17 Nov 2023

Wordfence’s Plugin Vulnerability Data Copied From Competitors Continues to Not Be Impeccable

Recently the CEO of Wordfence, Mark Maunder, made this very strong claim about the quality of their (and, to a lesser degree, competitors’) data on vulnerabilities in WordPress plugins:

Our data is impeccable. Our competitors do a pretty darn good job too. [Read more]

14 Nov 2023

Changes WordPress Plugin Developers and Patchstack Can Take to Better Handle Vulnerabilities

Part of how we keep track of vulnerabilities in WordPress plugins is by monitoring the WordPress support forum for relevant topics. What we are seeing a lot these days are developers who are trying to deal with rather unclear claims of vulnerabilities in their plugins. Two weeks ago, we helped a developer get an issue in their plugin addressed after another provider, Patchstack, was, as usual, rather unhelpful. There are lessons here for plugin developers and for Patchstack. We don’t have much hope of Patchstack addressing its issues, since they are already long running and well known, but developers have a chance to pretty easily improve their handling of the security of their plugins.

Patchstack inaccurately claimed that the plugin Simple SEO contained a cross-site request forgery (CSRF) vulnerability. While that was part of the issue, the vulnerability was more serious than that, though still not a serious vulnerability. Here is the information they provided on that: [Read more]

14 Nov 2023

Using Our Plugin Security Checker to Find a Reflected XSS Vulnerability Patchstack Claimed Was in a Plugin

We have been seeing a recurring issue recently where users of WordPress plugins are asking the plugins’ developers if they are going to fix vulnerabilities that a WordPress security provider, Patchstack, has claimed are in their plugins. The developers are responding, accurately, that Patchstack hasn’t provided any details on what the issue is supposed to be. That obviously makes it difficult to address things if there really is a vulnerability, or to otherwise refute the claim. A recent instance of that involved a claim of a reflected cross-site scripting (XSS) vulnerability in the plugin WP Bannerize Pro.

Here are the “details” Patchstack provided: [Read more]

6 Nov 2023

News Outlet Claims WordPress Plugin Contained Vulnerability Because an Administrator Could Access the Website’s Database

On Friday, a news outlet that Google News includes, despite repeatedly running false stories about vulnerabilities in WordPress plugins, was at it again. Roger Montti writing for the Search Engine Journal, made this claim:

The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to hackers. [Read more]

30 Oct 2023

Hacker Appears to Wrongly Target WordPress Plugin Based on Patchstack’s Inaccurate Info on Vulnerability

On Saturday, a hacker was widely probing for usage of the WordPress plugin Thumbnail Slider With Lightbox. That was somewhat odd, as the plugin only has 1,000+ installs according to WordPress and in our data set of claimed vulnerabilities in the plugin, there were only claims of really minor vulnerabilities. So what explained their interest?

One thing that is abundantly clear based on monitoring we do is that hackers are focusing a lot on trying to exploit vulnerabilities highlighted by data providers we compete with. There is a sometimes uncomfortable relationship between these providers and hackers. For example, one of them is willing to sell information to hackers about vulnerabilities before they notify developers. [Read more]

5 Oct 2023

The WordPress Function sanitize_text_field() Isn’t Always Enough Security to Protect Against XSS

The Automattic-owned WPScan recently claimed a serious persistent cross-site scripting (XSS) vulnerability had been in a WordPress plugin and had been fixed. Their report lacked the kind of information that would be needed to easily recheck things. What was included didn’t seem promising. For example, they misspelled the word unauthenticated as “Unauthitncated”, which a spellchecker would have caught. Checking over things, we found the vulnerability did exist, but was incompletely fixed and is still exploitable. WPScan claims to have a “dedicated team of WordPress security experts”, so either there is widespread misunderstanding of a basic element of securing a WordPress plugin or they don’t really have that team. Assuming the former, let’s look at what they and the developer got wrong involving usage of the WordPress security function sanitize_text_field().

(Two other providers, Patchstack and Wordfence, who also claim to have experts generating their data, are also claiming this has been fixed despite the incomplete fix.) [Read more]

2 Oct 2023

Patchstack, Wordfence, and Developer Make Mess of Minor Vulnerability in 100,000+ Install WordPress Plugin

On Friday, the 100,000+ install WordPress plugin Optimize Database after Deleting Revisions was closed on the WordPress Plugin Directory without any explanation. The lack of explanation isn’t helpful for users of the plugin. A likely explanation is a mess related to a minor security vulnerability in the plugin. That vulnerability has been poorly handled by Patchstack, which started things, as well as by Wordfence and the developer of the plugin.

Users of the plugin have been left without clear information on what is going on with the vulnerability claim for months, which hopefully this can clear up. [Read more]

27 Sep 2023

Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ data. An explanation for that hacker targeting could be that WPScan was claiming that there is an unfixed SQL injection vulnerability in the plugin.

As of Saturday, the only information WPScan provided was this vague description of the issue: “The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users”. Without more information it would be difficult for anyone else to confirm their claim. They also stated that a proof of concept for the vulnerability would “be displayed on September 26, 2023, to give users the time to update.” Considering they were also claiming that this wasn’t fixed, there wouldn’t be any update to apply. So something seems amiss there. [Read more]

18 Sep 2023

Hacker Likely Targeting Unfixed Vulnerability in WordPress Plugin Mislabeled as Much Less Serious Vulnerability by Patchstack and Wordfence

Over the weekend, we saw one of the usual hackers who probe for usage of WordPress plugins probing for usage of a plugin named Export Import Menus. That plugin was closed on the WordPress Plugin Directory on September 12, with no explanation for the closure. Before it was closed, WordPress listed it as having 10,000+ active installs. Upon seeing that, what we needed to figure out was what a hacker might be interested in exploiting in the plugin and whether that is an already known issue. These days, hackers often target vulnerabilities being disclosed by other plugin vulnerability data providers. There was a recently disclosed vulnerability in the plugin, but one that wouldn’t be of much interest to hackers. With further checking, we found the vulnerability is actually much more serious than was claimed by other providers and would likely be a target for hackers.

If the team running the WordPress Plugin Directory had known about the severity of the vulnerability, they could and should have pushed out a fix for the vulnerability before a hacker started targeting the plugin. They also could have forced out an update to address it. Fixing it enough to prevent exploitation would have been very easy. It only takes two lines, which we show below. With the inaccurate information provided by other providers, though, they wouldn’t have known that this was a serious issue. [Read more]

8 Sep 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Still Contains Publicly Disclosed SQL Injection Issue

Often when we review claims about vulnerabilities in WordPress plugins, we find that the issues have only been partially addressed. That is the case with a vulnerability in the plugin POST SMTP, which has 300,000+ installs. The plugin vulnerability data provider WPScan released a rather vague report about a vulnerability in that plugin in June. It lacks a lot of information, like what the vulnerable code is or how it was fixed. It does contain this note:

Note: The AJAX actions are also affected by SQL injections, making the issue easier to exploit by being able to choose which email to resend, for example the latest email related to a password reset [Read more]