Login

Tag Archives: Security Plugin Testing

12 Aug 2021

Five WordPress Security Plugins Provide Some Protection Against Unfixed Reflected XSS Vulnerability in Plugin with 200,000+ Installs

Update: We originally incorrectly listed the plugin All In One WP Security & Firewall as not providing any protection, when in fact it did provide protection that was easily bypassed. We apologize for the mistake.

In the mess that is the current handling of security of WordPress plugins, many people rely and trust companies to provide them accurate information on vulnerabilities in plugins that they use, while the companies appear to have no concern if the information they provide is accurate. The ultimate source of their data is often a company named WPScan, which is well documented to not be concerned about the quality of their data. [Read more]

12 Aug 2021

Why NinjaFirewall’s PHP Object Injection Protection Failed to Prevent Vulnerability in WordPress Plugin From Being Exploited

As part of working on our WordPress firewall plugin, we are doing tests to make sure our plugin’s protection works and to see what protection, if any, other existing plugins provide. While being able  to show that our plugin is already providing protection that no other plugin provides is good for marketing the plugin, it isn’t the best result for trying to improve the plugin as we can’t learn too much from other plugins if they don’t provide protection.

In the latest test we did, we were surprised to find that no other plugin plugin provided protection, as it looked like the plugin NinjaFirewall should. The vulnerability being tested is a PHP object injection vulnerability we had discovered, and the default Advanced Policies settings for the NinjaFirewall made it look like it should provide protection against that type of vulnerability and this particular instance of it: [Read more]

11 Aug 2021

Existing WordPress Security Plugins Fail to Protect Against PHP Object Injection Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection and only one of them had protection that couldn’t be easily bypassed. In another, we found no plugins provided protection despite one of them having supposed to have had protection and we later found that another one that was supposed to have later gained protection also didn’t provide protection.

Based on those results and later testing, what we saw was that there was a place for a firewall plugin as a piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn’t recommend them not only due to the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can’t trust a security company then you probably shouldn’t rely on them). That has led to us working on our own firewall plugin, which we plan on releasing soon. [Read more]

10 Aug 2021

NinjaFirewall and Wordfence Security’s XSS Protection Still Have Publicly Known Bypass Five Years Later

As part of the development of our upcoming firewall plugin for WordPress, we are doing new tests of security plugins to see if they can prevent exploitation of vulnerabilities in WordPress plugins to help us improve on existing firewall plugins’ protections. We are also going back over the results of the similar tests we did back in 2016.

In one of those tests, involving a persistent cross-site scripting (XSS) vulnerability, we found that only two of the plugins we tested, NinjaFirewall and Wordfence Security, provided any protection. What we also found was that it was incredibly easy to bypass the protection they provided. All it took to bypass them was adding a single backslash in the right location and their protection was defeated. That wasn’t a great indication of the quality of those plugins. [Read more]

9 Aug 2021

Existing WordPress Security Plugins Fail to Provide Non-Bypassble Protection Against Easy to Stop WordPress Plugin Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection and only one of them had protection that couldn’t be easily bypassed. In another, we found no plugins provided protection despite one of them having supposed to have had protection and we later found that another one that was supposed to have later gained protection also didn’t provide protection.

Based on those results and later testing, what we saw was that there was a place for a firewall plugin as a piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn’t recommend them not only due to the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can’t trust a security company then you probably shouldn’t rely on them). That has led to us working on our own firewall plugin, which we plan on releasing soon. [Read more]

16 Dec 2016

No WordPress Security Plugin Prevented Exploitation of Unfixed Arbitrary File Upload Vulnerability in Popular Plugin

When it comes to the chances of vulnerabilities being exploited the reality is that many types of vulnerabilities are highly unlikely to have anyone even try to exploit them. Unfortunately far too often we see security companies and the press making a big deal of vulnerabilities that are are of little to no threat, while ignoring vulnerabilities and broader security issues that are leading to websites being hacked (that lead us to providing information on likelihood that a vulnerability is to be exploited to the data for our service). When it comes to types that are likely to be exploited, the arbitrary file upload vulnerability, which allows a hacker to upload files of any kind to a website, is probably the one with the most exploit attempts and also then ends up leading to the most websites being hacked. So if a WordPress security plugin is going to protect against any type of vulnerability this seems like this is the one you would most want it to be able protect against.

Back in September we tested out security plugins against this type of vulnerability and the results were not good. Of the 12 plugins tested only 3 provided any protection. The protections 2 of them provide was easily bypassed for this particular vulnerability and the remaining plugin’s protection also meant that Editor level and below users could not upload files either. [Read more]

28 Sep 2016

The Tradeoff That Comes With a WordPress Security Plugin’s Ability to Prevent a Vulnerability From Being Exploited

We have now done three tests to see what protection WordPress security plugins provide against a real threat to WordPress websites, vulnerabilities in other plugins. We can find little in the way of similar testing having been done in the past, which should be troubling when you consider how often people are recommending these plugins. But it is in line what we find on wider basis when it comes to security products and services, a lack of evidence back claims about them, many of those claims being rather extraordinary to anyone who has a good understanding of security and therefore really need strong evidence to back them.

The results of the test haven’t been good for those claiming that these plugins will protect your website. In the first test, of a persistent cross-site scripting (XSS) vulnerability, only 2 of the 11 plugins tested any protection and that protection was easily bypassed. In the second test, of arbitrary file upload vulnerability, only 3 of the 12 test plugins provide any protection and the protection 2 of the 3 provided was easily bypassed. In the third test, of an information disclosure vulnerability, none of the 12 plugins provided any protection. [Read more]

26 Sep 2016

No WordPress Security Plugins Protected Against Recently Disclosed Vulnerability That Exposes WooCommerce Order Data

Recently we started testing to see what protection WordPress security plugins provide against vulnerabilities in other plugins (since plugins vulnerabilities are an actual source of websites being hacked, unlike some other things that these plugins make a big deal or providing protection against). The first vulnerability we tested could be used for serving up malware on a website and the second could give an attacker control over the website. Both of those are types of vulnerabilities that are the kind that are often thought of when discussing the security of websites, for example the very popular Wordfence plugin is advertised as “protecting your website from hacks and malware”. Not every security issue though falls into those categories. As you can guess from the name, an information disclosure vulnerability involves the disclosure of information that isn’t intended to be public and those can be a serious issue. For example, if you run an eCommerce you wouldn’t want your customers’ details to be accessible by the public.

WooCommerce is an popular eCommerce plugin for WordPress, which has over 1+ million active installs according to wordpress.org (we use it on this website). There are numerous plugins that expand on its functionality. The security of those isn’t always good. Among the issue we have found in some of those plugins this year were two arbitrary file upload vulnerabilities and a vulnerability that allowed changing the price of products. Recently David Peltier discovered that the plugin Order / Coupon / Subscription Export Import Plugin for WooCommerce (BASIC) had an information disclosure vulnerability that allowed anyone to get a copy of the orders made through WooCommerce on the website. Including in that is not only the details of the order, but the customer’s details, including address and email adress. That vulnerability has now been fixed. [Read more]

22 Sep 2016

Only One WordPress Security Plugin Fully Protected Against a Recently Disclosed Arbitrary File Upload Vulnerability

Last week we did our first test to see what protection that WordPress security plugins can provide against the exploitation of the vulnerabilities in plugins. The results for a persistent cross-site scripting (XSS) vulnerability were not good, with only 2 of the 11 plugins tested providing any protection and even the protection in those two was easily bypassed.

Earlier this week we disclosed a set of arbitrary file upload vulnerabilities in four plugins by the same developer. While these vulnerabilities are of the type that are likely to be exploited (you can now know how likely vulnerabilities are to be exploited with our service), after we contacted the developer, they took two weeks to fix one and the other three have yet to be fixed two months later. That shows a couple of the problems with being able to protect against plugin vulnerabilities at this time, one being that vulnerabilities are not fixed in a timely manner and the other being that simply keeping you plugins up to date will not protect you. [Read more]

12 Sep 2016

WordPress Security Plugins Provide Little to No Protection Against Recently Discovered Persistent XSS Vulnerability

In the past few months we have done several one off tests of WordPress security plugins to see if they could prevent exploitation of a vulnerability in a plugin. We tested an extraordinary claim by Wordfence that their plugin could prevent persistent cross-site scripting (XSS) and found that it failed both with a vulnerability that required authentication and one that didn’t. We also tested the iThemes Security security plugin against an arbitrary file upload vulnerability that we have found was being exploited in another plugin by one that plugin’s developers and it also failed to prevent exploitation.

That these plugins failed to prevent these vulnerabilities from being exploited wasn’t all that surprising considering the poor state of the security community overall and in particular the one surrounding WordPress. Whether it is security companies making up threats, not understanding the difference between vulnerabilities, or spreading false information about WordPress installations being vulnerable due to not understanding how WordPress handles security updates, it is clear that there isn’t a good understanding of security by the people and companies in the security community. [Read more]