20 Dec

You Are Not Going To get The Best Information on WordPress Plugin Vulnerabilities From Twitter

Last week we looked at an example of one of the problems with WordPress’ handling of security, that being websites using plugins that contain vulnerabilities in the latest version are left in the dark about the issue, even in the case of the vulnerability already being exploited, as was the case with this vulnerability in the plugin Delete All Comments (we also found that security plugins didn’t prevent it from being exploited). We were curious to see what others were saying about the issue, so we took a look on Twitter and results were a reminder that you are not going to get the best information there.

We found that a web host was telling people to update the plugin: [Read more]

12 Aug

You Are Not Always Going to Get The Best Information on WordPress Plugin Vulnerabilities From Twitter

We are always looking for ways to improve the vulnerability data on WordPress plugins we provide to our customers. One of the things we have been doing recently is reviewing some old third-party data on hacking attempts to help identify vulnerabilities that probably have been known and exploited by hackers for some time, but have continued to exists in the plugins because nobody on the good sign of things was looking for them (which is contrary to the marketing claims you might hear from a certain WordPress security company).

Through that we found an arbitrary file upload vulnerability in the Estatik plugin. Among common types of vulnerabilities, arbitrary file upload vulnerabilities are probably the most likely to be exploited, so having one exist in a plugin for more than a year after it looks like hacker had been targeting it, doesn’t point to the security of WordPress plugins being great at this time. [Read more]