Login

Wordfence News

7 Apr 2025

Actual Accident Leads to Unfixed Vulnerability Hacker is Likely Trying to Exploit in WordPress Plugin

On Friday we looked at a vulnerability likely being exploited in a WordPress plugin, where there is a fix, but WordPress hasn’t made it available. Like that situation, we had what appears to be a hacker probing for usage of the plugin Front End Users over the weekend by requesting the readme.txt file for the plugin. Like that previous situation, the plugin is closed on the WordPress plugin directory:

[Read more]

4 Apr 2025

Hacker Probing for WordPress Plugin That Wordfence Exposed Critical Vulnerability in Without Making Sure Fix Is Available

Yesterday, we had what would appear to be a hacker probing for usage of the WordPress plugin Checkout Mestres WP on our website by requesting the readme.txt file for it like this:

/wp-content/plugins/checkout-mestres-wp/readme.txt [Read more]

14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on our websites. The probing was done by requesting a file from the plugin if the plugin had existed on our website, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don’t use that plugin on that website or any of them. So what might explain a hacker’s interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that sounds like it could explain a hacker’s interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. [Read more]

31 Jan 2025

WordPress (and Open Source In General) Have a Big Problem With a Lack of Vulnerability Transparency

Looking back at some things while preparing a post about a WordPress security provider misleading people about the European Union’s Cyber Resilience Act, we ran across a letter that was put out by WordPress and several other open source CMS. In that they made this claim about fixing potential vulnerabilities in open source code:

Tens of thousands of developers are empowered to identify and fix potential vulnerabilities, because all FOSS code is made publicly available — unlike proprietary software code that is kept secret. [Read more]

16 Dec 2024

Wordfence and WPScan Falsely Claim Closed WordPress Plugin Contains Serious Vulnerability

We are currently looking in to yet another problem with handling of security by Awesome Motive and the Security Reviewer from the WordPress Plugin Review Team. In doing that, we ran across another example of the incredible sloppy work done by prominent providers of data on vulnerabilities in WordPress plugins.

In January, the WordPress plugin SimpleMap Store Locator was closed on the WordPress Plugin Directory for an unspecified “security issue.” [Read more]

9 Dec 2024

Wordfence and “News” Outlets Recommend Updating WordPress Plugin to Version Still Known to be Vulnerable

What we see over and over is that WordPress security providers and supposed journalists are focused on getting themselves attention while failing to provide useful information that would make WordPress websites more secure. A recent example involved (once again) Wordfence. As usual, they were using a vulnerability in a plugin to promote themselves:

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk. [Read more]

21 Nov 2024

WordPress All-In-One Security and 2FA Plugins Can Get Your Website Hacked

A major source of security vulnerabilities in WordPress websites is insecure WordPress plugins. In response to that, far too many WordPress security providers push installing more plugins instead of taking steps to actually fix the insecurity of plugins. You will often see them pushing all-in-one security plugins and plugins to add two-factor authentication (2FA) despite the lack of protection they often offer and the security issues they can introduce. A prime offender in doing that is Wordfence. In the face of that leading to a serious problem recently, they didn’t change course. Instead, they used it to market themselves. Before we get in to that, we will take a step back to our warnings last year about a popular security plugin.

Back in 2017, we did a security review of a plugin named Really Simple SSL and found no issues with what checking on at that time. Last year the plugin was radically changed to move away from a focus on providing really simple SSL, to being an all-in one security plugin. Alongside that, the developer showed a clear lack of concern for security. As we wrote about in July of last year, they were falsely claiming that plugins contained vulnerabilities because they were using a known unreliable source for vulnerability data. They didn’t address that by moving to a reliable source and in January we noted a much more concerning situation, where they were falsely claiming unfixed vulnerabilities had been fixed. [Read more]

13 Nov 2024

WP Engine Failed to Vet Security of Plugin Acquired This Year or Fix Vulnerability in It Once It Was Reported to Them

When it comes to whether Matt Mullenweg or WP Engine are the bad guys in the recent, the reality is that they both have played a decidedly harmful role in the security of WordPress plugins. Sometimes that comes from them working together. Last year, we noted that WP Engine was falsely claiming that a popular WordPress plugin contained a security vulnerabilities. That was caused by them using a known unreliable source of vulnerabilities, WPScan. Incredibly, WP Engine’s VP of security admitted earlier in the year they haven’t done due diligence with WPScan’s data:

We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else. [Read more]

12 Nov 2024

A WordPress Plugin Vulnerability Might Have a Fix Even if Security Providers Say That One Doesn’t Exist

Last week, we had someone contact us about addressing an unfixed vulnerability in a WordPress plugin. In taking a quick look at that, we found the vulnerability had been fixed over three years ago. So why was this person asking about that now? Well, it turned out in part, that the security provider Patchstack, as is often the case, didn’t vet the information they simply copied from another provider.

Based on the name they used for the vulnerability, we could determine that Patchstack is the original source for this person’s information. Whether they got it directly from Patchstack or from someone in turn using their data, we don’t know. If you look at Patchstack’s listing for the relevant vulnerability, they don’t provide even basic information about the vulnerability. But they did say that it hadn’t been fixed and was in version 4.7 of the plugin. [Read more]

18 Oct 2024

WordPress Plugin Vulnerability Data Providers Are Failing to Warn About Unfixed Vulnerability In WordPress’ Latest Canonical Plugin WPGraphQL

On Wednesday of last week, we posted that WordPress’ latest canonical plugin WPGraphQL contained a vulnerability because the developer had failed to update a third-party library included in the plugin in 18 months. We contacted the developer to alert them of that earlier the same day. We have yet to hear back from them and the plugin, as well as two other plugins from the same developer with the same issue, has yet to have a new version released to fix the vulnerability. We asked WordPress if they were going to take over the plugin like they did Advance Custom Fields to address that. We haven’t received any response.

Our customers have been warned about that vulnerability, but those relying on other providers for WordPress plugin vulnerability data are still in the dark. Those getting data from provider other than us are almost always ultimately getting it from one of three providers. One is owned by Automattic, which is the new employer of the developer of WPGraphQL. That provider, WPScan, isn’t warning about this: [Read more]