11 Sep 2024

WordPress Continues to Fail to Properly Address Malicious Code Loaded on Thousands of Websites

In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a third-party website to be loaded onto the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]

3 Sep 2024

600,000+ Install WordPress Plugin MetaSlider Still Using Vulnerable Version of Library 17 Months Later

One of the expanding capabilities of our new Plugin Security Scorecard is the ability to identify software libraries included in WordPress plugins. From there, if there are known vulnerabilities in the versions of those libraries included in the plugins, that can be warned about when plugins are graded. We can also go back and check whether previous checks identified plugins containing a vulnerable version of those libraries. As we found when adding a library to that checking last week, there is a need to better monitor this situation. That is because we found that a plugin with 600,000+ installs, MetaSlider, is still using a vulnerable version of the AppSero Client library. The vulnerability was fixed 17 months ago. We reached out to the developer of that plugin last week as well. They said a fix will be included in the next release of the plugin, which they said might come out this week. (It hasn’t as of us publishing this post.)

The situation highlights other areas where security could be improved. [Read more]

27 Aug 2024

Wordfence Caused 18 Day Delay in Developer Being Notified of WordPress Plugin Vulnerability

One of the more troubling things going on with our competitors in providing information about vulnerabilities in WordPress plugins is how those security providers are trying to direct vulnerability reports about plugins away from developers and to themselves. Among the problems with that is that it can lead to significant delays in developers being informed of the vulnerabilities. Here, for example, is the timeline that Wordfence disclosed for one recent instance of such redirection:

May 26, 2024 – We received the submission for the PHP Object Injection to Remote Code Execution vulnerability in GiveWP via the Wordfence Bug Bounty Program.
June 10, 2024 – We validated the report and confirmed the proof-of-concept exploit.
June 13, 2024 – We sent the full disclosure details to the vendor’s known email address. [Read more]

27 Aug 2024

Wordfence Security and Solid Security Developers Not Supporting Standard to Avoid Security Problem They Confronted

In a recent post on the WordPress security provider Wordfence’s blog, they claimed their “mission is to Secure the Web.” If you understand their business model, this rings hollow, as what they offer is built around trying to address the aftereffects of not securing the web. That very blog post also undercuts the claim, as they confronted a well-known problem with better securing plugins and simply ignored it. They are not alone, as the situation detailed in the blog post also directly involves another security provider, StellarWP. StellarWP is the developer of Solid Security.

The blog post discusses a situation where Wordfence bought a vulnerability in GiveWP, another plugin from StellarWP. Twice in the post, they note that they failed to successfully communicate with StellarWP about that. First, they wrote this: [Read more]

23 Aug 2024

Unaddressed WordPress Security Issue Behind Recent “Critical” Vulnerability in 100,000+ Install Plugin

Earlier this week, the WordPress security provider Wordfence released a post about a claimed “critical” vulnerability found in a WordPress plugin with 100,000+ installs. In that post they made this claim:

Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. [Read more]

7 Aug 2024

Hacker Tried to Exploit Our Website Based on Fake Vulnerability Claim From Patchstack

One differentiation between our WordPress firewall plugin and other firewall plugins is that we try to give users a good understanding of the risk posed by attacks, instead of scaring people unnecessarily. That lack of respect for users from other providers extends to other areas, particularly false claims that other WordPress plugins contain vulnerabilities. Those two issues came together recently, when we were checking on a hacker’s attempt to exploit a vulnerability on our own website.

In August of last year, Patchstack claimed that there had been a vulnerability in the WordPress plugin Stock Ticker. They claimed it was “moderately dangerous” and “expected to become exploited:” [Read more]

10 Jul 2024

WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Them

In May, we found that numerous security providers had failed to catch that a vulnerability in the 100,000+ install WordPress plugin Genesis Blocks hadn’t been fully fixed. It was a good reminder of the importance of relying on vulnerability data that is actually vetted, which isn’t true of most sources. At the time, we had tried to contact the developer to let them know about the failure to fully fix this, but they didn’t provide a contact method for doing that. We did find that the parent company of the developer, WP Engine, has a security page, but that doesn’t provide a contact method for non-customers. It directs customers to contact them through a general contact form. Both of those things are odd. It also mentioned a third-party vulnerability bug bounty program, which wouldn’t be relevant to the issue we were trying to reach them about (and wouldn’t get us in touch with them).

The vulnerability has remained in the plugin since then. The plugin had remained in the WordPress Plugin Directory despite the plugin being publicly known to be vulnerable. That is, until two days ago, when it was closed on there: [Read more]

11 Jun 2024

Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Express

Over the weekend, a hacker attempted to exploit a SQL injection vulnerability on our website that turned out to be one recently fixed in the 90,000+ install WordPress plugin Icegram Express. We don’t use the plugin, so the exploitation attempt appears to be part of an untargeted campaign to exploit this.

Upon reviewing the relevant code, we found that it still isn’t properly secured, and neither is other, similarly accessed, code. We have reached out to the developer about that. Based on the continued insecurity, we would recommend not using the plugin unless it has a more thorough security review and all the issues are addressed. [Read more]

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

When it comes to the very common occurrence of vulnerabilities in WordPress plugins not actually being fixed, many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though, one that keeps “your website vulnerabilities up to date” instead of fixing them: [Read more]

13 Feb 2024

Hacker Likely Targeting This Incompletely Fixed Authenticated Plugin Installation Vulnerability in WordPress Plugin NextMove Lite

Today we saw a hacker probing for usage of the WordPress plugin NextMove Lite on our websites with the following request:

/wp-content/plugins/woo-thank-you-page-nextmove-lite/assets/css/xlwcty-public-rest.css [Read more]