Login

Wordfence News

22 Aug 2016

Wordfence Doesn’t Bother to Look Into Basic Details of Vulnerable Plugins While Claiming to Protect Against Their Vulnerabilities

When it comes to improving the security of WordPress plugins we think that one of things that is needed is a better quality information on the issue. If decisions are being made based on low quality information, then the issues that need to be focused are unlikely to get the focus they need. One of the problems with getting such information that is that much of the information out there comes from security companies, who in many cases know little more than the public. The average person is unlikely to know that because it is easy to sound like you know what you are talking about, without actually having much of a clue what you are talking about.

One good example of this is the WordPress security company Wordfence, that, at best, is not very knowledgable of security. From falsely claiming that brute force attacks are happening against WordPress admin passwords (while promoting that they will protect agains these non-existent attacks), confusing advisories on vulnerabilities with evidence of exploits occurring, and what will be relevant with the rest of this post, claiming that vulnerabilities in plugins have been fixed without checking if that was actually the case. [Read more]

28 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Reflected Cross-Site Scripting (XSS) Vulnerability in Easy Forms for MailChimp

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

Wordfence didn’t provide any description of the vulnerability beyond that it was a reflected cross-site scripting (XSS) vulnerability in Easy Forms for MailChimp version 6.1.2, but it was easy to spot with just that information. [Read more]

18 Jul 2016

Wordfence’s Firewall Doesn’t Protect Against a Real World Unauthenticated Stored XSS Vulnerability

At the end of last month we wrote a post about our finding that despite Wordfence’s unqualified claim that their plugin’s firewall protects against stored XSS (or what we refer to as persistent cross-site scripting (XSS)) that it did not protect against a real world vulnerability. After we posted that we though that maybe the vulnerability we used for the test wasn’t totally fair, since it required the exploiter to be logged in (or authenticated) to WordPress. Wordfence doesn’t seem to think that matters much, seeing as how the have frequently left out the detail that a vulnerability is only exploitable when logged in when disclosing them. But seeing as it severely limits the amount of website that are impacted (since many don’t allow people that are not trusted to have account), we wanted to run another test on a vulnerability that didn’t have that limitation.

The same day we put up that post, we notified the developer the security plugin Total Security that we had found a persistent cross-site scripting (XSS) vulnerability in their plugin. In the case of this vulnerability you do not need to be logged in to exploit the vulnerability, the only limitation is that the 404 Log feature needs to be enabled. Due to another security vulnerability in that plugin, anyone can change the plugin’s settings, so they could enable that feature themselves and then exploit the other vulnerability. [Read more]

13 Jul 2016

Protecting You Against Wordfence’s Bad Practices: XSS Vulnerability in All in One SEO Pack

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

The latest in our ongoing series of putting out the details of details of vulnerabilities discovered by Wordfence is good example of why what Wordfence is doing is hurting the security of WordPress plugins. In this case they saw a report of  a persistent cross-site scripting (XSS) vulnerability in the plugin All in One SEO Pack and discovered a similar vulnerability, which is something that often happens we security researchers see reports of vulnerabilities in plugins. The difference is that with that report, like other reports by responsible parties, it included the details of the vulnerabilities, so it was easy for Wordfence to see what the issue was in that case. By Wordfence excluding those details it makes it harder to do the same with vulnerabilities that they have discovered, but through our work on this we have already found two additional security vulnerabilities in the Yoast SEO plugin and one in the WP Fastest Cache plugin. [Read more]

12 Jul 2016

Wordfence Spreading False Information on All in One SEO Pack Vulnerability

When it comes to improving WordPress security one of the things that we think is needed is better information, unfortunately we often see security companies being the ones pushing false information out there. We just ran across yet another example of this coming from the folks at Wordfence, which we though is important to point out, since they are trying to get people to share their “post with the larger WordPress community to create awareness of this security issue”, which we hope people don’t do since they are pushing out false information.

On Sunday a persistent cross-site scripting (XSS) vulnerability that existed in some versions of the All in One SEO Pack plugin was disclosed. The vulnerability was fixed in version 2.3.7, which was released on Friday. The same day we added it to our data set, so if you use our service and hadn’t already updated the plugin (you can use our Automatic Plugin Updates plugin to have plugin updates applied automatically), you would have been notified then. [Read more]

11 Jul 2016

Wordfence Is Either Providing Bad Information Or Taking Credit For Vulnerabilities Someone Else Discovered

From what we have seen recently, the Wordfence company has a habit of saying things that are not true, from claiming a WordPress plugin vulnerability had been fixed when it wasn’t, to claiming their Real-Time Threat Defense Feed has “unmatched access to information about how hackers compromise sites” while not detecting vulnerabilities being exploited in the current version of plugins that we easily detected, to claiming that their firewall provides blanket protection against persistent cross-site scripting (XSS) while not actually catching real world exploit attempts. With noticing all that in just the past few weeks the latest situation isn’t all that surprising, but is worth noting, since at best they are putting out bad information and at worst they are trying to credit for discovering vulnerabilities in a plugin that had already been fixed when they claimed to have contacted the developer about them.

On July 6 Wordfence posted about three vulnerabilities they had discovered in the WP Maintenance Mode. They claimed that version 2.0.7 “included fixes for 3 security vulnerabilities”, and the title of the post indicates that the vulnerabilities existed in “2.0.6 and older”. The post also states that they “notified the plugin author last week”, which would mean that they notified the developer on June 26 at the earliest. [Read more]

11 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Remote Code Execution (RCE) Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the remote code execution (RCE) vulnerability in WP Maintenance Mode version 2.0.6 as “allows unsanitized user input to be evaluated as PHP code. In WordPress Multisite, a site administrator could exploit this vulnerability to execute shell commands, access sensitive information, escalate privileges or cause denial of service”. [Read more]

11 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Missing Authorization Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the missing authorization vulnerability in WP Maintenance Mode version 2.0.6 as “This vulnerability allows an attacker with a subscriber level account to modify plugin settings.”. [Read more]

11 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Information Disclosure Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the information disclosure vulnerability in WP Maintenance Mode version 2.0.6 as “allows a remote attacker to download the list of subscribers from WP Maintenance Mode who have asked to be notified when a site returns to full functionality. To exploit this vulnerability, an attacker simply needs to have a registered account on the victim site with no special permissions.”. [Read more]

30 Jun 2016

Wordfence’s Firewall Doesn’t Protect Against a Real World Stored XSS Vulnerability

Last week we wrote a couple of posts about Wordfence, the second one was based on a claim we noticed while working on the first. That leads to this post, which is based on a claim we saw while working on the second post.

In a post about vulnerability in a plugin from earlier this month (in which the discoverer of the vulnerability conspicuously wasn’t mentioned) Wordfence said people using their product were already protected against that vulnerability “because Wordfence has built in protection against stored XSS attacks”. That unqualified claim that there product can protect against such a broad type of vulnerability doesn’t sound like something you would hear from a responsible security company and when it comes to this type of vulnerability, which we refer to as persistent cross-site scripting (XSS), it sounded unbelievable. [Read more]