1 Dec 2023

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins:

“There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” he said. “Vulnerabilities that involve a Cross-Site Request Forgery are an example of this. The incentives we are seeing out there encourage researchers to generate a high volume of low risk vulnerabilities to get rewarded. These high numbers are then used to market security products.”

22 Aug 2023

Wordfence Intelligence (and Possibly WordPress) Mishandled Unfixed Vulnerabilities in WordPress Plugin

Earlier today, we warned our customers about unfixed vulnerabilities in a WordPress plugin named Posts Like Dislike. We ran across those vulnerabilities as at least one of our customers was using the plugin and the changelog for the latest version of the plugin stated that a security issue had been fixed. Following that, we checked to see if competing data providers had also spotted that. What we found was a mess involving at least Wordfence Intelligence and possibly WordPress as well.

The latest version of Posts Like Dislike added a nonce check, which prevents cross-site request forgery (CSRF), to the code for resetting the plugin’s settings. The WordPress documentation for nonces is clear that they are not to be used for access control:

14 Dec 2022

Wordfence Intelligence Community Edition Data Falsely Claims That Unfixed Plugin Vulnerability Was Fixed Twice

In what appears to be a significant setback for Wordfence, but promoted as “a gift to the community”, they announced they are now giving away data on vulnerabilities in WordPress plugins that they have been trying to sell access to since August as part of Wordfence Intelligence (which, as we previously discussed, wasn’t delivering on its promises). They are now branding this data as Wordfence Intelligence Community Edition.

Before the data was publicly available, we had been running across indications that it was of rather poor quality, including falsely claiming a plugin contained a “critical” vulnerability because they confused it with another plugin, claiming another plugin contained a “critical” vulnerability despite having no idea if that was true, and other apparent instances of false claims of vulnerabilities. Now that their data set is out in the open, we can get a better look at it, and the first things we went to check on showed that the quality is indeed rather poor. That makes providing it for free make more sense, but it joins a crowded field of at least partially free options with quality issues of their own.

28 Nov 2022

WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin

During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests were looking for the plugin’s readme.txt file:

/wp-content/plugins/contentstudio/readme.txt

26 Oct 2022

Wordfence Is Failing to Provide Information That Would Help Protect Their Customers Unless Web Hosts Pay Them as Well

Two days ago, we detailed multiple issues with a recently launched service from the WordPress security provider Wordfence, Wordfence Intelligence. There was something we ran across while researching that, which we felt was worth separating out for its own post because it seems so problematic. One promoted reason to sign up for that service is so that web hosts can get information on servers in their infrastructure that are launching attacks. Here is how Wordfence describes that:

Compromised Host Identification
Many cloud hosting providers and security operations teams do not have access to the operating system of servers they are responsible for securing. Wordfence defends over 4 million websites globally. We have excellent visibility on which servers are infected for a hosting provider, cloud provider, or geographic area, which helps indicate when these servers may be launching attacks against other web services. If you are a network defender responsible for securing a large network, we can help you identify which hosts on your network are compromised and need to be mitigated. Securing these infected hosts helps reduce attacks across the global Internet and helps keep the online community safer.

25 Oct 2022

Wordfence Intelligence Vulnerability Data Feed Keeps Looking Worse

Yesterday, we detailed significant discrepancies between the way the WordPress security provider Wordfence marketed their Wordfence Intelligence service and the actual results they are delivering with it. Much of that also affects those relying on their Wordfence Security plugin. One aspect that affects users of their plugin, as well as other plugin developers, is Wordfence’s information on vulnerabilities in WordPress plugins. As of yesterday, they marketed that part of Wordfence Intelligence this way:

Vulnerability Detection at Scale

24 Oct 2022

Wordfence Intelligence Doesn’t Deliver on Its Promises

In August, the WordPress security provider Wordfence announced a new service named Wordfence Intelligence with a lot of lofty claims about the service and what they were already providing. What was lacking was evidence that it delivers on the promises being made. That should be a big concern for any security service, considering the really poor results the security industry has been providing for the billions of dollars it is being paid, but Wordfence has a history of making easily checked false claims, so evidence is even more important. In some instances, their employees have admitted the claims are not true, while the company continues to make them. In looking over some of the underlying data connected with that service, we have found that what they are promising doesn’t come close to matching what they actually deliver.

Bad Plugin Vulnerability Data

You can get a good sense of the strong claims they make about what they are delivering with just a couple of sentences of the marketing of the service: