21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the number of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be, such as a recently fixed vulnerability in the plugin or an unfixed vulnerability that currently exists in it. But WPScan did recently put out a false report of a vulnerability in the plugin, which it seems a hacker might have taken for something they could exploit. [Read more]

12 Oct 2021

WPScan Claims a Vulnerability Was Fixed in Version of WordPress Plugin That Doesn’t Exist

One of the many problems that plagues security is the lack of concern for the truth from so many people involved in it. You would think that wouldn’t be the case, with trust being an important part of security, but it is, which is part of why security is in such bad shape. That is common when it comes to information on vulnerabilities in WordPress plugins, where we find that critical information, including whether vulnerabilities have actually been fixed, is often inaccurate. While there are understandable mistakes, that clearly isn’t the explanation for most of it. Take something we noticed with one company that clearly isn’t interested in accuracy, WPScan.

Yesterday we discussed looking into why a hacker might be targeting the commercial WordPress plugin Cooked Pro. While looking into that, we came across a WPScan entry that claimed a vulnerability had been fixed in the related free Cooked plugin in version 1.7.5.6: [Read more]

23 Aug 2019

Automattic Has a lot of Work to do on the Security of the Zero BS WordPress CRM Plugin

A couple of months ago we discussed Automattic’s concern, or lack thereof, for the security of WordPress plugins, in the context of them causing an insecure plugin from Facebook to be installed on websites using their WooCommerce plugin. A week ago it was announced that they had purchased the plugin Zero BS WordPress CRM. After seeing that we started to take a quick look over the security of the plugin, but we didn’t get far into that before finding that the plugin has some obvious security issues.

As one quick example of the insecurity, we found that someone who could get a logged-in Administrator to click a link, say one left in a comment on the website, could cause all of the plugin’s data to be deleted (a cross-site request forgery, or CSRF, issue), which is a pretty big issue for a CRM plugin. So it would appear that Automattic didn’t do security due diligence on the plugin before the purchase, considering that if they had, they should have reported the issues to the developer and they should have been fixed by now. [Read more]

19 Jun 2019

If Facebook’s Handling of the Security of Their WordPress Plugins Is Any Indication, They Don’t Seem Too Concerned About Security

On Monday we discussed that two of Facebook’s plugins for WordPress contained vulnerabilities due to basic security failures (and mentioned in passing that another is also insecure due to the same type of issue). Their attempts to resolve the vulnerabilities continued to show a lack of concern and/or understanding of security, at least when it comes to WordPress plugins. It also makes you wonder what the people running the WordPress Plugin Directory are up to, since they knew these plugins were vulnerable and didn’t make sure they were properly fixed.

Missing Capabilities Check

With the less popular of the vulnerable plugins, Messenger Customer Chat, which has 20,000+ installs according to WordPress, we wrote this about the issue: [Read more]
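The two failures described in the Zero BS WordPress CRM excerpt above (an Administrator tricked into clicking a link wipes the plugin’s data) and under the “Missing Capabilities Check” heading here are the two checks a privileged WordPress action handler has to make: who is asking (a capability check) and whether they actually intended the request (a nonce, which is what stops CSRF). The following is an added example written for this page; it is not code from either Facebook plugin, from Zero BS CRM, or from Automattic. The plugin name, the `example_crm_reset` action, the `example_crm_contacts` option and the settings-page slug are all hypothetical, and the `admin_post_*` hook, `current_user_can()`, `check_admin_referer()` and `wp_nonce_url()` are standard WordPress APIs.

```php
<?php
// Added example, not the plugin code discussed on this page.
// "example_crm_*" names and the "example_crm_contacts" option are hypothetical.

// VULNERABLE: the handler trusts any request that reaches it. admin-post.php
// only requires that *some* user be logged in, so (1) a low-privilege account
// can call it directly, and (2) an attacker can leave a link such as
//   /wp-admin/admin-post.php?action=example_crm_reset
// in a comment; an Administrator who clicks it deletes all the plugin's data.
function example_crm_reset_vulnerable() {
    delete_option( 'example_crm_contacts' );            // hypothetical data store
    wp_safe_redirect( admin_url( 'admin.php?page=example-crm' ) );
    exit;
}
// add_action( 'admin_post_example_crm_reset', 'example_crm_reset_vulnerable' );

// HARDENED: both checks, in this order. Neither replaces the other: a nonce
// alone still lets any subscriber who can see a nonced link run the action,
// and a capability check alone still lets a CSRF link ride an admin's session.
function example_crm_reset_hardened() {
    // 1. Capability check: only users who may manage the site can reset data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the request must carry a nonce bound to this action and
    //    to the current user's session. check_admin_referer() reads the
    //    "_wpnonce" query argument and calls wp_die() if it is missing or invalid.
    check_admin_referer( 'example_crm_reset' );

    delete_option( 'example_crm_contacts' );
    wp_safe_redirect( admin_url( 'admin.php?page=example-crm&reset=1' ) );
    exit;
}
add_action( 'admin_post_example_crm_reset', 'example_crm_reset_hardened' );

// The legitimate link is generated on the plugin's own settings page with the
// nonce attached. A link pasted into a comment cannot carry a valid nonce,
// because the nonce depends on the victim's session token and the site's
// secret salts, which the attacker does not have.
function example_crm_reset_link() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';                                       // don't even show it
    }
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=example_crm_reset' ),
        'example_crm_reset'                              // same action string as above
    );
    return '<a href="' . esc_url( $url ) . '">Reset all CRM data</a>';
}
```

A quick way to check a plugin for either problem is to grep its `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks and confirm that every one that changes state calls both `current_user_can()` (or equivalent) and `check_admin_referer()`/`check_ajax_referer()` before doing anything. A handler that does only one of the two is the pattern behind both excerpts above.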

17 Jun 2019

Automattic is Having WooCommerce Install by Default an Insecure Plugin by Facebook

The line between the open source project WordPress and the company Automattic is often blurry. You can find journalists referring to the latter as owning the former, despite that not being true. The person who resigned a couple of weeks ago as the Marketing and Communications Lead for WordPress mentioned that they were often assumed to be an Automattic employee or to be the token non-Automattic team member:

My position is unclear, not just to me, but to many people which makes me uncomfortable. I’ve been asked dozens of times on Twitter, Facebook and at WordCamps why I now work for Automattic, which of course I don’t but that is the perception for a lot of people. On other occasions I seem to be the token non-Automattician, which I’m also uncomfortable with. [Read more]

13 Jul 2017

Image Upload Capability in WordPress Plugin Being Abused

The security industry has more than its fair share of snake oil and hucksters, which seems like it can be explained in part by the fact that people who don’t know and/or care about security can make claims that those more knowledgeable would never make. For example, somebody with a basic understanding of security wouldn’t claim their WordPress security plugin “stops you from getting hacked”, because a WordPress plugin would not have any chance of stopping certain types of attacks (yet somehow the most popular plugin makes this claim). Not only is security extremely complicated, but things are frequently changing, so you need to keep adjusting as new threats come about and existing ones change. Along those lines we thought it important to share something we ran across yesterday about the abuse of a popular plugin’s intended functionality.

One of the ways we keep track of plugin vulnerabilities out there is by monitoring the WordPress Support Forum for threads that might be relevant. Through that, this week we have added three newly disclosed vulnerabilities that exist in the most recent version of their respective plugins, including one in a plugin with 1+ million active installs, to our data set. Those are vulnerabilities you won’t find in any other source of WordPress plugin vulnerability data, due to no one else doing the kind of extensive monitoring we do. Through that monitoring we also came across a report of abuse of the image upload capability in the plugin WP Job Manager. [Read more]

13 Jun 2017

Automattic Seems More Committed to Marketing Their Jetpack Service Than to a Safer WordPress Experience

For years WordPress has been knowingly leaving websites at risk of being hacked due to a refusal to warn when plugins are in use that are known to be vulnerable and have been removed from the Plugin Directory for that reason. Considering the damage that is caused by this and there not being any reasonable argument for not warning people, at times when removed plugins have been widely exploited we have started to wonder if this might not be due to gross negligence, but whether there might be a more nefarious explanation.

The company closely associated with WordPress, Automattic, does have several products marketed as security products, Jetpack and VaultPress, so allowing websites to be hacked to help those services could be an explanation, though we highly doubt it. That being said, Automattic doesn’t seem to have the best interests of the public in mind when it comes to security. For example, they have helped other security companies in pushing the false notion that there are many brute force attacks against WordPress admin logins, which takes the focus away from real security threats like unfixed vulnerable plugins. [Read more]