We do a lot to improve the security of WordPress websites through the work we do on the security of WordPress plugins for our service (in all likelihood we do more than all the other security companies with a WordPress focus combined). Unfortunately, what we have found is that people on the WordPress side of things seem more interested in covering up problems related to the security of plugins (and promoting security companies that are making WordPress websites less secure) than in actually working with others, like us, to improve them.
In a reminder of the negative impact of WordPress intentionally leaving those using vulnerable plugins unaware of it, there are still 3,000+ active installs, according to wordpress.org, of the plugin MailPress. Back in July of 2016 we noted that hackers appeared to be targeting it, while disclosing a vulnerability we had found in it after noticing the apparent hacker interest. At the time the plugin had already been removed from the Plugin Directory, and it remains removed today. The hacker interest has continued as well: multiple times in the last week we have seen probing for usage of the plugin on our website.
As detailed in another post about a vulnerability in the MailPress plugin, we recently had a request for a file from that plugin on this website. Since we are not using the plugin, such a request is usually an indication that someone is probing for usage of a plugin before exploiting something in it. While we could not find a vulnerability that we think would be the one a hacker would be trying to exploit, we did find a local file inclusion vulnerability that is serious and exploitable in the plugin's default state. We also found a capabilities change vulnerability that is exploitable when one of the plugin's built-in addons, Roles_and_capabilities, is enabled. That vulnerability would be very serious if untrusted users had accounts on the website.
One of the things we do to protect our customers from vulnerabilities in WordPress plugins is to monitor our websites for activity indicating that someone is looking to exploit a vulnerability in a plugin. That has recently allowed us to detect quite a few serious vulnerabilities that no one else appears to be spotting, so our service is the only one that actually provides you any warning, and therefore any protection, against them until they are fixed.
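The monitoring described above boils down to one signal: a request for a file under a plugin's directory when that plugin is not installed on the site. As an added example (not code from the original post or from any product), the script below runs that check over constructed access log lines in the common Apache/nginx "combined" format. The set of installed plugin slugs, the IP addresses, the file paths within the plugin directories and the slug `some-other-plugin` are all assumptions made for the example; `mailpress` is used only as the slug of a plugin that is not installed on the monitored site, as in the post.

```python
"""Detect probing for uninstalled WordPress plugins in web server access logs.

Added example, not the original post's or any product's code. Assumptions:
the log is in Apache/nginx "combined" format, and the set of plugins actually
installed on the site is known. The sample log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Plugins installed on the monitored site (assumption for the example).
INSTALLED_PLUGINS = {"akismet"}

# Constructed sample traffic (not real log data). IP addresses are from the
# documentation ranges; the paths inside plugin directories are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:10:01:02 +0000] "GET /wp-content/plugins/mailpress/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:01:03 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2017:10:02:10 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 5000 "https://example.org/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:01:04 +0000] "GET /wp-content/plugins/mail%70ress/mailpress.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2017:10:02:11 +0000] "GET /missing-page/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2017:10:05:00 +0000] "GET /wp-content/plugins/some-other-plugin/readme.txt HTTP/1.1" 404 209 "-" "curl/7.52.1"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# First path component under the plugins directory is the plugin slug.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/')


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def plugin_slug(target):
    """Return the plugin slug a request targets, or None if it is not a plugin file request."""
    # Drop the query string and decode %XX escapes so that an obfuscated
    # slug such as mail%70ress is still recognised as mailpress.
    path = unquote(urlsplit(target).path)
    m = PLUGIN_RE.match(path)
    return m.group(1).lower() if m else None


def detect_probes(log_text, installed=INSTALLED_PLUGINS):
    """Map each client IP to the sorted list of uninstalled plugin slugs it requested files from.

    Requests for files of installed plugins are normal browser traffic and are
    ignored. The HTTP status is deliberately not used as a filter: a 404 for a
    plugin file is exactly the signal, because it means the plugin is absent.
    """
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        slug = plugin_slug(rec["target"])
        if slug is None or slug in installed:
            continue
        probes[rec["ip"]].add(slug)
    return {ip: sorted(slugs) for ip, slugs in probes.items()}


if __name__ == "__main__":
    for ip, slugs in detect_probes(SAMPLE_LOG).items():
        print(f"{ip} probed for uninstalled plugins: {', '.join(slugs)}")
```

Run against the constructed lines, the script reports 203.0.113.5 probing for mailpress (once plainly and once with a percent-encoded slug and a query string) and 192.0.2.77 probing for some-other-plugin, while the akismet requests and the unrelated 404 are not flagged. On a real site the `INSTALLED_PLUGINS` set would be taken from the site's `wp-content/plugins` directory, and the slugs that show up most often across many sites are the ones worth investigating for a vulnerability the attacker is after.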