3 Dec 2021

Not Really a WordPress Plugin Vulnerability, Week of December 3

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated Stored XSS in Asgaros Forum

This week Wordfence claimed there had been an authenticated stored XSS vulnerability in Asgaros Forum and it was fixed. They described it this way: [Read more]

22 Oct 2021

Wordfence Falsely Claimed Their Wordfence Premium Service Provided Rule to Protect Against Vulnerability

Two days ago, the WordPress security company Wordfence put out a blog post about a PHP object injection vulnerability they had found in the plugin Sassy Social Share. (We had detailed that vulnerability for our customers the same day it was fixed in September.) The post heavily markets their Wordfence Premium service, as in three separate instances they claim that they first provided a rule to protect against this vulnerability to customers of their paid Wordfence Premium service, which wasn’t available to those only using their plugin:

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021. [Read more]

3 Sep 2021

Wordfence and Saturday Drive Provide Hackers With Critical Info to Exploit Unfixed Vulnerability in Ninja Forms

When we discover vulnerabilities, we have always warned our customers only at the same time we were publicly disclosing them, since doing otherwise would allow hackers to have information that the public doesn’t. Other companies are okay with giving hackers a possible leg up and possibly profiting off them. One of those is the developer of the Wordfence Security plugin.

As a practical example of what that means, currently hackers can exploit an unfixed authenticated information disclosure vulnerability in the plugin Ninja Forms, which has 1+ million installs, because of Wordfence. Making things easier for hackers, the developer of Ninja Forms, Saturday Drive, has disclosed even more information on the vulnerability in a form easily accessible by hackers but unlikely to be noticed by the public, yet has still not provided users of the plugin with a fix. [Read more]

27 Aug 2021

Wordfence’s Explanation for Misusing the Term Brute Force Attack is Something

While working on another blog post explaining how Wordfence inflates the number of “attacks” that their plugin blocks, we ran across a rather stunning explanation as to why they are misleading people about the type of attacks occurring against WordPress admin passwords.

Attempts by attackers to log in to WordPress are not something that the administrator of the average WordPress website needs to worry about. All they need to do is use a strong and unique password and then they can move on to other things. That is bad for the security industry, as WordPress already provides a password strength meter. That might explain why they mislead people about what is happening, telling them that brute force attacks are happening and then recommending plugins and other solutions that would be needed if those were really occurring (so this isn’t a semantics issue). Not only does that waste time and create unnecessary fear, it has led to websites becoming vulnerable, as plugins to handle brute force attacks can and have introduced security vulnerabilities on websites. This is the security industry at its worst, but they are able to get away with it. [Read more]

16 Aug 2021

Why doesn’t WP Tavern want their readers to have accurate information on the state of WordPress security?

One of the biggest impediments to improving the security of WordPress is the sheer amount of misleading and outright false information that exists out there. Take the most popular security specific WordPress plugin, Wordfence Security, which, as we noted on Friday, is promoted by its developer and by others with the unqualified claim that it stops websites from being hacked. Not only could it not provide that level of protection, but testing confirms that it actually fails to provide the kind of protection it should be able to and that other security plugins do provide. If people knew the truth, they could be taking advantage of the additional security that other plugins provide. On the developer’s part, they clearly know what they are saying isn’t true, and that statement isn’t an aberration, as we have repeatedly seen them telling lies that involve overstated claims about the capabilities of their plugin and services.

You would reasonably expect that journalists covering security would be warning the public about a company like that, but what we have found instead is that those journalists often act more as a PR arm of security companies (often dishonest ones) than as journalists. In some cases that is a rather literal situation, as there are multiple security journalism outlets that are publicly acknowledged to be owned by security companies (and another that is no longer acknowledged to be owned by a security company). [Read more]

6 Aug 2021

Wordfence Keeps Using Misleading Severity Scores While Admitting That They Are Misleading

To help our customers better understand the risk posed by a vulnerability in a WordPress plugin, we provide a rating of how likely the vulnerability is to be exploited in our data set. As we noted again just yesterday, the alternative metric, severity scores, is not really a meaningful one when looking at vulnerabilities in WordPress plugins. That hasn’t stopped other security providers from promoting those, despite them being misleading. In most cases we can’t say for sure that they are aware of that misleading element and that they are contributing to the problematic use of them, but in the case of Wordfence we can say they know that, as here were their comments in a blog post last week in regard to the most popular severity scoring system, CVSS:

As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session. [Read more]

3 Aug 2021

Wordfence Advisory Fails to Warn That WordPress Plugin with 100,000+ Installs Is Currently Very Insecure

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of any unfixed vulnerabilities that hackers are likely targeting. On Sunday we had what looked to be a hacker probing for usage of the WordPress plugin WordPress Download Manager, which has 100,000+ active installations according to wordpress.org, on our website with this request:

/wp-content/plugins/download-manager/readme.txt [Read more]

29 Jun 2021

We Warned About “Easily Exploitable Critical Vulnerabilities” in ProfilePress Nearly a Month Before Other Security Providers

Yesterday Wordfence disclosed vulnerabilities that existed in the WordPress plugin ProfilePress (previously WP User Avatar) that they described as “critical and easily exploitable security issues” that:

made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication [Read more]

26 Aug 2019

Wordfence Keeps Hiding That Other Security Companies Are Actually Doing the Work to Keep Ahead of Hackers

On multiple occasions the team behind the Wordfence Security plugin has failed to credit us when discussing vulnerabilities we discovered. We are not alone in that, it turns out, and unfortunately journalists will cover them and not give any credit to other security companies that are actually doing the work to keep ahead of hackers (which is what Wordfence falsely markets their Wordfence Premium service as doing).

Here is part of an article from Threatpost (which is itself secretly owned by a security company) from Friday that showed up in a Google alert we have: [Read more]

22 Aug 2019

Those Relying on Wordfence Premium Are Not Getting the Protection They Are Paying For

Among the oddities of the security industry is that so often people seem to be skeptical of the wrong things: they are more likely to believe that security companies are lying about things where there isn’t a logical reason to do that, while being overly trusting of extraordinary claims made about security products and services, which often turn out to be false. Last week we touched on the kind of claim that should elicit suspicion, that being the unqualified claim that the Wordfence Security plugin “stops you from getting hacked”. As we found when dealing with a website hacked due to a widely exploited vulnerability, it didn’t protect the website (that is far from the first time we have seen it fail to stop a hack).

Making such a claim and not actually accomplishing that looks worse when you go to their homepage and see the first thing shown is an advertisement for them doing hack cleanups: [Read more]