20 May

What Security Review? Another Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

A little less than a month ago we mentioned how a brand new WordPress plugin contained an authenticated option update vulnerability due to its use of an outdated version of the third-party Freemius library. That vulnerability has been widely exploited. Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, so either those reviews are not happening or they are failing to catch things that should have been caught. We spotted that through our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities, and that monitoring has again identified the same thing happening, this time with the new plugin WP Dev Powers: ACF Color Coded Field Types.

We have long offered to help the team running the Plugin Directory set up a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well, and we have long offered that team free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers, and the results of what they are doing instead speak for themselves.

25 Apr

What Security Review? Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the plugin WP Buddha Free Adwords Plugin (Free Adwords Campaigner), which we came across because our proactive monitoring of changes made to plugins in the Plugin Directory, intended to catch serious vulnerabilities, flagged that it contained the authenticated option update vulnerability present in older versions of the Freemius library, which has been widely exploited.

Yesterday, when we went to double check on that, we found that the plugin didn’t actually work when installed, since the developer had placed most of the files in the wrong place in its Subversion repository. But when we pulled a copy of the files from the Subversion repository and moved them to the correct location, we confirmed that the vulnerability is exploitable. That file placement issue has now been fixed, but the vulnerability remains in the plugin.

08 Mar

Vulnerability Details: Authenticated Information Disclosure in Freemius

This post provides the details of a vulnerability in a WordPress plugin that was not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it.

04 Mar

WPScan Vulnerability Database Fails to Credit Us, But Did Incorrectly Claim Plugin Had Been Fixed From Freemius Vulnerability

When it comes to information on security topics, whether in security journalism or elsewhere, we have found that incorrect information is often provided that someone could have recognized as incorrect if they could check the original source, but the original source isn’t listed. That is the case with the WPScan Vulnerability Database’s entry, created on Friday, on the authenticated option update vulnerability in the Freemius library that we discussed on Tuesday.

04 Mar

Trying to Hide Vulnerabilities That Are Already Being Exploited Can Make It Harder to Protect Websites Against Them

Last week we had an odd interaction with the developer of the Freemius library, who wanted us to take down a post about a fixed vulnerability in their library that, as far as we could tell, was already being targeted for exploitation through WordPress plugins containing it. That seemed odd to us, since the vulnerability was already being exploited, so we clearly hadn’t disclosed it, as they claimed was the problem with our post. We wondered whether they had missed the part about it apparently already being exploited (despite, among other things, that being the headline of our post) or whether they assumed we were wrong about that. It turns out they already knew exploitation was being attempted before they even fixed it:

On Monday, Feb 25th, 2019, we received a support email from a helpful developer that stumbled across a GitHub issue on the WooCommerce repository. The issue was created by a representative of a small hosting company that noticed suspicious activity on their servers. The rep included the relevant activity logs that indicated two potential attacks, and one of them was targeting a plugin running the Freemius SDK.

01 Mar

Our Plugin Security Checker Now Checks For Usage of Versions of Freemius with the Authenticated Option Update Vulnerability

To make it easy for those without a lot of technical skill to check whether plugins are impacted by the authenticated option update vulnerability that exists in older versions of the Freemius library, we have updated our Plugin Security Checker so that when a plugin including a vulnerable version of the library is checked, a warning about that is shown.

While that would usually mean the vulnerability is exploitable through the plugin, we oddly found that in one of the 1,000 most popular plugins, Ultimate Social Media PLUS (Social Share Icons & Social Share Buttons), the library is included but its usage has been disabled for 8 months. For some reason, even with a serious vulnerability having been found in the library, they haven’t removed it from their plugin, though they did promptly update to the fixed version of Freemius.

27 Feb

A Legal Threat and an Attempted Cover Up Of the Exploitation of the Freemius Authenticated Option Update Vulnerability

Yesterday we covered an authenticated option update vulnerability, which looks like it was already being exploited, in a third-party library, Freemius, that is included with many WordPress plugins. We had also reviewed the 1,000 most popular WordPress plugins to check whether they used a vulnerable version of that library and notified the developers of the impacted plugins. The response we have gotten from them and from the developer of the library has been rather troubling.

Take this message we got from the developer of a security plugin, of all things:

26 Feb

Hackers Are Probably Already Exploiting This Authenticated Option Update Vulnerability Just Fixed in Freemius

On Sunday we saw probing on our website, from what looked to be hackers, for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org. Considering that plugin is known to be vulnerable, we didn’t check further into what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.

As part of our daily monitoring of Subversion log messages from the WordPress Plugin Directory for mentions of security fixes, we found that 10 plugins had mentions of security fixes yesterday, which is way out of line with what we normally see and hinted that there might be a common issue between the plugins. As we started trying to figure out what was going on, we noticed that many of them were updating a third-party library, Freemius, which is described as a "[m]onetization, analytics, and marketing automation platform". In looking into that, we noticed that Freemius was citing WP Security Audit Log as using their library. Looking at the changes made to one of those plugins, we saw the possibility that a major vulnerability had been fixed. Further checking confirmed that an authenticated option update vulnerability was fixed, which would allow anyone with access to a WordPress account to take over a website. That is a type of vulnerability hackers have tried to exploit widely in the past, so there are likely to be plenty of attempts due to this one.