24 Jan 2024

Cross-Site Request Forgery (CSRF) Vulnerability in Maspik – Spam blacklist

Last year, Patchstack vaguely claimed that the plugin Maspik – Spam blacklist contained a cross-site request forgery (CSRF) vulnerability. About the only detail provided was that it was supposed to have been fixed in version 0.7.9. The changelog for that version doesn’t suggest a vulnerability was fixed, as it reads “Bug fix (Please update ASAP!)”.


22 Jan 2024

Privilege Escalation Vulnerability in Duplicate Post Page Menu & Custom Post Type

We were recently alerted that one of our customers started using a WordPress plugin, Duplicate Post Page Menu & Custom Post Type, which has been closed on the WordPress Plugin Directory. The reason given for the closure is:


19 Jan 2024

Cross-Site Request Forgery (CSRF) Vulnerability in Clearfy

While trying to work through a vulnerability claim with a non-working proof of concept that a vulnerability had previously existed in the WordPress plugin Clearfy, we noticed a minor but rather obvious vulnerability in the plugin. That involves a lack of protection against cross-site request forgery (CSRF) when accessing one of its options for cache clearing. An attacker could cause an Administrator to clear the cache without intending it, which shouldn’t be much of an issue, unless it could be combined with another more serious issue.

The plugin has an admin bar item. It includes two cache clearing options. The URL for one of those, “Clear all cache”, looks like this: /wp-admin/plugins.php?wclearfy_cache_delete=1. The URL for the other one, “Clear cache (0%)”, looks like this: /wp-admin/plugins.php?wbcr_mac_clear_cache=1&_wpnonce=11522b67fc. The second URL format includes a nonce, which is used to prevent CSRF.

2 Jan 2024

Cross-Site Request Forgery (CSRF) Vulnerability in WP Server Health Stats

The changelog for the latest version of the WordPress plugin WP Server Health Stats is “Fixed CSRF vulnerability (CVSS 3.1 score) reported by Patchstack.” Looking at the changes made, we found that referred to attempting to address an issue that allows an attacker to cause someone logged in to WordPress to purge the plugin’s cache without them intending it, which would be a cross-site request forgery (CSRF) vulnerability. The developer had attempted to fix that in the new version, but didn’t do so correctly, so the really minor vulnerability still exists.


5 Dec 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Is Still Adding Vulnerable Code

In September, we wrote about how the WordPress plugin POST SMTP, which has 300,000+ installs, still contained SQL injection issues months after a public claim of a vulnerability involving that (and still does today). We also noted that the plugin was part of the Vulnerability Disclosure Program (VDP) of one of our competitors, Patchstack. The program doesn’t really make sense, as we noted at the time, because you are contacting a third-party security provider instead of the developer of the software, who can actually address vulnerabilities. It also wasn’t possible through that program to report security issues that are not vulnerabilities, despite the need for developers to address them. If a plugin developer is part of that program, it would suggest they lack an interest in properly securing their plugins, which the security of this plugin continues to point to.

While reviewing yet another attempt at a security fix in the plugin made on November 1, we noticed that new vulnerable code was being added to the plugin. That involves a failure to implement basic security, and the plugin appears to contain multiple other vulnerabilities because of other instances of the failure to implement that.

17 Nov 2023

Wordfence’s Plugin Vulnerability Data Copied From Competitors Continues to Not Be Impeccable

Recently the CEO of Wordfence, Mark Maunder, made this very strong claim about the quality of their (and to a lesser degree, competitors’) data on vulnerabilities in WordPress plugins:

Our data is impeccable. Our competitors do a pretty darn good job too.

14 Nov 2023

Changes WordPress Plugin Developers and Patchstack Can Take to Better Handle Vulnerabilities

Part of how we keep track of vulnerabilities in WordPress plugins is by monitoring the WordPress support forum for relevant topics. What we are seeing a lot these days are developers who are trying to deal with rather unclear claims of vulnerabilities in their plugins. Two weeks ago, we helped a developer to get an issue in their plugin addressed after another provider, Patchstack, as usual, was rather unhelpful. There are lessons for plugin developers and Patchstack. We don’t have much hope for Patchstack addressing the issues, since they are already long running and well known, but developers have a chance to pretty easily improve their handling of the security of their plugins.

Patchstack inaccurately claimed that the plugin Simple SEO contained a cross-site request forgery (CSRF) vulnerability. While that was part of the issue, the vulnerability was more serious than that, though not a serious vulnerability. Here is the information they provided on that:

2 Oct 2023

Patchstack, Wordfence, and Developer Make Mess of Minor Vulnerability in 100,000+ Install WordPress Plugin

On Friday, the 100,000+ install WordPress plugin Optimize Database after Deleting Revisions was closed on the WordPress Plugin Directory without any explanation. The lack of explanation isn’t helpful for users of the plugin. A likely explanation of this is a mess related to a minor security vulnerability in the plugin. That vulnerability has been poorly handled by Patchstack, which started things, as well as by Wordfence and the developer of the plugin.

Users of the plugin have been left without clear information on what is going on with the vulnerability claim for months, which hopefully can be cleared up.