In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.
The WordPress plugin Ultimate Member was the cause of too many websites being hacked back in August, we say too many because the developer didn’t promptly fix a vulnerability that was being exploited for some inexplicable reason. It probably then isn’t surprising that as we improve our Plugin Security Checker, an automated tool that you can use to check if plugins you use have possible security issues that should be further looked into, that Ultimate Member keeps getting flagged for additional possible security issues.
Last Friday after we discovered a remote code execution (RCE) vulnerability in a WordPress plugin through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we noted that we had updated our Plugin Security Checker to have the same check:
About a month ago we mentioned that moderators of the WordPress Support Forum’s deletion of discussions of security issues can be unhelpful, in the context of us seeing mention of a vulnerability in a thread that was quickly deleted, realizing there was another related vulnerability, and then adding a check for that other vulnerability to our Plugin Security Checker, which provides a limited but expanding capability to check for possible security issues in plugins. Just days later that new check flagged a possible issue in a plugin with 100,000+ active installs that was being run through it and a quick check confirmed that it was an exploitable vulnerability (though far from a serious issue for the average website). That the vulnerability was found in, Ultimate Member, wasn’t all that surprising considering that Plugin Security Checker had previously identified another vulnerability of the same type in the plugin a couple of months ago.
It has taken us a long time to fully grasp the level of dishonesty in the security industry, since it is so rampant that is hard to believe how bad things truly are, even seeing examples every day. That there is almost any dishonesty should be surprising since trust is so important when it comes to security, especially when you consider the almost total lack of evidence that security companies put forward to back incredible claims they make about their products and services. As an example of how bad things are take the company Sucuri, which claims that trust is one of four of their claimed values:
In a reminder of the rather poor state of security of WordPress plugins and how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you to get a better idea if they are in need of additional security scrutiny recently the plugin Ultimate Member, which has 100,000+ active installs according to wordpress.org, was run through the tool and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin.
The WordPress plugin Ultimate Member was recently brought on to our radar after it had been run through our Plugin Security Checker and that tool had identified a possible vulnerability in it. We happened to take a look into that as part of continued effort to improve the results coming from that tool. We confirmed that there was a vulnerability and notified the developer. The developer responded that they would fix that as soon as possible, but it has been nearly month and that hasn’t happened. In line with our disclosure policy we are scheduled to be disclosing that vulnerability on Friday. Thankfully that vulnerability isn’t something that is likely to be exploited in an untargeted hack, but there is another vulnerability that is presently being exploited in the current version, 2.0.21, of the plugin.
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
This Vulnerability Details post about a vulnerability in the plugin Ultimate Member provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.