27 Jan 2025

Patchstack Apparently Didn’t Take Basic Step to Get Unfixed Exploitable Vulnerabilities Fixed Before Disclosing Them

Last week, WordPress security provider Patchstack disclosed what they claimed was an unfixed exploitable vulnerability in a WordPress theme and one in a related WordPress plugin. We say "claimed" because some of the information they provided appeared on its face to be very wrong. Early in the post, they wrote that "code that handles user input didn't have any authorization or nonce check." Code that handles user input doesn't necessarily require authorization or a nonce check. For example, doing a search on a WordPress based website doesn't require either of those things, despite involving user input. A more salient point is that they then promptly showed the code, which not only contained a nonce check but even had a comment about it, "First check the nonce, if it fails the function will break:"

[Read more]

26 Jan 2024

Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace

Yesterday, the Bleeping Computer ran a story headlined “Hackers target WordPress database plugin active on 1 million sites,” written by Bill Toulas. The plugin being referenced was Better Search Replace, which had a security change in the latest version. There doesn’t appear to have been a hacker targeting it, though.

The only thing backing up that headline was described this way: [Read more]

22 Jan 2024

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, the Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on believing that all previous versions of the plugin were vulnerable:

The issue impacts all versions of the plugin up to 2.8.7 [Read more]

27 Apr 2023

Bleeping Computer’s Bill Toulas Falsely Blames WordPress Plugin When Sucuri Fails to Protect Their Customers

As we have noted in the past, the GoDaddy-owned security provider Sucuri keeps writing blog posts about what has happened to their customers' websites after they have been hacked. They seem uninterested in how those websites were hacked, despite the importance of figuring that out as part of properly cleaning up a website. And, more importantly, they are uninterested in that despite being a service that is supposed to protect websites from being hacked. At best, these are new customers, but they don't mention that, which would seem like an obvious thing to mention when you are a service that is supposed to prevent that situation. If you look at reviews of Sucuri, there are plenty of customers mentioning they were hacked despite already using the service (some of them with a positive view of the company, despite that).

You would reasonably think that journalists writing stories that cite those posts would be doing so in the context of raising questions about Sucuri, but they don't. In a recent instance, the WordPress Plugin Directory was being criticized instead. [Read more]

6 Apr 2023

Security Journalists Baselessly Claim Millions of WordPress Sites at Risk From Recent Vulnerability

Last week, a story about a recently fixed vulnerability in Elementor Pro from the news outlet Bleeping Computer was headlined with the claim that the plugin had 11 million installs, "Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs". In the body of the story, the author Bill Toulas claimed that the plugin is "used by over eleven million websites". No source was given for the claim, and a comment asking what the source was went unanswered.

Contradicting that, an Ars Technica story from Dan Goodin claimed it is “running on more than 12 million sites”. The headline of the story also emphasized millions of websites, “Hackers exploit WordPress plugin flaw that gives full control of millions of sites”. Again, no source was provided for the claim. [Read more]

27 Feb 2023

Bleeping Computer’s Bill Toulas Spreads Common Misconception About Impact of SQL Injection Vulnerabilities in WordPress Plugins

We often see confusion over the potential impact of one type of vulnerability, SQL injection, that can exist in WordPress plugins. The confusion seems to stem in part from the name of the vulnerability, though that doesn't explain it entirely. The SQL part refers to a SQL statement, a query being made of a database, but it is easy enough to think that it refers to the database itself. Under that misinterpretation, the name would refer to database injection, or injecting something into the database. Confusion over this was recently spread by a journalist not really doing journalism.

A recent Bleeping Computer story by Bill Toulas involved SQL injection vulnerabilities in three WordPress plugins. He accurately described what SQL injection is: [Read more]

10 Jan 2023

“New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old

Recently, the security news outlet Bleeping Computer ran a story from Bill Toulas with the headline "New Linux malware uses 30 plugin exploits to backdoor WordPress sites", but the only cited source for the story, Doctor Web, stated that it was likely more than three years old (emphasis ours):

revealed that it could be the malicious tool that cybercriminals have been using for more than three years [Read more]