27 Jul 2023

WordPress Security Providers Delaying Vulnerability Disclosures Doesn’t Stop Hackers From Figuring Them Out

This week we have been covering a mess that started with the developers of the Freemius library not properly handling a security issue we reported to them last year. Instead of addressing the issue at the time, they put out a post criticizing and lying about what had gone on. They wrote this about us warning about the vulnerabilities after they had released an incomplete fix (without giving us a chance to review the changes first):

Unlike last time, we didn’t even try to ask the reporter to remove the article as we’ve learned it’s a waste of time and our request can only backfire on us. Instead, we politely tried to understand the reasoning behind the unexpected disclosure to assess if/how we could avoid it in the future. [Read more]

27 Jul 2023

Really Simple SSL Plugin Is Falsely Claiming That WordPress Plugins Contain Vulnerabilities

The Really Simple SSL plugin became popular, with 5+ million installs, as a simple WordPress plugin and then the developer started bloating it with unrelated features. One of those was adding plugin vulnerability alerts. They recently explained doing that this way:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next. [Read more]

26 Jul 2023

WP Engine Sending Out Emails Falsely Claiming Popular WordPress Plugins Contain Unfixed Vulnerabilities

Earlier today, we covered how Patchstack and their partners have been falsely claiming that WordPress plugins contain vulnerabilities caused by usage of an outdated version of the Freemius library. They have been joined in that by WP Engine and Automattic owned WPScan.

Here is an example of that email sent out for the 100,000+ install plugin Pods: [Read more]

26 Jul 2023

StellarWP Hasn’t Fixed Vulnerable Plugin Their Own Security Plugin Has Warned About Since Last Week

Earlier today, we looked at a mess created by the developer of a popular library in WordPress plugins, Freemius, and WordPress security provider, Patchstack. Another company playing a supporting role in what was discussed is StellarWP (which is part of Liquid Web). On their homepage, StellarWP makes this strong claim:

The most trusted plugins and people in WordPress. [Read more]

26 Jul 2023

Patchstack Causes Developer of 600,000+ Install WordPress Plugin to Release Phantom Security Update

In February of last year, we tried to work with the developer of the Freemius library, which is widely used in WordPress plugins, to address a number of security issues that came up during a security review of a plugin using it. Instead of working with us, they incompletely addressed the issues on their own. We told them that the fix was incomplete, but they didn’t address things. Earlier this month they were claiming in a blog post that we did “not cooperate” with them in that situation, despite linking to a post about the previous situation where they stated they went “into a ‘silent mode’ and ke[pt] interactions to a minimum”. Also earlier this month, they finally addressed an issue we had warned them about at the time. That has led to a mess for developers and users of plugins using the library (and some not even using it). That mess includes the developer of a plugin with 600,000+ installs having to release a phantom security update to stop Patchstack from falsely claiming the plugin was still vulnerable.

While Patchstack has caused problems for various developers in this situation (and many others), Freemius is claiming that it is “a security company that truly cares about website security and works with you in full cooperation and coordination”. [Read more]

25 Feb 2022

Our Security Review of WordPress Plugin Found Freemius Library Still Contained Vulnerabilities 3 Years After Major Security Incident

Three years ago, the Freemius library, which is a monetization library widely used in WordPress plugins, fixed a serious vulnerability only after a hacker had identified it and started exploiting it. The situation surrounding that was quite a mess. It would be reasonable to think that the developer of the library and the developers of the plugins using it, especially security plugins, would have made sure to get the security of the library reviewed after that to address any other security issues, but that turns out not to be the case.

What makes that more striking is that the developer claimed after that went down that: [Read more]

20 May 2019

What Security Review? Another Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

A little less than a month ago we mentioned how a brand new WordPress plugin contained an authenticated option update vulnerability due to usage of an outdated version of the third-party Freemius library. That vulnerability has been widely exploited. Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. So either those reviews are not happening or they are failing to catch things that should have been caught. We spotted that earlier instance through our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities, and that monitoring has again identified the same thing happening, with the new plugin this time being WP Dev Powers: ACF Color Coded Field Types.

We have long offered to provide the team running the Plugin Directory help to have a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have long offered the team running the Plugin Directory free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers. And the results of what they are doing instead speak for themselves. [Read more]

25 Apr 2019

What Security Review? Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the plugin WP Buddha Free Adwords Plugin (Free Adwords Campaigner), which we came across when our proactive monitoring of changes made to plugins in the Plugin Directory, intended to catch serious vulnerabilities, flagged that it contained an authenticated option update vulnerability present in older versions of the Freemius library, which has been widely exploited.

Yesterday, when we went to double check on that, we found that the plugin didn’t actually work when installed, since the developer had placed most of the files in the wrong place in the Subversion repository for it. But when we pulled a copy of the files from the Subversion repository and moved them to the correct location, we confirmed that the vulnerability is exploitable. That file placement issue has now been fixed, but the vulnerability remains in the plugin. [Read more]

8 Mar 2019

Vulnerability Details: Authenticated Information Disclosure in Freemius

Last Tuesday we discussed an authenticated option update vulnerability that had been fixed in the Freemius library, which is used in many WordPress plugins and which hackers had been targeting. At the same time that vulnerability was fixed in the library, another related vulnerability was also fixed. The other vulnerability was an authenticated information disclosure vulnerability that would allow anyone logged in to WordPress to view the value of arbitrary WordPress options (settings).

[Read more]

4 Mar 2019

WPScan Vulnerability Database Fails to Credit Us, But Did Incorrectly Claim Plugin Had Been Fixed From Freemius Vulnerability

When it comes to information on security topics, whether in security journalism or elsewhere, what we have found is that incorrect information is often provided that someone could have seen was incorrect if they could check the original source for it, but the original source isn’t listed. That is the case with the WPScan Vulnerability Database’s entry, created on Friday, on the authenticated option update vulnerability in the Freemius library we discussed Tuesday:

[Read more]