Login

Tag Archives: Security Ninja

Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025
F

See issues causing the plugin to get less than A+ grade

28 Nov 2018

It Would Be a Good Idea for WordPress Plugin Developers to Check Their Plugins with Our Plugin Security Checker

Yesterday we noted that the developer of the WordPress security plugin Security Ninja plugin isn’t doing a great job with the security of their plugins. In the latest example, they could have spotted an issue before we are publicly disclosing it by simply checking the plugin with our Plugin Security Checker, which identifies possible security issues in WordPress plugins. While looking into the details of another instance of them fixing a vulnerability we had identified in one of their plugins while working on an improvement to the Plugin Security Checker, this time with the plugin Nifty Coming Soon & Maintenance page we ran the plugin through our tool and saw that it got flagged for possibly including a vulnerable version of the plugin Option Tree:

[Read more]

27 Nov 2018

Developer of WordPress Security Plugin Fails to Implement Basic Security Checks in Another of Their Plugins

If you were not too familiar with the security industry you would probably assume that if a company is the developer of a WordPress security plugin then other plugins they make would be quite secure. That turns out to not be the case with the developer of the Security Ninja plugin. Yesterday we full disclosed a minor vulnerability in one their other plugins, Google Maps Widget, which has 100,000+ installs according to WordPress.org. Then today we saw that they fixed a similar issue in another of their plugins, Minimal Coming Soon & Maintenance Mode, which has 60,000+ installs. In a reminder of how insecure some plugins are (even if the developer also has a security plugin), when we looked at the code being changed to fix that we noticed that in the same function there is another more serious vulnerability, one that wasn’t fixed.

The vulnerability allows anyone logged in to WordPress to disable the website by enabling the plugin’s maintenance mode. The vulnerability would also allow an attacker that gets someone logged in to WordPress that clicks a link the attacker creates to cause the website to be disabled as well. That is due to the failure of the developer to implement two rather basic security checks in the code. [Read more]

27 Jan 2017

Inaccurate Data on What Versions of WordPress Plugins Are Impacted By Vulnerabilities is Now Being Spread

When it comes to improving web security, whether it relates to WordPress or not, a big impediment we see to that happening is that it is very easy for inaccurate information to be spread. Oftentimes it is done by security companies, that either don’t know what they are talking about or who find that inaccurate information is useful for marketing their products.

A recent example of this relates to something we discussed back in September. Back then we came across a page that had a list of vulnerable plugins and it was suggested that you check over the list to see if you were using any. What the list seemed to be more of at the time was an attempt by the company behind it to promote their security plugin, Security Ninja. We say that because at the time the list was almost, if no entirely, just the free vulnerability data we include with the companion plugin for our service, which it would be much easy for people check for by installing the plugin instead of reading through a list. [Read more]

16 Dec 2016

No WordPress Security Plugin Prevented Exploitation of Unfixed Arbitrary File Upload Vulnerability in Popular Plugin

When it comes to the chances of vulnerabilities being exploited the reality is that many types of vulnerabilities are highly unlikely to have anyone even try to exploit them. Unfortunately far too often we see security companies and the press making a big deal of vulnerabilities that are are of little to no threat, while ignoring vulnerabilities and broader security issues that are leading to websites being hacked (that lead us to providing information on likelihood that a vulnerability is to be exploited to the data for our service). When it comes to types that are likely to be exploited, the arbitrary file upload vulnerability, which allows a hacker to upload files of any kind to a website, is probably the one with the most exploit attempts and also then ends up leading to the most websites being hacked. So if a WordPress security plugin is going to protect against any type of vulnerability this seems like this is the one you would most want it to be able protect against.

Back in September we tested out security plugins against this type of vulnerability and the results were not good. Of the 12 plugins tested only 3 provided any protection. The protections 2 of them provide was easily bypassed for this particular vulnerability and the remaining plugin’s protection also meant that Editor level and below users could not upload files either. [Read more]

26 Sep 2016

No WordPress Security Plugins Protected Against Recently Disclosed Vulnerability That Exposes WooCommerce Order Data

Recently we started testing to see what protection WordPress security plugins provide against vulnerabilities in other plugins (since plugins vulnerabilities are an actual source of websites being hacked, unlike some other things that these plugins make a big deal or providing protection against). The first vulnerability we tested could be used for serving up malware on a website and the second could give an attacker control over the website. Both of those are types of vulnerabilities that are the kind that are often thought of when discussing the security of websites, for example the very popular Wordfence plugin is advertised as “protecting your website from hacks and malware”. Not every security issue though falls into those categories. As you can guess from the name, an information disclosure vulnerability involves the disclosure of information that isn’t intended to be public and those can be a serious issue. For example, if you run an eCommerce you wouldn’t want your customers’ details to be accessible by the public.

WooCommerce is an popular eCommerce plugin for WordPress, which has over 1+ million active installs according to wordpress.org (we use it on this website). There are numerous plugins that expand on its functionality. The security of those isn’t always good. Among the issue we have found in some of those plugins this year were two arbitrary file upload vulnerabilities and a vulnerability that allowed changing the price of products. Recently David Peltier discovered that the plugin Order / Coupon / Subscription Export Import Plugin for WooCommerce (BASIC) had an information disclosure vulnerability that allowed anyone to get a copy of the orders made through WooCommerce on the website. Including in that is not only the details of the order, but the customer’s details, including address and email adress. That vulnerability has now been fixed. [Read more]

22 Sep 2016

Only One WordPress Security Plugin Fully Protected Against a Recently Disclosed Arbitrary File Upload Vulnerability

Last week we did our first test to see what protection that WordPress security plugins can provide against the exploitation of the vulnerabilities in plugins. The results for a persistent cross-site scripting (XSS) vulnerability were not good, with only 2 of the 11 plugins tested providing any protection and even the protection in those two was easily bypassed.

Earlier this week we disclosed a set of arbitrary file upload vulnerabilities in four plugins by the same developer. While these vulnerabilities are of the type that are likely to be exploited (you can now know how likely vulnerabilities are to be exploited with our service), after we contacted the developer, they took two weeks to fix one and the other three have yet to be fixed two months later. That shows a couple of the problems with being able to protect against plugin vulnerabilities at this time, one being that vulnerabilities are not fixed in a timely manner and the other being that simply keeping you plugins up to date will not protect you. [Read more]

14 Sep 2016

Web factory Ltd’s Sleazy Promotion of Their Security Ninja Plugin

One of things we think is important to understand about why security is in such bad shape these days is due to the poor state of security companies. If you were to comes up with a list of phrases to describe bad companies most security companies would match at least one of those. An example of a security company decidedly acting badly we came across recently is Web factory Ltd. They have website named WP Loop and we recently received a visit to our website from a page on their website entitled “Hacked, dangerous & vulnerable WordPress plugins”.

The page starts by stating: [Read more]