Login

Tag Archives: Automattic

10 Jun 2022

Not Really a WordPress Plugin Vulnerability, Week of June 10

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting in Newsletter

Automattic’s WPScan claimed the plugin Newsletter contained reflected cross-site scripting (XSS) vulnerability, where the “vulnerability” would require using a web browser that hasn’t been received security updates for five years: [Read more]

1 Jun 2022

“Vulnerability” In 1+ Million Install WordPress Plugin XML Sitemaps (Google XML Sitemaps) Didn’t Lead to Backdoor on Websites

On April 6, the WordPress plugin XML Sitemaps (Google XML Sitemaps) was closed on WordPress’ plugin directory. The only information given was this vague message:

This plugin has been closed as of April 6, 2022 and is not available for download. This closure is temporary, pending a full review. [Read more]

27 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting in WP Statistics

Automattic’s WPScan made this claim about a supposed reflected cross-site scripting vulnerability in the plugin WP Statistics: [Read more]

25 May 2022

600,000+ Install WordPress Plugin WP Statistics Isn’t Properly Securing Its Optimization Functionality

Yesterday the JVN released a vague report claiming that a cross-site scripting (XSS) vulnerability had been fixed in version 13.2.0 of the WordPress plugin WP Statistics. There isn’t enough information provided to confirm that there was a vulnerability or that it was fixed.

Confusingly, one of our competitors, Automattic’s WPScan, is citing that report as the source for a claim that a vulnerability was fixed in version 13.2.2 of the plugin: [Read more]

20 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 20

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Reflected Cross-Site Scripting in Smush

A couple of weeks ago Automattic’s WPScan claimed that the plugin Smush had contained an admin+ reflected cross-site scripting vulnerability that involves somehow getting an Administrator to upload a file to their website: [Read more]

11 May 2022

WordPress Plugin Developer Security Advisory: anadnet

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when alerted they haven’t done that, while other plugin developers either are unable or unwilling to properly secure their plugins. With the latter group, among the issues we have seen, are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisory, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ millions installs according to wordpress.org. Recently another piece of Automattic, WPScan claimed a competing plugin, All In One WP Security, which has 1+ million installs had contained a reflected cross-site scripting (XSS) vulnerability despite that vulnerability appearing to not exist. That isn’t the only recent instance of that happening.

Recently they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is the whole sentence, they keep missing periods at the end of sentences): [Read more]

29 Apr 2022

Wordfence Doesn’t Appear to Understand the Security Implications of a Backup Plugin

A little over a month ago we noted that Automattic’s WPScan didn’t appear to understand the concept of a backup plugin, as they claimed that 4+ million install WordPress backup plugin, All-in-One WP Migration, contained a vulnerability that:

allows administrators to upload PHP files on their site [Read more]

26 Apr 2022

Automattic Appears to Have Falsely Claimed That Competing WordPress Security Plugin Contained Reflected XSS Vulnerability

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ millions installs according to wordpress.org. Recently another piece of Automattic, WPScan claimed a competing plugin, All In One WP Security, which has 1+ million installs had contained a reflected cross-site scripting (XSS) vulnerability (emphasis ours):

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk [Read more]

25 Apr 2022

Automattic’s WPScan Didn’t Do Basic Verification on Claimed Vulnerability in WordPress Plugin with 700,000+ Installs

Automattic owned security service WPScan is marketed with the claims that they provide “Enterprise-strength WordPress protection for everyone” and that they have a “dedicated team of WordPress security experts”. The reality is very different.

Among many issues we run across with their data is that they are frequently falsely claiming that plugins have had vulnerabilities, in situations where, say, the claimed vulnerability involves an action taken by an Administrator that the plugin is intended to allow and still allows after the supposed vulnerability has been fixed. [Read more]