05 Feb

WordPress Team Helping to Introduce Remote Code Execution (RCE) Vulnerability on to Thousands of Websites

When do a lot to improve the security of WordPress websites through the work we do on the security of WordPress plugins for our service (in all likelihood we do more than all the other security companies with a WordPress focus combined). Unfortunately what we have found is that people on the WordPress side of things seem more interested in covering up problems related to the security of plugins (and promoting security companies that are making WordPress websites less secure) than actually working with others, like us, to improve them.

In response to part of that problematic behavior, we started full disclosing vulnerabilities in WordPress plugins until such time that the moderators on the WordPress Support Forum stopped acting inappropriately. Through that on January 11 we full disclosed a remote code execution (RCE) vulnerability that has been introduced in to the plugin MailPress, which was closed on the Plugin Directory at the time. We spotted that vulnerability through our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins. As part of our full disclosure process we tried to notify the developer of the issue through the WordPress Support Forum, but that message got deleted by the moderators. You might think that while deleting that they would at least make sure that something was done about the vulnerability, but as we already said, they and others on the WordPress side of things are more interested in covering up problems than fixing them. [Read more]

11 Jan

Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in an Unreleased Version of MailPress

In a reminder of the negative impact of WordPress intentionally leaving those using vulnerable plugins unaware of it, there are still 3,000+ active installs, according to wordpress.org, of the plugin MailPress. Back in July of 2016 we noted that it appeared that hackers were targeting it, while disclosing a vulnerability we had found in it after noticing the apparent hacker interest. At the time the plugin had already been removed from the Plugin Directory and remains so today. The hacker interest has continued as well, as multiple times in the last week we have seen probing for usage of the plugin on our website.

In the meantime the developer has at various times submitted changes to the plugin and one of the recent changes was flagged by our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins. Maybe not surprisingly considering that the plugin appears to have had a vulnerability that was serious enough that hackers would be interested in exploiting it and that the developer has yet to get the issue resolved that lead to the plugin being removed, it turns out that versions of the plugin that have not been released contain a remote code execution vulnerability. [Read more]

14 Jul

Capabilities Change Vulnerability in MailPress

As detailed in other post about a vulnerability in the MailPress plugin, we recently had a request for a file from that plugin on this website, which since we are not using the plugin, is usually an indication that someone is probing for usage of a plugin before exploiting something in it. While we could not find a vulnerability that we think would be the one that a hacker would be trying to exploit, we did find a local file inclusion vulnerability that is serious and exploitable in the plugin’s default state. We also found a capabilities change vulnerability that is exploitable in the plugin when one of the the plugin’s built-in addons, Roles_and_capabilities, is enabled. That vulnerability would be very serious if non trusted users had accounts on the website .

As mentioned in greater detail in the other post, through the file /mp-includes/action.php it is possible for anyone to make requests to functions that have names that start “mp_action_”. One such action is mp_action_r_and_c(), located in the file /mp-content/add-ons/MailPress_roles_and_capabilities.php. The function has no security checks in place as you can see below, so anyone can add or remove capabilities to WordPress roles if the addon is enabled: [Read more]

14 Jul

Local File Inclusion (LFI) Vulnerability in MailPress

One of the things we do to protect our customers from vulnerabilities in WordPress plugins is to monitor our websites for activity indicating that someone is looking to exploit a vulnerability in a plugin. That recently has been allowing us to detect quite a few serious vulnerabilities that it looks like no one else is spotting, so our service is the only one that actual provides you any warning and therefore any protection against them until they are fixed.

Usually by just knowing that a plugin appears to be of interest to hackers we are able to identify a vulnerability that hackers would actually exploit and is likely the vulnerability that they are attempting to exploit. In the latest case we were not able to figure out what that might be due largely to the fact the plugin is so insecure it is hard to narrow down where we might need to look to figure out what it is they are targeting. We did find one vulnerability that is very serious and could be targeted with the plugin in its default state, but it is not a type of vulnerability that is often exploited, so if the plugin is being targeted by hackers there is likely something else out there as well. [Read more]