28 Apr 2023

Not Really a WordPress Plugin Vulnerability, Week of April 28

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated (Administrator+) SQL Injection via ‘replace_urls’ in Elementor

Yesterday, we issued an advisory warning about using plugins developed by Elementor, in part based on a security issue we found is still in the plugin. We found that while reviewing a security change being made in the latest version of the plugin. Wordfence claimed that the change fixed a vulnerability: [Read more]

24 Apr 2023

iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Recently, iThemes (which is being rebranded as SolidWP) and their partner, Patchstack, have been incorrectly claiming that a 100,000+ install WordPress plugin, Download Manager, contained an unfixed vulnerability. The problem stems in part from confusion with a claim that the vulnerability had been in Download Manager Pro and also from Patchstack’s data not properly listing which versions of a plugin are vulnerable (this isn’t the first time recently there has been this combination of problems). Incredibly, once this was brought to iThemes’ attention by one of their customers, their response was not to fix this, but to tell the customer that the plugin developer had to get in touch with Patchstack to address this:

Since the one you’re using is the free version (3.2.70), but it is still being flagged as vulnerable by the Site Scanner, I recommend reaching out to the plugin developers for the possibility of updating the reflected information on Patchstack. [Read more]

20 Apr 2023

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known vulnerability and that the plugin had remained in the WordPress Plugin Directory despite that. That isn’t a one-off issue. Today we saw the same hacker probing for usage of the ReviewX plugin, which is still in the plugin directory. That isn’t a surprise, as the plugin has recently had an authenticated SQL injection vulnerability disclosed. More problematically, as we warned about two weeks ago, it was incorrectly claimed to have been fixed.

In our previous post, we noted that the incorrect claim that this had been fixed had been included in the CVE system, which is funded by the US government. CVE is a system that is treated as a reliable and notable source of information on vulnerabilities, for reasons we can’t understand. In reality, they allow just about anyone to add data to the system and there isn’t a functioning system to make sure it is accurate. With this vulnerability, we reported that the information was incorrect to the company that put the information into the CVE system, but it hasn’t been corrected. Here is the current state of the entry, still claiming that this affected versions before 1.6.4: [Read more]

19 Apr 2023

WP Engine Didn’t Disclose They Were Fixing Vulnerability in 200,000+ Install WordPress Plugin

Recently, the WordPress security provider Patchstack claimed that a cross-site request forgery (CSRF) vulnerability had been fixed in the 200,000+ install WordPress plugin PHP Compatibility Checker. Patchstack has a track record of providing inaccurate information on vulnerabilities in WordPress plugins, so you can’t take them at their word that there really was a vulnerability or that it has been fixed. Unfortunately, they also don’t provide basic information to double check their claims. In this case, they provide this description of what CSRF is as the “details” of the vulnerability:

 Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress PHP Compatibility Checker Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.6.0. [Read more]

10 Apr 2023

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence had known about the vulnerability, but hadn’t made sure the plugin was removed. While checking into a claimed vulnerability to add it to our data set, we found another instance of that, which is more troubling.

In February, a Wordfence employee named Chloe Chamberland wrote a strange post on Wordfence’s blog that claimed in the headline, “the WordPress ecosystem is becoming more secure with responsible disclosure becoming More Common”. It is strange because the body of the post never mentions the phrase responsible disclosure or makes any mention of it. Instead, the author seems to be trying to suggest that doing something other than responsible disclosure is responsible disclosure. Responsible disclosure involves notifying a developer of a vulnerability and giving them a chance to resolve it, before notifying anyone else. The post is actually suggesting directing reporting of vulnerabilities in WordPress plugins away from the developers and WordPress: [Read more]

3 Apr 2023

WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Many of those vulnerabilities have been SQL injection vulnerabilities. Over the weekend we saw them looking for usage of the WordPress plugin Gift Voucher. That isn’t surprising considering that there is an unfixed SQL injection vulnerability that was publicly disclosed by Tenable on March 22. What is surprising is that the plugin is still available in the WordPress Plugin Directory as of now:

[Read more]

16 Mar 2023

Our Firewall Plugin Caught That Jetpack’s “Internal Audit” of Slimstat Analytics Missed That Vulnerability Still Exists

Recently, Automattic’s Jetpack claimed to have done an “internal audit” of the WordPress plugin Slimstat Analytics and found an authenticated SQL injection vulnerability that was subsequently fixed. We don’t know what an internal audit is supposed to be, but they failed to fully test or check over the vulnerable code, and the authenticated SQL injection vulnerability still exists (which isn’t that surprising, considering the discoverer is a former employee of Sucuri). They also missed another security issue in the relevant code, which helped lead to the vulnerability still existing. Interestingly, an in-development feature of our firewall plugin caught that the issue hadn’t been fully resolved.

Another Automattic unit, WPScan, also missed that this wasn’t fully resolved: [Read more]

15 Mar 2023

Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence

Providing accurate information on vulnerabilities in WordPress plugins can require a lot of work, but doing the work avoids causing false alarms for users of plugins and for the developers of them. Unfortunately, security companies can cut corners, claim to do things they don’t, and still get treated as if their information is reliable. Patchstack is a prime example of that: they run with wildly inaccurate information (we will get to the latest example in a second), yet get promoted in the WordPress space by the likes of the WP Tavern (which refused to run a reply refuting information in the linked post).

One of the things we do to keep track of vulnerabilities in WordPress plugins for our customers is monitoring for relevant topics on the WordPress Support Forum. That sometimes leads to us finding that hackers are exploiting an unfixed vulnerability, and it often leads to us seeing how much inaccurate information is being spread by other providers. [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, who all claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem in the form of a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]