25 Sep

WordPress Isn’t Allowing Users of DELUCKS SEO to Get New Version of the Plugin That Fixes Exploited Vulnerability

When it comes to the poor security surrounding WordPress plugins what we have long found so unfortunate is that it would be easy for the team running the Plugin Directory to improve the situation, but for reasons that have never made sense they continue to refuse to do things that would make a big difference and likely greatly reduce the number of websites being hacked (we and others have repeatedly offered to help them do those things).

One of the problems we have long seen is that after plugins are closed on the Plugin Directory due to vulnerabilities, even after the vulnerability has been fixed, the plugin remains closed, so those already using the plugin can’t get the updated version. This often looks to be because the team running the Plugin Directory requires more changes to be made, sometimes security related. The problem with that is that if those websites could update they would stop the possibility of the fixed vulnerability being exploited. [Read more]

18 Jun

Why Did ZDNet Allow Disgruntled Security Journalist Catalin Cimpanu To Publish a Fictional Story on Their Zero Day Blog?

When it comes to security journalism, things are not in very good shape, which has a decided negative impact on improving security, whether with WordPress plugins or otherwise. Part of that seems to stem from the fact that many of the people doing security journalism don’t seem to have the skills necessary to do that. As an example of that, take something we ran across earlier this year when we were looking over someone’s Twitter account for more information related to a claim of a vulnerability in a WordPress plugin and ran across this tweet that they had retweeted:

11 Apr

Why Are Journalist Spreading Wordfence’s (aka Defiant’s) Lies About Us?

Here’s a timeline of the recent situation with the WordPress plugin Related Posts (Yuzo Related Posts):

Yet here was Lawrence Abrams at the Bleeping Computer yesterday: [Read more]

13 Feb

The Missing Story About WordPress Plugin Developers’ Failure To Make Sure Their Plugins Are Secure

Coverage of WordPress plugin vulnerabilities is rather poor and coverage of an authenticated option update vulnerability in the plugin Simple Social Buttons disclosed on Monday was no exception. For example, you had a security journalist that frequently spreads false and misleading information, Catalin Cimpanu, make this statement in regards to WordPress:

Some sites are inherently protected against this vulnerability, as their admins have already blocked user registration due to security reasons. [Read more]

31 Oct

Full Disclosure of CSRF/SSRF Vulnerability in WordPress Plugin With 800,000+ Installs

One of the impediments we see to improving security of WordPress plugins (as well as security in general) is that security journalist don’t provide a good picture of what is and isn’t going on, so others don’t understand what is actually needed to be done to improve the situation. One recent example comes from Catalin Cimpanu at ZDNet’s Zero Day blog who put forward this one sided (at best) portrayal of the handling of the security of WordPress plugins by the people on the WordPress side of things:

Campbell says the WordPress team has been collaborating with the authors of the most popular plugins on its Plugins repository. It’s been helping these plugins follow best coding practices. [Read more]

22 Oct

Security Issues Related to jQuery File Upload Not Unknown To InfoSec Community As Security Journalists Claim

We generally avoid following news coverage of web security since it is of such poor quality and when we do have to look at examples of it due to a news alert we have to keep track of vulnerabilities in WordPress that view is reinforced. Take this post on ZDNet’s Zero Day blog, “Zero-day in popular jQuery plugin actively exploited for at least three years“, by Catalin Cimpanu, which makes this claim:

It is pretty clear from the videos that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community. [Read more]

24 Sep

ZDNet’s Zero Day Blog Claims to Have Revealed Something That We Had Already Discussed Well Beforehand

When it comes to actually trying to improve the poor state of web security one of the big impediments are security journalists, who often act not as journalists, but as stenographers repeating claims made by security companies with little concern for their accuracy or actual significance. A case in point with that comes from  a post from ZDNet’s Zero Day blog (which at least in the past was run by people that didn’t even understand what a zero-day is), titled “Thousands of WordPress sites backdoored with malicious code”, which we got notified due to a Google alert we have set related to WordPress plugin vulnerabilities.

It is not clear exactly how many websites are running WordPress, but one figure put out by Forbes was 75 million, so thousands of websites running it being hacked seems less than significant. In fact there doesn’t really seem to be anything significant about what is being described in the post. The problem with covering things like that is that it gives an inaccurate picture of security of WordPress, since certainly many more than thousands of website not running WordPress are also hacked each month and this can cause people to choose less secure software to use on their website because of skewed coverage. There are also plenty of issues surrounding the security WordPress that could be covered instead of this type of thing, but journalists don’t seem to be interested in covering more significant issues. [Read more]