11 Sep 2024

WordPress Continues to Fail to Properly Address Malicious Code Loaded on Thousands of Websites

In December 2022, an update was released for the WordPress plugin Bulk Delete Comments that caused a JavaScript file containing malicious code from a third-party website to be loaded onto the admin area of websites using the plugin. That was immediately noticed by users of the plugin, and the plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]

7 Aug 2024

Hacker Tried to Exploit Our Website Based on Fake Vulnerability Claim From Patchstack

One thing that differentiates our WordPress firewall plugin from other firewall plugins is that we try to give users a good understanding of the risk posed by attacks, instead of scaring people unnecessarily. That lack of respect for users from other providers extends to other areas, particularly false claims that other WordPress plugins contain vulnerabilities. Those two issues came together recently, when we were checking on a hacker’s attempt to exploit a vulnerability on our own website.

In August of last year, Patchstack claimed that there had been a vulnerability in the WordPress plugin Stock Ticker. They claimed it was “moderately dangerous” and “expected to become exploited:” [Read more]

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

It is very common for vulnerabilities in WordPress plugins not to really be fixed, and many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though, one that keeps “your website vulnerabilities up to date” instead of fixing them: [Read more]

29 Apr 2024

Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability

While reviewing a recent hacker attempt to try to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that a WordPress plugin contained a serious vulnerability.

Here is the log entry for the attempt that was stopped: [Read more]

13 Feb 2024

Hacker Likely Targeting This Incompletely Fixed Authenticated Plugin Installation Vulnerability in WordPress Plugin NextMove Lite

Today we saw a hacker probing for usage of the WordPress plugin NextMove Lite on our websites with the following request:

/wp-content/plugins/woo-thank-you-page-nextmove-lite/assets/css/xlwcty-public-rest.css [Read more]

9 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9

Our customers provide us with the ability to help make WordPress plugins more secure, mostly with plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it here to give a better understanding of what is going on and of how signing up for our service can help to expand that work.

Vulnerability in WordPress Hosting Benchmark tool Partially Fixed

Last week, we reached out to the developer of the WordPress plugin WordPress Hosting Benchmark tool to let them know that an attempt to fix a vulnerability in their plugin had failed and that the vulnerability was more severe than they claimed. The misidentification of the issue looks to be caused in part by a competitor of ours, Patchstack, not properly reviewing a claim they received of a vulnerability in the plugin (which is a common occurrence). We looked into that because at least one of our customers was using the plugin. [Read more]

8 Feb 2024

Hacker Targeted WordPress Backup Plugin Didn’t Actually Get Fix for Log File Disclosure

Two days ago, we discussed one vulnerability that was recently fixed in the WordPress backup plugin FastDup, while looking into why a hacker might be targeting the plugin. There was another vulnerability that was supposed to have been fixed. Patchstack claimed that there had been a sensitive data exposure via log file vulnerability in the plugin. As usual, they didn’t provide the information needed to check whether the vulnerability was real and, if it was real, whether it had been fixed. It appears that either they got some basic details wrong about the vulnerability and it wasn’t fixed, or what they were claiming was a vulnerability wasn’t one, but a similar vulnerability really did exist in the plugin. Confused? So are we. So let’s go through what we found.

The vulnerability was supposed to be fixed in version 2.1.8 of the plugin. The change made in that version was to the additional value appended to the filenames of files created by the plugin: previously that value was derived from the current time using the PHP function time(), and it was changed to a randomly generated value. That would make it harder to guess the names of files, but with either one, it isn’t something that would be easy to guess unless you knew when a backup was made. The files should be blocked from being accessed directly, so the name shouldn’t even matter. [Read more]

5 Feb 2024

WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability

It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, describing the claimed vulnerability:

An unknown person discovered and reported this Sensitive Data Exposure vulnerability in WordPress CloudFlare Plugin. This vulnerability has been fixed in version 4.12.3. [Read more]

26 Jan 2024

Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator expressing concern about continuing to use the plugin because Wordfence claims it contains a “critical vulnerability:”

This critical vulnerability has me worried. It keeps coming up in my Wordfence scans. I’m thinking about deactivating and deleting this plugin for now (at least until it’s patched). [Read more]

25 Jan 2024

Trying to Decipher a Vulnerability Claim for a WordPress Plugin

Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed the difficulty of trying to vet vulnerability claims in WordPress plugins.

In trying to figure out what was going on, we tried visiting the two links included in Patchstack’s information. Both links are broken. Looking at an archived copy of one of them, a changelog for the plugin, it doesn’t make any mention of a security fix in the version Patchstack claims fixes this. Here is what is listed for that version: [Read more]