22 Jan 2024

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on believing that all previous versions of the plugin were vulnerable:

The issue impacts all versions of the plugin up to 2.8.7 [Read more]

19 Jan 2024

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus of the plugin. A WP Tavern story about that provided an explanation from the developer on why that should be in this plugin:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next. [Read more]

16 Jan 2024

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is that they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities have actually been fixed, or if they even existed, before widely making claims about supposed vulnerabilities. We will get into more detail about that in a few moments, but first we will take a look at a couple of other recent examples, which show that this wasn’t a one-off fluke.

We should note at the outset that the CEO of Wordfence, Mark Maunder, recently claimed their “data is impeccable” when we brought up the well-known problems with it. [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a persistent cross-site scripting (XSS) vulnerability, a type of vulnerability that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

7 Dec 2023

Digging In To The Authenticated Arbitrary File Upload Vulnerability in Elementor

Yesterday, an update was released for the 5+ million install WordPress plugin Elementor with a changelog entry suggesting a security issue was addressed: “Fix: Improved code security enforcement in File Upload mechanism.” While looking into this, we found that Elementor appears to have multiple issues. We found the plugin did have an arbitrary file upload vulnerability, which you could argue is now fixed or not. Based on what we know now, we would say it is fixed, though insecurity remains, and there may be something we are missing. (Update 12/8: Elementor has released a second fix to address the remaining insecurity.) As we have been saying since April, we would recommend not using plugins from Elementor based on repeated incidents of poor security handling.

Other Providers’ Claims

It appears that, based on that changelog, the WordPress security provider Wordfence claimed there was a fixed or unfixed authenticated (Contributor+) arbitrary file upload to remote code execution via template import vulnerability in the plugin, which they described this way: [Read more]

6 Dec 2023

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations where, unsurprisingly, there wasn’t helpful information being provided. Things have been slightly better on the WordPress support forum for the plugin, but there was still alarmist information. One topic is titled, “Security breach and vulnerability in all versions.” Wordfence, in turn, is citing Patchstack when making this claim. The reality is that there isn’t a vulnerability, something the WordPress security team told the original source of the claim, but which Wordfence and Patchstack have ignored.

While Wordfence and Patchstack are both claiming that this is an issue with the Gutenberg plugin, that isn’t what the original source they are citing says. Their post is titled “CVE-2022-33994:- Stored XSS in WordPress” and they start it this way: [Read more]

5 Dec 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Is Still Adding Vulnerable Code

In September, we wrote about how the WordPress plugin POST SMTP, which has 300,000+ installs, still contained SQL injection issues months after a public claim of a vulnerability involving that (and still does today). We also noted that the plugin was part of the Vulnerability Disclosure Program (VDP) of one of our competitors, Patchstack. The program doesn’t really make sense, as we noted at the time, because you are contacting a third-party security provider instead of the developer of the software, who can actually address vulnerabilities. It also wasn’t possible through that program to report security issues that are not vulnerabilities, despite the need for the developer to address them. If a plugin developer is part of that program, it would suggest they lack an interest in properly securing their plugins, which the security of this plugin continues to point to.

While reviewing yet another attempt at a security fix in the plugin made on November 1, we noticed that new vulnerable code was being added to the plugin. That involves a failure to implement basic security, and the plugin appears to contain multiple other vulnerabilities because of other instances of the same failure. [Read more]

27 Nov 2023

Patchstack vs Wordfence WordPress Plugin Vulnerability Data: It’s Largely The Same Inaccurate Data

When it comes to protecting WordPress websites from vulnerabilities in WordPress plugins, one piece of the solution involves being warned if you are using plugins with known vulnerabilities. Doing that well requires doing a lot of work. That is something that two providers, Patchstack and Wordfence, claim to do. Patchstack markets their data this way:

Hand curated, verified and enriched vulnerability information by Patchstack security experts. [Read more]

27 Nov 2023

Patchstack’s Plugin Vulnerability Data Continues to Not Be Impeccable Either

There are many sources for data on WordPress plugin vulnerabilities. Or there appears to be. In reality, most sources are simply copying their data from the others. The results of that are often quite poor, which the providers simply deny. Recently the CEO of Wordfence, Mark Maunder, made this very strong claim about the quality of their (and, to a lesser degree, competitors’) data on vulnerabilities in WordPress plugins:

Our data is impeccable. Our competitors do a pretty darn good job too. [Read more]

22 Nov 2023

300,000+ Install Widgets for Google Reviews WordPress Plugin Doesn’t Contain a High Risk Arbitrary File Upload Vulnerability

One of the ways we keep track of possible vulnerabilities in WordPress plugins is to monitor the WordPress Support Forum for discussions related to those. Today, there was a concerning claim of a high risk vulnerability in a plugin that is used by at least one of our customers, as well as 300,000+ websites, Widgets for Google Reviews. Another user of the plugin was claiming that it contained a “high risk vulnerability as it allows the upload of backdoors”. They also said this was an arbitrary file upload vulnerability. They were not the original source for the claim; instead, it was Patchstack.

Patchstack’s own claims were similar. They, for example, wrote that the claimed vulnerability would “allow a malicious actor to upload any type of file to your website”. It’s only if you click a button labeled “Show technical details” that they bother to mention a critical detail: the attacker, they say, would need to have the WordPress Editor role or above to exploit this. [Read more]