We often incorrectly get referred to as security researchers, something we have never claimed to be. Considering the quality of a lot of security research there might be good reason to avoid that title. One such example we just ran across also provides yet another example of the bad security journalism going on with WordPress plugin vulnerabilities. We thought we would write a quick post about it since we took a few minutes to look into the claims and what we found seems worth noting.
Last week, through our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, we found a vulnerability that would be likely to be exploited in the plugin Social Warfare, which has 70,000+ active installations according to wordpress.org. Due to the continued unwillingness of Matt Mullenweg or anyone on the WordPress team to rein in the inappropriate behavior of the moderators of the WordPress Support Forum, the vulnerability got fully disclosed and a lot of websites got hacked when they didn’t need to. The plugin was removed from the Plugin Directory after our disclosure and subsequently restored with the vulnerability removed, but the insecure code that surrounded it remained unchanged. That seems like something the team running the Plugin Directory should have caught, since our post went through what the insecure code was, but they don’t seem to have a great grasp of security, which the inappropriate behavior of the moderators of the Support Forum helps to hide.
This week the WordPress plugins Easy WP SMTP and Social Warfare had vulnerabilities widely exploited, which have now been fixed. In both cases the vulnerabilities were not due to obscure issues that no one had ever heard of before, but to the failure to do security basics. In the case of both plugins, even after having vulnerabilities exploited, the developers still haven’t fully fixed up the security of the code related to the vulnerabilities (and the WordPress team has allowed them to remain in the Plugin Directory despite that).
While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.
On Monday we noted that the WordPress team had missed that the plugin Easy WP SMTP still contained vulnerabilities due to code related to the code that has been widely exploited this week. We tried to notify the developer of the plugin of that through a message on the WordPress Support Forum, but the moderators blocked that, so the WordPress team has been aware that they missed those vulnerabilities for four days and yet they haven’t done anything about that. Using the moderation of the Support Forum to hide that there are problems with WordPress’ handling of security instead of working to resolve them is exactly the kind of thing that led us back in September to start fully disclosing vulnerabilities until the moderation of the forum is cleaned up.
With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities we review a lot of code that ends up not being vulnerable, so even if the flagged code looks rather concerning it doesn’t raise a lot of concern for us at first, even if, like the code flagged in the plugin Social Warfare, which we will get to in a moment, it indicates there might be a very serious vulnerability. When we checked over the rest of the code related to the flagged code in that plugin we found that the plugin allows anyone to change the plugin’s settings, and that could be used to cause persistent cross-site scripting (XSS), which is just the sort of vulnerability hackers have shown a lot of interest in recently. The plugin has 70,000+ active installations according to wordpress.org, which makes it all the more likely that it would be exploited.
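The "security basics" that the settings-change-to-persistent-XSS pattern above comes down to are a capability check, a nonce check, input sanitization and output escaping. The following is an added illustration of that pattern in a hypothetical plugin; it is not code from Social Warfare or any other plugin named here, and the option and function names (`example_plugin_*`) are assumptions made for the example.

```php
<?php
// Hypothetical WordPress plugin settings handler (added illustration, not a real plugin's
// code). All example_plugin_* names are assumptions for this example.

// INSECURE PATTERN: admin_init also fires for unauthenticated requests to
// admin-ajax.php, so this handler lets any visitor overwrite the option, and the
// unsanitized value is later echoed unescaped, which is a persistent XSS sink.
function example_plugin_save_settings_insecure() {
    if ( isset( $_POST['example_plugin_heading'] ) ) {
        update_option( 'example_plugin_heading', $_POST['example_plugin_heading'] );
    }
}
// add_action( 'admin_init', 'example_plugin_save_settings_insecure' );

// HARDENED PATTERN: capability check, nonce verification, input sanitization.
function example_plugin_save_settings() {
    if ( ! isset( $_POST['example_plugin_heading'] ) ) {
        return;
    }
    // Only users permitted to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Reject requests lacking a valid nonce for this action (CSRF protection).
    check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' );
    // Sanitize before storing; wp_unslash() undoes WordPress's added slashes.
    $heading = sanitize_text_field( wp_unslash( $_POST['example_plugin_heading'] ) );
    update_option( 'example_plugin_heading', $heading );
}
add_action( 'admin_init', 'example_plugin_save_settings' );

// Output side: escape at the point of output regardless of what was stored.
function example_plugin_render_heading() {
    echo '<h2>' . esc_html( get_option( 'example_plugin_heading', '' ) ) . '</h2>';
}

// The settings form emits the nonce field the handler above verifies.
function example_plugin_settings_form() {
    $current = get_option( 'example_plugin_heading', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' );
    echo '<input type="text" name="example_plugin_heading" value="' . esc_attr( $current ) . '">';
    submit_button();
    echo '</form>';
}
```

When reviewing a plugin after a fix like the ones described above, it is worth checking that every path which writes the same option carries all four of these controls, not only the one that was reported.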