9 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9

Our customers provide us with the ability to help make WordPress plugins more secure, mostly with plugins they use, but to a lesser extent other plugins as well. That work often goes unmentioned, so we are highlighting it to help people better understand what is going on and how signing up for our service can help to expand that work.

Vulnerability in WordPress Hosting Benchmark tool Partially Fixed

Last week, we reached out to the developer of the WordPress plugin WordPress Hosting Benchmark tool to let them know that an attempt to fix a vulnerability in their plugin had failed and that the vulnerability was more severe than they claimed. The misidentification of the issue looks to be caused in part by a competitor of ours, Patchstack, not properly reviewing a claim they received of a vulnerability in the plugin (which is a common occurrence). We looked into that because at least one of our customers was using the plugin.

5 Feb 2024

Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML

As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a vulnerability. That same day, Wordfence claimed that the version had fixed what they labeled as an “Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options” vulnerability and described this way:

The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

5 Feb 2024

WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability

It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, describing the claimed vulnerability:

An unknown person discovered and reported this Sensitive Data Exposure vulnerability in WordPress CloudFlare Plugin. This vulnerability has been fixed in version 4.12.3.

2 Feb 2024

Bug Introduced in WordPress 6.4.3 Highlights a Problem With Fixing Vulnerabilities That Are Not Really Vulnerabilities

The latest version of WordPress, 6.4.3, has created a lot of headaches for the WordPress community, as installing plugins by uploading zipped copies of plugins is not working for most plugins that have been compressed on Macs (and possibly for plugins zipped in some other situations). That is caused by fixing a vulnerability that was described in the release announcement as “a PHP File Upload bypass via Plugin Installer (requiring admin privileges).” That description isn’t clear, but it seems rather odd. WordPress’ plugin installer intentionally allows uploading PHP files. It couldn’t work otherwise, as a WordPress plugin needs at least one PHP file. So how is this a vulnerability? It really isn’t.

So WordPress developers were fixing a vulnerability that really wasn’t a vulnerability and creating new problems. That seems like a bad trade to make. That is a larger problem than just this issue with WordPress. This often also occurs with WordPress plugins these days, when competitors of ours falsely claim there are vulnerabilities similar to the issue here and create unneeded headaches for others.

30 Jan 2024

Hacker Targeting Incompletely Fixed Vulnerability in 100,000+ Install WordPress Plugin Cookie Information

Earlier today, we had an apparent hacker probing our website to see if we were using the WordPress plugin Cookie Information with this request:

/wp-content/plugins/wp-gdpr-compliance/Assets/js/front.min.js

29 Jan 2024

Wordfence Claims Unfixed WordPress Plugin Vulnerability Has Been Fixed in Version That Doesn’t Even Exist

Having accurate data on vulnerabilities in WordPress plugins is important. Lots of people trust one provider of WordPress plugin vulnerability data, Wordfence. It seems like their data should be trusted considering the CEO of Wordfence, Mark Maunder, has claimed their data is “impeccable”. Contrary to his claim, just very recently, we have run across them claiming that unfixed vulnerabilities have been fixed, claiming that a vulnerability that never existed was fixed in a certain version it definitely wasn’t, and claiming that a WordPress Administrator doing something that WordPress explicitly allows Administrators to do is a vulnerability. And we just ran across another strange false claim while trying to figure out an odd action by the team running the WordPress Plugin Directory.

Late last week, Wordfence claimed that a vulnerability in a plugin used on 80,000+ websites had been fixed:

26 Jan 2024

Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:”

This critical vulnerability has me worried. It keeps coming up in my Wordfence scans. I’m thinking about deactivating and deleting this plugin for now (at least until it’s patched).

22 Jan 2024

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on the belief that all previous versions of the plugin were vulnerable:

The issue impacts all versions of the plugin up to 2.8.7

19 Jan 2024

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus of the plugin. A WP Tavern story about that provided an explanation from the developer on why that should be in this plugin:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.

17 Jan 2024

Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in the last week with a false claim of a “critical” vulnerability in the current version of WooCommerce.

As we noted yesterday, Wordfence had claimed that there was a vulnerability in a version of WooCommerce, which they later admitted didn’t contain the vulnerability. This was caused in part by them not actually checking on a patch they claimed had been released in a certain version. There wasn’t a patch. Even after admitting that mistake, they still didn’t check to see if there really was a vulnerability. Instead, they, for some reason, thought that WooCommerce’s developer claiming that they had addressed the “potential for” a vulnerability meant there was a vulnerability. There wasn’t a vulnerability. Only the potential for one, as WooCommerce’s developer had clearly stated.