5 Jan 2023

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer.

Here was WPScan, the original source for the claim: [Read more]

4 Jan 2023

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that its moderators often get in the way and cause unnecessary problems (as well as other troubling behavior, including deleting unflattering information about a company they promote). At the same time, they don’t take action when there is something they could help with. That is the case involving the 8,000+ install WordPress plugin Bulk Delete Comments. Two weeks ago, a one-star review was left with a concerning claim:

This plugin might be hacked or it is shady one way or another because it has started to slow down wordpress when including an inclusion of javascript located at: alishahalom.com [Read more]

2 Jan 2023

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Privilege Escalation Vulnerability in Targeted Plugin

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

21 Dec 2022

Wordfence Intelligence Community Edition Data Continues to Be a Mess

If data providers for WordPress plugin vulnerability information want to keep up with vulnerabilities, one important place to monitor is the WordPress Support Forum. Today, doing that allowed us to warn our customers of a plugin with 8,000+ installs that contains malicious code in the current version of the plugin, which is still available in the directory. What that also shows is that other data providers are not providing accurate information to their customers, causing problems for them and plugin developers.

Recently we have noted many problems with the new Wordfence Intelligence Community Edition data on plugin vulnerabilities and we keep running into more examples. [Read more]

15 Dec 2022

WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape and that, at the same time, security companies are so obviously dishonest so often. That is something we frequently run across in the WordPress security space, involving even the big name players. A couple of instances of that just came up, involving vulnerability data providers presenting their data as if they had added information on vulnerabilities in a more timely manner than they really did.

WPScan

Automattic’s WPScan is claiming there is a known vulnerability in the latest version of WordPress, though this would probably be better classified as a security issue. WPScan’s data says that the issue was “publicly published” and “added” two days ago: [Read more]

15 Dec 2022

Wordfence Intelligence Community Edition Fails to Warn About Serious Vulnerability Because It Copies Inaccurate Data From WPScan

Yesterday, we highlighted some of the problems we found when looking at the data on plugin vulnerabilities coming from Wordfence’s new Wordfence Intelligence Community Edition. That is data they were previously trying to sell access to as part of something called Wordfence Intelligence and are now providing for free. We thought to check on another recent situation and found yet another serious problem, though not an altogether surprising one, considering the generally poor quality of data on WordPress plugin vulnerabilities.

On October 21, the developer of the plugin Image Hover Effects introduced a change to the plugin with the commit message “fixed Vulnerability issue”. As at least one of our customers used that plugin, we checked the change and found that the plugin contained a serious vulnerability related to it, which hadn’t been fixed. That vulnerability would allow anyone logged in to WordPress to cause malicious JavaScript code to run on the website. We warned our customers and contacted the developer of the plugin about that the next day. The developer responded at the end of the month, saying that they were working to address it, but it still hasn’t been addressed. [Read more]

14 Dec 2022

Wordfence Intelligence Community Edition Data Falsely Claims That Unfixed Plugin Vulnerability Was Fixed Twice

In what appears to be a significant setback for Wordfence, but promoted as “a gift to the community”, they announced they are now giving away data on vulnerabilities in WordPress plugins that they have been trying to sell access to since August, as part of Wordfence Intelligence (which, as we previously discussed, wasn’t delivering on its promises). They are now branding this data as Wordfence Intelligence Community Edition.

Before the data was publicly available, we had been running across indications that it was of rather poor quality, including falsely claiming a plugin contained a “critical” vulnerability because they confused it with another plugin, claiming another plugin contained a “critical” vulnerability despite having no idea if that was true, and other apparent instances of false claims of vulnerabilities. Now that their data set is out in the open, we can get a better look at it, and the first things we went to check on showed that the quality is indeed rather poor. That makes providing it for free make more sense, but it joins a crowded field of at least partially free options with quality issues of their own. [Read more]

8 Dec 2022

Even Wordfence Competitor Has Been Fooled by Untruthful Marketing of Wordfence Premium

We recently tried to add a WordPress firewall plugin named BitFire into our automated testing system for WordPress security plugins, but found that the plugin wasn’t working properly and then an update totally broke it. We also noticed that the plugin’s marketing contained rather inaccurate information, which is, unfortunately, not a unique situation for a WordPress security provider. But it turns out that some of the inaccurate information makes it sound like a competitor of theirs provides much better results than they actually do. Here is how they talked up the Wordfence Premium service from Wordfence while saying why you shouldn’t use it:

If you use WordFence, you should only use the paid version. WordFence has a team monitoring emerging WordPress vulnerabilities and writing custom rules to block specific exploits. They are very good at it and run a great blog on their work. Paying customers receive these virtual patches as soon as they are available. Free customers receive the patches 30 days later. If your website is vulnerable, it is almost guaranteed to be hacked before the patch is available to free customers. Don’t leave your site at risk. [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]

28 Nov 2022

WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin

During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests were looking for the plugin’s readme.txt file:

/wp-content/plugins/contentstudio/readme.txt [Read more]