12 Dec 2018

Our Proactive Monitor Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin That Could Disable Websites

On Monday, while disclosing another option update vulnerability, we noted that in the wake of one of those being widely exploited recently we had focused on finding more of those vulnerabilities, while it appears no one else in the WordPress security industry has done that (maybe because they can get away with lying about failing to protect against the widely exploited one). The very next day we found yet another vulnerability. We spotted it during our proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins. The vulnerable code was not flagged by the software we use to identify possible issues for us to review; instead that software had flagged another possible instance of the same type of vulnerability in the same code, and when we manually reviewed the code we found the issue.

While the vulnerability doesn’t appear to allow for takeover of a website, it would allow anyone logged in to WordPress to disable the website with a single request. Since the plugin in question, Dokan, is only usable with the WooCommerce eCommerce plugin, which is often set to create WordPress accounts for those making orders, many or most of the 10,000+ active installations of the plugin (according to wordpress.org) would be impacted. It could also be exploited by getting someone logged in to WordPress to access a page controlled by an attacker. [Read more]

10 Dec 2018

Our Improved Proactive Monitoring Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin

When it comes to the hacking of WordPress websites due to the software on them, those hacks are largely due to security issues in WordPress plugins. So you would assume that a major focus of security companies involved in the security of WordPress websites would be those issues, but what we have found is that isn’t true. Often others in the industry are warning about vulnerabilities weeks after us (and often only after there have been widespread exploitation attempts), and they spend a troubling amount of time making up threats that don’t really exist (maybe because it is easy to protect against non-existent threats). In the wake of an option update vulnerability in the plugin WP GDPR Compliance being widely exploited, the response of one high profile company that failed to protect its paying customers was to lie about that.

While we provided our customers with a warning ahead of exploitation of that vulnerability, we look at every situation where there is large scale exploitation as an opportunity to improve what we do. There is still an idea we have to improve based on what happened in that situation that we haven’t implemented, but others we implemented right away. One of those was trying to detect more vulnerabilities like the one that was exploited. That led to us spotting the same kind of vulnerability in one of the 1,000 most popular plugins less than a week later, which would go on to be exploited as well. Others in the security industry have only just become aware of that, even though it has been almost a month since we warned about it. In the meantime we have been catching more vulnerabilities relating to that type of issue. [Read more]

5 Dec 2018

Our Improved Proactive Monitoring Already Caught Another Option Update Related Vulnerability in a WordPress Plugin

Yesterday we noted that our newly improved proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins and which built on code we had developed for our Plugin Security Checker (an automated tool you can use to check if plugins you use contain possible security issues), had already caught a fairly serious vulnerability, one that could leave a website fully disabled. That vulnerability was yet another one due to insecure usage of the update_option() function that we have found in the wake of one of those being widely exploited. Today that monitoring caught a more serious vulnerability related to that function: it could be used to take full control of websites, and while it requires the attacker to be logged in to WordPress, the plugin in question, ARMember Lite, is a membership plugin, so it would be on websites that probably allow user registration.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it would already have notified you of this possible issue. It is flagging a huge number of other possible security issues in the plugin, so anyone using it who is concerned about security would be best served by making sure someone with the proper skill set further reviews the plugin and checks whether there are other security issues that need to be fixed. Paying customers of our service can suggest/vote for plugins to receive a security review from us. We also offer security reviews of a plugin separately from our service. [Read more]
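As an added example (not code from Dokan, ARMember Lite or any other plugin mentioned on this page), here is the insecure pattern behind an authenticated option update vulnerability beside a hardened version; the hook, function and option names are hypothetical:

```php
<?php
// Added example, not from any plugin discussed above. Names are hypothetical.

// INSECURE: wp_ajax_ handlers run for every logged-in user, so without a
// capability check any account (e.g. a customer account) can reach this, and
// without a nonce a page controlled by an attacker can make a logged-in user's
// browser send the request. The request also chooses the option name, so any
// option in the site, not just the plugin's own, can be overwritten.
function demo_insecure_save_setting() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting_insecure', 'demo_insecure_save_setting' );

// HARDENED: capability check, nonce check, a fixed allowlist of option keys
// this feature may touch, and per-option sanitization.
function demo_secure_save_setting() {
    // 1. Only administrators may change settings; everyone else gets a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Reject cross-site requests: the nonce must come from our own page
    //    (generated there with wp_create_nonce( 'demo_save_setting' )).
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // 3. Never let the request pick the option name: map a short key to a
    //    fixed option and a sanitizer, and refuse anything else.
    $allowed = array(
        'shop_email' => array( 'option' => 'demo_shop_email', 'sanitize' => 'sanitize_email' ),
        'per_page'   => array( 'option' => 'demo_per_page',   'sanitize' => 'absint' ),
    );
    $key = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $key ]['sanitize'], $raw );

    update_option( $allowed[ $key ]['option'], $value );
    wp_send_json_success( array( 'saved' => $key ) );
}
add_action( 'wp_ajax_demo_save_setting', 'demo_secure_save_setting' );
```

When reviewing a plugin for this class of issue, look for every update_option() call reachable from an admin-ajax, admin-post or REST handler and confirm all three checks (capability, nonce, fixed option name) are present on that path.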

19 Nov 2018

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in a WordPress Plugin with 10,000+ Installs

In the wake of widespread exploitation of an option update vulnerability in the WordPress plugin WP GDPR Compliance, the difference between our response and that of others in the WordPress security community has been a reminder that unfortunately we are largely alone in trying to actually make WordPress websites more secure against security issues in WordPress plugins.

For example, Defiant, the company behind the Wordfence Security plugin, which had failed to protect even those using their paid service, Wordfence Premium, decided to respond to that by lying and claiming those using it were “covered”. The team that handles the security of plugins on the WordPress side of things also seems to have had no interest in considering that they are not properly handling when to force out updates, which could prevent lots of websites being unnecessarily hacked in the future. [Read more]