11 Oct 2022

Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community to the benefit of his business interests. One of those entities is the news outlet WP Tavern, which, when covering him, doesn’t disclose that it is owned by him and that its writers work for him. That lack of disclosure occurred again with a recent story about one of his employees causing WordPress to hide information useful to competing companies.

In the story, it also wasn’t disclosed that one of the quoted sources, Josepha Haden Chomphosy, is an employee of Matt Mullenweg’s company Automattic; instead she was incompletely described as “WordPress Executive Director”. She was quoted as saying that there should be a focus on a coopetition mindset in terms of data access: [Read more]

19 Sep 2022

Wordfence and Security Journalists Are Again Creating FUD About the Security of WordPress Websites

Last week numerous news outlets ran scary sounding stories about a claimed security issue in a WordPress plugin. Here are some of the headlines of stories that were included in Google News:

  • WordPress zero-day vulnerability compromised more than 280000 websites: Researchers
  • 280000 WordPress sites hacked by exploitation of CVE-2022-3180 – Web Hosting
  • Shocking Cyberattack by Hackers on 280000 WordPress Sites
  • Shocking cyberattack! 280000 WordPress sites attacked by hackers
  • Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
  • Zero-day in WPGateway WordPress plugin actively exploited in attacks
  • WordPress Plugin Vulnerability Abused in Zero-Day Exploit
  • WordPress zero-day vulnerability leads to 4.6 million attempted attacks on websites
  • WordPress plugin vulnerability leaves sites open to total takeover
  • Over 280000 WordPress sites may have been hijacked by zero-day hiding in popular plugin

The last one of those was from a TechRadar story written by Sead Fadilpašić. The sub-headline of the story was: [Read more]

17 Jun 2022

Clearing Up Some Claims Made About the Remote Code Execution (RCE) Vulnerability Fixed in Ninja Forms

Two days ago, WPScan described a vulnerability that had been fixed in the WordPress plugin Ninja Forms the day before in this way:

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such an issue since June 9th, 2022 [Read more]
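
What “does not validate merge tags” amounts to is worth seeing in code. The following is an added illustration written for this page, not Ninja Forms’ code: a merge tag such as `{Foo::bar}` that is resolved with `is_callable()` and `call_user_func()` lets the request pick the callee, so any public static method on any loaded class becomes reachable from an unauthenticated form submission. The `Cache::load` gadget, the tag names and the request fields are all made up for the example.

```php
<?php
// Added example, not Ninja Forms' code. Shows an unvalidated merge tag
// becoming an arbitrary-static-method-call primitive, and the allowlist
// that closes it. Class and tag names are hypothetical.

final class MergeTags
{
    public static function siteTitle(array $r): string { return 'Example Site'; }
    public static function userIp(array $r): string { return $r['ip'] ?? '0.0.0.0'; }
}

// Stand-in for a "gadget": a static method, unrelated to merge tags, that
// unserializes whatever it is given. On a real site a class with a harmful
// __wakeup() or __destruct() turns that into PHP Object Injection.
final class Cache
{
    public static function load(string $blob): string
    {
        $obj = unserialize($blob);   // hardening on this side: unserialize($blob, ['allowed_classes' => false])
        return is_object($obj) ? get_class($obj) : gettype($obj);
    }
}

// Vulnerable: the tag body comes from the request and is dispatched after
// only checking that it names something callable. "Cache::load" qualifies.
function render_merge_tags_vulnerable(string $template, array $request): string
{
    return preg_replace_callback('/\{([^{}]+)\}/', function (array $m) use ($request) {
        $callee = $m[1];                                   // attacker-controlled
        if (is_callable($callee)) {                        // existence check, not an authorisation check
            return (string) call_user_func($callee, $request['value'] ?? '');
        }
        return '';
    }, $template);
}

// Hardened: the tag is a key into a fixed map written by the plugin author.
// The request chooses among registered tags; it never names a callable.
const ALLOWED_MERGE_TAGS = [
    'site_title' => [MergeTags::class, 'siteTitle'],
    'user_ip'    => [MergeTags::class, 'userIp'],
];

function render_merge_tags_hardened(string $template, array $request): string
{
    return preg_replace_callback('/\{([^{}]+)\}/', function (array $m) use ($request) {
        $tag = $m[1];
        if (!array_key_exists($tag, ALLOWED_MERGE_TAGS)) {
            return '';                                     // unknown tag: drop it, dispatch nothing
        }
        $value = (string) call_user_func(ALLOWED_MERGE_TAGS[$tag], $request);
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); // encode for the HTML context it lands in
    }, $template);
}

// Demo on constructed request data.
$request = ['value' => 'O:8:"stdClass":0:{}', 'ip' => '203.0.113.5'];
echo render_merge_tags_vulnerable('{Cache::load}', $request), "\n";                      // the attacker chose the callee; unserialize() ran on their payload
echo render_merge_tags_hardened('{site_title} {user_ip} {Cache::load}', $request), "\n"; // known tags rendered, the unknown one dropped
```

Run with `php merge_tags.php`. The point of the hardened version is that the allowlist is the authorisation boundary: validating that a string is callable says nothing about whether the caller should be allowed to reach it.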

3 Jun 2022

WordPress Plugin Developer Security Advisory: Artbees

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across plugins. Many developers properly secure their plugins, and others get them properly secured once alerted that they haven’t. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that last group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers’ plugins. In addition to the posts on our website, we provide access to the information in several other forms: through the companion plugin for our service (even when not using the service), through a web browser extension, and through separate data accessible from our website. [Read more]

3 Jun 2022

Jupiter X Core Plugin Still Contains Vulnerability Allowing Reverting Website Database to Previously Backed Up Version

As detailed in a security advisory we have released for the developer of the plugin Jupiter X Core, the developer recently left 90,000+ websites open to being hacked for two weeks after the WordPress security company Wordfence disclosed an easily exploited vulnerability in the plugin for which no fix was available (while claiming to have done responsible disclosure). Once the new version of the plugin that addressed that was released, we could check over the current state of the plugin. What we found was that Wordfence hadn’t warned people that the plugin still contains many vulnerabilities.

Wordfence explained how to exploit the vulnerability this way: [Read more]

18 May 2022

Hackers Probably Already Targeting Vulnerability Wordfence Disclosed Despite Fix Not Being Generally Available

Earlier today, Wordfence released an odd post on their blog. In the post they disclosed an incredibly easy to exploit vulnerability in a WordPress plugin named Jupiter X Core, which allows anyone logged in to WordPress to change their role to Administrator. They claim to have engaged in “responsible disclosure” with this. While they didn’t provide what they labeled as a proof of concept, the information they did provide is the equivalent of one. They are telling people to update to version 2.0.8 of the plugin:

If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher. [Read more]

20 Jan 2022

Wordfence Fails to Warn of Easy to Spot Vulnerabilities in WP HTML Mail

A couple of frequent issues we see with the WordPress security company Wordfence involve them belatedly telling people to update individual plugins instead of just telling people to keep plugins up to date at all times (which they admit would lessen the need for what they are selling) and failing to warn people that plugins still contain easy to spot vulnerabilities. Both of those are true with the plugin WP HTML Mail.

Yesterday, they told people to update the plugin because of a cross-site scripting (XSS) vulnerability that had already been fixed. But while reviewing that, we found the plugin still contains an easy to spot XSS vulnerability and the same code allows anyone logged in to WordPress to send unlimited emails to arbitrary email addresses from the website. [Read more]
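
The Jupiter X Core issue above (any logged-in user can make themselves an administrator) and the WP HTML Mail issue (any logged-in user can send arbitrary email, with an XSS in the same code) share a root cause: a handler that confuses being logged in with being allowed. The code below is an added illustration for this page, not either plugin’s code. It assumes WordPress is loaded; the `wp_ajax_*` action names and request parameters are made up.

```php
<?php
// Added example, not the Jupiter X Core or WP HTML Mail code. wp_ajax_{action}
// fires for every authenticated user, subscribers included, so a handler that
// checks nothing else is effectively open to all of them. Action and parameter
// names are hypothetical.

// Vulnerable: no nonce, no capability check, role taken straight from the request.
add_action('wp_ajax_example_set_role_vulnerable', function () {
    $user = wp_get_current_user();
    $user->set_role(sanitize_key($_POST['role'] ?? 'subscriber')); // "administrator" is accepted too
    wp_send_json_success();
});

// Vulnerable: the same gap around wp_mail(), plus the submitted subject
// echoed back unescaped into an HTML response (reflected XSS).
add_action('wp_ajax_example_send_mail_vulnerable', function () {
    $to      = sanitize_email(wp_unslash($_POST['to'] ?? ''));
    $subject = wp_unslash($_POST['subject'] ?? '');
    wp_mail($to, $subject, wp_unslash($_POST['body'] ?? ''));
    echo '<p>Sent: ' . $subject . '</p>';
    wp_die();
});

// Hardened: CSRF token, then authorisation, then validation, then the action.
add_action('wp_ajax_example_set_role', function () {
    check_ajax_referer('example_set_role');                   // dies on a missing or bad nonce
    if (!current_user_can('promote_users')) {                 // the core capability for changing roles
        wp_send_json_error('forbidden', 403);
    }
    $target = absint($_POST['user_id'] ?? 0);
    $role   = sanitize_key($_POST['role'] ?? '');
    // get_editable_roles() (loaded for admin-ajax requests) honours the
    // editable_roles filter, so a user cannot hand out roles above their own.
    if (!current_user_can('edit_user', $target) || !array_key_exists($role, get_editable_roles())) {
        wp_send_json_error('invalid request', 400);
    }
    (new WP_User($target))->set_role($role);
    wp_send_json_success();
});

add_action('wp_ajax_example_send_mail', function () {
    check_ajax_referer('example_send_mail');
    if (!current_user_can('manage_options')) {                // mail settings are an administrator feature
        wp_send_json_error('forbidden', 403);
    }
    $to = sanitize_email(wp_unslash($_POST['to'] ?? ''));
    if (!is_email($to)) {
        wp_send_json_error('invalid address', 400);
    }
    $subject = sanitize_text_field(wp_unslash($_POST['subject'] ?? ''));
    wp_mail($to, $subject, wp_kses_post(wp_unslash($_POST['body'] ?? '')));
    wp_send_json_success(['message' => 'Sent: ' . esc_html($subject)]);   // escaped for HTML output
});
```

When reviewing a plugin for this class of bug, the check is mechanical: for every `wp_ajax_*`, `admin_post_*` and REST route callback, find the `current_user_can()` call and the nonce check, and confirm the capability actually matches what the handler does. A handler that only verifies the nonce is still reachable by any logged-in user who can obtain one.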

9 Dec 2021

Wordfence’s Odd Takeaways From a Situation Involving a Very Insecure Plugin

Yesterday the WordPress focused security company Wordfence disclosed a fixed vulnerability in the WordPress plugin RegistrationMagic. The vulnerability sounds concerning:

This flaw made it possible for unauthenticated attackers to login as any user, including administrative users, on an affected site as long as a valid username or email address was known to the attacker and a login form created with the plugin existed on the site. [Read more]
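
The Wordfence description above is an authentication bypass rather than an authorization bug: the attacker never proves anything, they just name the account. The code below is an added illustration for this page of what that shape of flaw looks like in a plugin-provided login form, and of the fix; it is not RegistrationMagic’s code and does not claim to reproduce its specific mechanism. It assumes WordPress is loaded; the form field and nonce names are made up.

```php
<?php
// Added example, not RegistrationMagic's code. A login handler that identifies
// the account from the submitted username or email and then issues a session
// without ever verifying a credential, beside one that lets core authenticate.
// Field names ("example_login", "log", "pwd") are hypothetical.

// Vulnerable: knowing an administrator's username or email is enough.
add_action('init', function () {
    if (empty($_POST['example_login_vulnerable'])) {
        return;
    }
    $login = sanitize_text_field(wp_unslash($_POST['log'] ?? ''));
    $user  = is_email($login) ? get_user_by('email', $login) : get_user_by('login', $login);
    if ($user instanceof WP_User) {
        wp_set_auth_cookie($user->ID);       // session issued on a username alone
        wp_safe_redirect(home_url('/'));
        exit;
    }
});

// Hardened: hand the credentials to core. wp_signon() runs the full
// 'authenticate' filter chain (password check, lockout plugins, 2FA hooks)
// and only sets the cookie when that chain returns a WP_User.
add_action('init', function () {
    if (empty($_POST['example_login'])) {
        return;
    }
    check_admin_referer('example_login');   // nonce check; usable on the front end as well
    $user = wp_signon([
        'user_login'    => sanitize_user(wp_unslash($_POST['log'] ?? '')),
        'user_password' => $_POST['pwd'] ?? '',   // passwords are compared, not sanitized
        'remember'      => false,
    ], is_ssl());
    if (is_wp_error($user)) {
        wp_die(esc_html__('Login failed.', 'example'), '', ['response' => 401]);
    }
    wp_safe_redirect(home_url('/'));
    exit;
});
```

The review question for any custom login, social login or “passwordless” flow is the same: find every call to `wp_set_auth_cookie()` (or `wp_set_current_user()` followed by it) and trace back what was actually verified before it ran. If the only input on that path is an identifier the attacker can supply, the form is an account takeover.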