Patchstack

20 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 20

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Reflected Cross-Site Scripting in Smush

A couple of weeks ago Automattic’s WPScan claimed that the plugin Smush had contained an admin+ reflected cross-site scripting vulnerability that involves somehow getting an Administrator to upload a file to their website: [Read more]

11 May 2022

WordPress Plugin Developer Security Advisory: anadnet

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when alerted they haven’t done that, while other plugin developers either are unable or unwilling to properly secure their plugins. With the latter group, among the issues we have seen, are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisory, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

29 Apr 2022

Wordfence Doesn’t Appear to Understand the Security Implications of a Backup Plugin

A little over a month ago we noted that Automattic’s WPScan didn’t appear to understand the concept of a backup plugin, as they claimed that 4+ million install WordPress backup plugin, All-in-One WP Migration, contained a vulnerability that:

allows administrators to upload PHP files on their site [Read more]

26 Apr 2022

Automattic Appears to Have Falsely Claimed That Competing WordPress Security Plugin Contained Reflected XSS Vulnerability

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ millions installs according to wordpress.org. Recently another piece of Automattic, WPScan claimed a competing plugin, All In One WP Security, which has 1+ million installs had contained a reflected cross-site scripting (XSS) vulnerability (emphasis ours):

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk [Read more]

15 Apr 2022

CVE, WPScan, and Patchstack Claimed That Possible Security Issue Was Addressed Five Months Before It Was

One of the changelog entries for version 4.5.9 of the WordPress plugin Download Monitor, which was released last week, is:

Fixed: Security issues regarding file downloads and download titles [Read more]

31 Mar 2022

A Month Later, WordPress Still Hasn’t Taken Action for Websites With Backdoored Plugin They Distributed

On Februrary 28, we publicly warned that the WordPress plugin Mistape had what appeared to have a backdoor added in its latest release. Part of the code would contact the developer’s website and let them know if the plugin was installed. Another part would allow anyone to gain access to an account on the website with the Administrator role. The response from WordPress was to close the plugin in their plugin directory:

[Read more]

24 Mar 2022

WPScan Issues Two CVE IDs for Same Vulnerability While Failing to Warn for 7 Months That It Was Unfixed

On August 9, 2021, a security update was released for the WordPress plugin Favicon by RealFaviconGenerator, which has 200,000+ installs. The changelog for that was:

Fix XSS security issue, reported by WPSpan.com. See https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9?fbclid=IwAR2aRMXRjbGm9ppoI9tM-OHm26Q0ax4yt0MkcP5sp0-pz9D4eVIEHQwvG1Y [Read more]

23 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand The Implication of Being Able to Replace WordPress

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with we keep seeing.

One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is: [Read more]

18 Mar 2022

Security Vulnerability Data Providers Didn’t Actually Check if WordPress Plugin Vulnerability Was Fixed

Two months ago, a review of the WordPress plugin Category Specific RSS feed Subscription was made with the title “Exploit?” with this information provided:

Lot’s of bots are looking for this file used with this plugin: [Read more]

Plugin Vulnerabilities Posted in Analysis Analysis, Category Specific RSS feed Subscription, JVN, Patchstack, WPScan Leave a comment

3 Jan 2022

Patchstack, cPanel, and Plesk Falsely Claimed Fixed Vulnerability in WordPress Plugin Hadn’t Been Fixed

Among the many problems caused by the WordPress security industry is plugin developers having to deal with false claims that plugins are vulnerable. An example of that involved not just a WordPress security player, but two major names in the web hosting industry that are relying on unreliable data for a security solution.

Last week a topic on the WordPress support forum started this way: [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Patchstack News