11 Aug 2021

Existing WordPress Security Plugins Fail to Protect Against PHP Object Injection Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found that only three provided any protection, and only one of them had protection that couldn't be easily bypassed. In another, we found that no plugins provided protection, despite one of them supposedly having protection, and we later found that another one that was supposed to have since gained protection also didn't provide any.

Based on those results and later testing, what we saw was that there was a place for a firewall plugin as one piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn't recommend them not only because of the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can't trust a security company, then you probably shouldn't rely on it). That has led to us working on our own firewall plugin, which we plan on releasing soon. [Read more]

9 Aug 2021

Existing WordPress Security Plugins Fail to Provide Non-Bypassable Protection Against Easy to Stop WordPress Plugin Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found that only three provided any protection, and only one of them had protection that couldn't be easily bypassed. In another, we found that no plugins provided protection, despite one of them supposedly having protection, and we later found that another one that was supposed to have since gained protection also didn't provide any.

Based on those results and later testing, what we saw was that there was a place for a firewall plugin as one piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn't recommend them not only because of the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can't trust a security company, then you probably shouldn't rely on it). That has led to us working on our own firewall plugin, which we plan on releasing soon. [Read more]

4 Aug 2021

There Are So Many Issues With Jetpack’s Post on Claim of a “Very Severe” Vulnerability in a WordPress Plugin

Often, blog posts from companies offering security services read like an inadvertent warning that these companies are dishonest and lack a basic grasp of security, if read by someone also in the field. That is the case with a recent post on the blog of Automattic's Jetpack service, which overstates the impact of a vulnerability while also indicating that the author and the rest of their security team don't have a basic grasp of the security issue involved. Making that not too surprising is that the author of the post is a former employee of an incredibly shady security company, Sucuri.

“Very Severe”

One of the problems we have long seen with security companies discussing vulnerabilities in WordPress plugins is that they overstate the impact of them. Jetpack's post is titled "Severe Vulnerability Patched In WooCommerce Currency Switcher", and in the first sentence they claim that the vulnerability is a "very severe local file inclusion vulnerability". Would you guess, based on that, that the vulnerability is highly unlikely to be exploited and doesn't have any impact on its own? We would guess not. [Read more]

21 Feb 2020

Not Really a WordPress Plugin Vulnerability, Week of February 21

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find that there are reports for things that don't appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven't felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don't rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Remote File Upload in Contact Form 7

A claimed remote file upload vulnerability in the Contact Form 7 plugin is a good example of the fact that the appearance of a credible vulnerability report can be false. While the report has a proof of concept for the claimed issue, which would seem to indicate that the reporter had tested it, they clearly didn't. That proof of concept has a request sent directly to a file in the plugin, /modules/file.php, but if you send a request directly to that file it will cause a fatal error when the first line of code in the file runs: [Read more]
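The check a reviewer wants to make before trusting a proof of concept of this kind is whether the targeted file can run at all when requested directly, outside of WordPress. The following Python helper is an added example, not code from the original post and not code from Contact Form 7: it reads PHP source and reports whether a direct request would be stopped by an ABSPATH guard, would die with a fatal error because the first executable statement calls a WordPress function that is undefined when WordPress is not loaded, or would actually execute and so deserves a closer look. The list of WordPress functions and the three sample files are constructed for the example, and the comment stripping is a regex heuristic rather than a real PHP tokenizer.

```python
"""Triage helper for "send a request directly to a plugin file" PoCs.

Added example (not from the original post, not Contact Form 7 code).
Classifies what a direct HTTP request to a PHP file would most likely do
when the file is loaded without the WordPress bootstrap:

  guarded     an ABSPATH/WPINC guard exits before anything else runs
  fatal       the first executable statement calls a WordPress API
              function, so PHP dies with "Call to undefined function"
  standalone  nothing WordPress-specific runs first; the file may really
              execute, so the PoC deserves a closer look
"""
import re

# Assumed subset of WordPress API functions that do not exist when a plugin
# file is requested directly. Extend as needed; this is not an inventory.
WP_FUNCTIONS = (
    "add_action", "add_filter", "do_action", "apply_filters",
    "wp_enqueue_script", "wp_enqueue_style", "register_activation_hook",
    "esc_html", "esc_attr", "wp_die", "plugin_dir_path",
)

_WP_CALL = re.compile(r"\b(" + "|".join(WP_FUNCTIONS) + r")\s*\(")
_GUARD = re.compile(r"defined\s*\(\s*['\"](ABSPATH|WPINC)['\"]\s*\)")


def strip_php_noise(src: str) -> str:
    """Drop the opening tag and comments so only executable code remains.
    Regex-based and adequate for triage; it is not a PHP tokenizer."""
    src = re.sub(r"^\s*<\?php", "", src)
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)      # block comments
    src = re.sub(r"(?m)(//|#).*$", "", src)              # line comments
    return src


def first_statement(src: str) -> str:
    """Return the first executable statement, cut at ';' or '{'."""
    code = strip_php_noise(src).lstrip()
    end = re.search(r"[;{]", code)
    return code[: end.start()].strip() if end else code.strip()


def classify_direct_access(src: str) -> str:
    """Classify a PHP file as 'guarded', 'fatal' or 'standalone'."""
    stmt = first_statement(src)
    if _GUARD.search(stmt):
        return "guarded"
    if _WP_CALL.search(stmt):
        return "fatal"
    return "standalone"


# Constructed sample files (not real plugin code).
MODULE_LIKE = """<?php
/**
 * Module-style file: registers a form tag on a WordPress hook.
 */

add_action( 'example_init', 'example_register_tag', 10, 0 );

function example_register_tag() {
}
"""

GUARDED = """<?php
if ( ! defined( 'ABSPATH' ) ) {
\texit;
}

add_action( 'init', 'example_init' );
"""

STANDALONE = """<?php
// No WordPress dependency before user input is used: worth investigating.
$target = $_GET['file'] ?? '';
echo file_get_contents( $target );
"""


if __name__ == "__main__":
    for name, src in (("module", MODULE_LIKE), ("guarded", GUARDED),
                      ("standalone", STANDALONE)):
        print(f"{name:10s} first statement: {first_statement(src)!r}")
        print(f"{name:10s} direct access -> {classify_direct_access(src)}")
```

A file classified as "fatal" cannot be the entry point the proof of concept claims, since the request dies before any upload handling code is reached; only a "standalone" result means the request in the report could plausibly have done anything, and even then the file still has to be read to confirm what it does with the input.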

13 Jun 2017

Automattic Seems More Committed to Marketing Their Jetpack Service Than to a Safer WordPress Experience

For years, WordPress has been knowingly leaving websites at risk of being hacked due to a refusal to warn when plugins are in use that are known to be vulnerable and have been removed from the Plugin Directory for that reason. Considering the damage that this causes and the absence of any reasonable argument for not warning people, at times when removed plugins have been widely exploited we have started to wonder whether this might be due not to gross negligence but to something more nefarious.

The company closely associated with WordPress, Automattic, does have several products marketed as security products, Jetpack and VaultPress, so allowing websites to be hacked to help those services could be an explanation, though we highly doubt it. That being said, Automattic doesn't seem to have the best interests of the public at heart when it comes to security. For example, they have helped other security companies in pushing the false notion that there are many brute force attacks against WordPress admin logins, which takes the focus away from real security threats like unfixed vulnerable plugins. [Read more]