27 Jan 2025

Patchstack Apparently Didn’t Take Basic Step to Get Unfixed Exploitable Vulnerabilities Fixed Before Disclosing Them

Last week WordPress security provider Patchstack disclosed what they claimed was an unfixed exploitable vulnerability in a WordPress theme and one in a related WordPress plugin. We say “claimed” because some of the information they provided appeared on its face to be very wrong. Early in the post, they wrote that “code that handles user input didn’t have any authorization or nonce check.” Code that handles user input doesn’t necessarily require authorization or a nonce check. For example, doing a search on a WordPress based website doesn’t require either of those things, despite involving user input. A more salient point is that the code they then promptly showed not only contained a nonce check, but even had a comment about it, “First check the nonce, if it fails the function will break:”

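The distinction worth keeping in mind when reading claims like that one is that a nonce check and an authorization check answer different questions. A WordPress nonce proves the request came from a form or script this site generated for this user, which defends against CSRF; it says nothing about whether that user should be allowed to perform the action. The following is an added example written for this post, not code from the theme or plugin Patchstack wrote about, nor from Patchstack. The action name mytheme_save_settings and the option name mytheme_settings are assumed for illustration.

```php
<?php
// Added example. Hypothetical names: admin-ajax action 'mytheme_save_settings',
// option 'mytheme_settings'. Not the code of any real theme or plugin.

// Before: only a nonce check. The nonce stops CSRF, but any logged-in user who can
// obtain a valid nonce (for instance if the theme prints it on every page via
// wp_localize_script) can reach update_option(), regardless of their role.
function mytheme_save_settings_nonce_only() {
    // First check the nonce, if it fails the function will break
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'mytheme_save_settings' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    update_option( 'mytheme_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

// After: the nonce check stays, a capability check is added, and the input is
// sanitized before it is stored. Only users with manage_options (administrators
// on a single site) get past the second check.
function mytheme_save_settings_hardened() {
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'mytheme_save_settings' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $settings = array();
    if ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) {
        $settings = array_map( 'sanitize_text_field', wp_unslash( $_POST['settings'] ) );
    }
    update_option( 'mytheme_settings', $settings );
    wp_send_json_success();
}

// wp_ajax_ (without the nopriv_ variant) means unauthenticated requests to
// admin-ajax.php never reach the handler at all.
add_action( 'wp_ajax_mytheme_save_settings', 'mytheme_save_settings_hardened' );
```

When reviewing a disclosure that says a handler lacks “authorization or nonce check,” the useful questions are which of the two is actually missing, and for whom: a missing capability check matters only if a lower-privileged user can get to the code path, and a present nonce check matters only if that user cannot also get the nonce.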

18 Nov 2024

Wordfence and “Security News” Outlets Falsely Claim 4 Million WordPress Websites Were Affected by Vulnerability

For reasons we have never understood, various websites portraying themselves as security news outlets are treated as reliable news outlets, despite not really being news outlets. They are also included in Google News, despite a long history of publishing misleading to outright false claims related to WordPress security. One of those is the Bleeping Computer. In the latest incident related to WordPress, one of their writers, Bill Toulas, wrote a post titled “Security plugin flaw in millions of WordPress sites gives admin access.” At the end of his post, he gave a more specific figure for the number of websites impacted, 3.5 million:

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.

26 Jan 2024

Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace

Yesterday, the Bleeping Computer ran a story headlined “Hackers target WordPress database plugin active on 1 million sites,” written by Bill Toulas. The plugin being referenced was Better Search Replace, which had a security change in the latest version. There doesn’t appear to have been a hacker targeting it, though.

The only thing backing up that headline was described this way:

22 Jan 2024

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, the Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on believing that all previous versions of the plugin were vulnerable:

The issue impacts all versions of the plugin up to 2.8.7

19 Jul 2023

Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them

Where WordPress firewall plugins are really useful is for providing protection before a vulnerability is known about, as at that point they can offer protection that other solutions can’t. That was on display with a recent widely exploited zero-day that web application firewalls (WAFs) didn’t protect against, but two firewall plugins did.

Notably, though, the most popular WordPress firewall plugin, Wordfence Security, didn’t provide protection in that situation. That is a recurring situation. It isn’t surprising considering that the business model associated with the plugin is based on selling firewall rules for vulnerabilities once they are already known about (and, more troublingly, selling hack cleanups despite claiming their firewall “stops you from getting hacked”). If they provided the type of protection the two best firewall plugins do, it would largely remove the need for those rules. Incredibly, they refer to their belated rule based protection in their Wordfence Premium service as being “real-time” protection.

16 May 2023

Akamai SIG’s Advanced Custom Fields (ACF) Attack Claim Confuses Script Kiddie With Attacker

In the past couple of days there have been scary sounding claims from journalists related to a recently fixed reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced Custom Fields (ACF), which we had detailed on May 4 after a machine learning (AI) based system we have flagged the fix being made. The journalists claimed that an attacker was trying to exploit this, with headline claims including “Hackers target WordPress plugin flaw after PoC exploit released” from the Bleeping Computer, “Hackers exploit WordPress vulnerability within hours of PoC exploit release” from CSO Online, and “ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement” from the WP Tavern.

Those stories are somewhat inaccurate, as they are citing another company’s disclosure a day after ours as being when the vulnerability was disclosed. But the far larger issue is that it seemed highly unlikely that an attacker was really trying to exploit this. If that were true, it would be rather newsworthy, since we have seen no evidence of any wide scale exploitation of reflected XSS vulnerabilities in WordPress plugins. It turns out the source for those stories, Akamai Security Intelligence Group (SIG), confused a script kiddie with an attacker, leading to those misleading stories.

27 Apr 2023

Bleeping Computer’s Bill Toulas Falsely Blames WordPress Plugin When Sucuri Fails to Protect Their Customers

As we have noted in the past, the GoDaddy owned security provider Sucuri keeps writing blog posts about what has happened to their customers’ websites after they have been hacked. They seem uninterested in how those websites were hacked, despite the importance of figuring that out as part of properly cleaning up a website. And, more importantly, they are uninterested in that despite being a service that is supposed to protect websites from being hacked. At best, these are new customers, but they don’t mention that, which would seem like an obvious thing to mention when you are a service that is supposed to avoid that situation. If you look at reviews of Sucuri, there are plenty of customers mentioning they were hacked despite already using the service (some of them with a positive view of the company, despite that).

You would reasonably think that journalists writing stories that cite those posts would be in the context of raising questions about Sucuri, but they don’t. In a recent instance, the WordPress Plugin Directory was being criticized instead.

6 Apr 2023

Security Journalists Baselessly Claim Millions of WordPress Sites at Risk From Recent Vulnerability

Last week, a story about a recently fixed vulnerability in Elementor Pro from the news outlet Bleeping Computer was headlined with the claim that the plugin had 11 million installs, “Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs”. In the body of the story, the author Bill Toulas claimed that the plugin is “used by over eleven million websites”. No source was given for the claim, and a comment asking what the source was went unanswered.

Contradicting that, an Ars Technica story from Dan Goodin claimed it is “running on more than 12 million sites”. The headline of the story also emphasized millions of websites, “Hackers exploit WordPress plugin flaw that gives full control of millions of sites”. Again, no source was provided for the claim.

27 Feb 2023

Bleeping Computer’s Bill Toulas Spreads Common Misconception About Impact of SQL Injection Vulnerabilities in WordPress Plugins

We often see confusion over the potential impact of one type of vulnerability, SQL injection, that can exist in WordPress plugins. The confusion seems to stem in part from the name of the vulnerability, though that doesn’t explain it entirely. The SQL part refers to a SQL statement, a query being made of a database, but it is easy enough to think that it refers to the database itself. With that misinterpretation, the name would seem to mean database injection, or injecting something into the database. Confusion over this was recently spread by a journalist not really doing journalism.

A recent Bleeping Computer story by Bill Toulas involved SQL injection vulnerabilities in three WordPress plugins. He accurately described what SQL injection is:
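To make the distinction concrete, the following is an added example written for this post, not code from any of the three plugins in the story. The table name myplugin_items and the query parameter item_id are assumed for illustration. The injection is into the SQL statement the plugin builds; what an attacker can then do is bounded by that statement and by how WordPress runs it.

```php
<?php
// Added example. Hypothetical table {$wpdb->prefix}myplugin_items and parameter
// item_id; not the code of any real plugin.

// Vulnerable: the request value is concatenated into the statement text, so the
// attacker is writing part of the query. Returned as a string so the effect of a
// payload can be seen without a database.
function myplugin_build_query_vulnerable( $item_id, $prefix = 'wp_' ) {
    return "SELECT id, title FROM {$prefix}myplugin_items WHERE id = " . $item_id;
}

// With item_id set to "0 UNION SELECT user_login, user_pass FROM wp_users" the
// statement above becomes a read of the users table. Because WordPress executes
// queries through mysqli_query(), which does not run stacked statements, an
// attacker can't append "; UPDATE wp_users ..." here: a SELECT-context injection
// lets them read data the query can reach, not write to the database.
function myplugin_get_item_vulnerable( $item_id ) {
    global $wpdb;
    return $wpdb->get_results( myplugin_build_query_vulnerable( $item_id, $wpdb->prefix ) );
}

// Fixed: $wpdb->prepare() formats the value into the statement as a parameter.
// %d casts to an integer, so the payload above collapses to 0 and the query shape
// is no longer under the requester's control.
function myplugin_get_item_fixed( $item_id ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}myplugin_items WHERE id = %d",
            $item_id
        )
    );
}

// Typical use from a request handler; the hardened function is what should be wired up.
function myplugin_handle_request() {
    $item_id = isset( $_GET['item_id'] ) ? absint( wp_unslash( $_GET['item_id'] ) ) : 0;
    return myplugin_get_item_fixed( $item_id );
}
```

The practical consequence for assessing impact: a SQL injection in a plugin’s SELECT lets an attacker read whatever the database user can read, which on a typical WordPress install includes password hashes in the users table. That is serious, but it is a different thing from writing content into the database, and a story that treats the two as interchangeable is overstating what the vulnerability does.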

10 Jan 2023

“New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old

Recently the security news outlet Bleeping Computer ran a story from Bill Toulas with the headline “New Linux malware uses 30 plugin exploits to backdoor WordPress sites”, but the only cited source for the story, Doctor Web stated that it was likely more than three years old (emphasis ours):

revealed that it could be the malicious tool that cybercriminals have been using for more than three years