16 Jan 2024

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is that they are not doing the work people clearly believe they are doing. That includes not checking whether vulnerabilities have actually been fixed, or whether they even existed, before widely making claims about supposed vulnerabilities. We will get into more detail about that in a few moments, but first we will take a look at a couple of other recent examples, which show that this wasn’t a one-off fluke.

We should note at the outset that the CEO of Wordfence, Mark Maunder, recently claimed their “data is impeccable” when we brought up the well-known problems with it. [Read more]

5 Jan 2024

Hackers Relying on WordPress Security Providers’ Information to Target Vulnerabilities in WordPress Plugins

Today, a hacker tried to exploit, on our website, a vulnerability that was recently fixed in the WordPress plugin WP Compress. In looking into that, we found another instance where it looks like hackers are relying on information coming from WordPress security providers to determine which vulnerabilities to target.

The logging for our own firewall plugin showed an attack blocked for this URL, /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php: [Read more]

3 Jan 2024

Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month

It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are also using the companion Wordfence Premium service, because new rules for the firewall are only provided to paying customers for the first 30 days after they are created, so free users won’t be protected against getting hacked. Like so much security advice, that claim isn’t backed by evidence. There turn out to be multiple serious problems with it.

One problem is that the plugin provides a fair amount of protection through what we refer to as general protection, which doesn’t require a rule written for a specific vulnerability. It doesn’t provide as much as the best WordPress firewall plugins do, though. [Read more]

21 Dec 2023

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring which vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. Part of what that is showing is that hackers are trying to exploit falsely claimed vulnerabilities that are really old. One of those involved a plugin named YouSayToo auto-publishing plugin, which was closed on the WordPress Plugin Directory so long ago that the date it was closed isn’t even listed. The plugin was last updated 12 years ago. Here was the exploit attempt sent to a customer’s website:

/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=</script><script>alert(document.domain)</script> [Read more]

15 Dec 2023

Wordfence Calls CSRF Vulnerabilities “Low Risk” While Criticizing Competitor After Previously Calling Them “High Severity”

Recently, the CEO of the WordPress security provider Wordfence, Mark Maunder, was criticizing a competitor over a bug bounty program that caused cross-site request forgery (CSRF) vulnerabilities to be found, while he was promoting Wordfence’s own bug bounty program. He said that an “extremely high number of low risk and low quality vulnerabilities [are] being submitted to databases like Patchstack” and specifically cited CSRF vulnerabilities as an example of that: “vulnerabilities that involve a Cross-Site Request Forgery are an example of this.” As shouldn’t be surprising to others in the WordPress security space who have had the misfortune of running across this guy, he was criticizing someone else for something his own company has done.

It’s absolutely true that CSRF is a low-risk issue. CSRF involves causing someone else to take an action they are allowed to take, but didn’t intend to. For example, if there is a reset capability for a plugin’s settings that lacks CSRF protection, getting someone to click a link you generated while they are logged in to WordPress could cause the settings to be reset. While it is possible that this could be used in targeted attacks, we are not aware of anyone even claiming that it is being used on a wider scale. Considering how often there are false claims about types of attacks happening, that strongly suggests this issue isn’t something that is happening at any scale. [Read more]

12 Dec 2023

Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compares with a minimal memory increase from the two WordPress firewall plugins that provided more protection than it. Those two plugins also had a significantly smaller performance penalty than Wordfence Security. It obviously is a bad tradeoff to get less protection for more memory usage and a higher performance penalty.

In discussing that memory usage, we quoted a Wordfence employee who had claimed that they are “constantly working on making the plugin” “use less resources”. That certainly sounds impressive, but Wordfence has a long track record of impressive claims that turn out not to be true. It also doesn’t make sense. You can’t constantly do that. You should hit a point where you can’t do any more. The changelog for the plugin doesn’t have entries that suggest that is true either. [Read more]

7 Dec 2023

Digging In To The Authenticated Arbitrary File Upload Vulnerability in Elementor

Yesterday, an update was released for the 5+ million install WordPress plugin Elementor with a changelog suggesting a security issue was addressed: “Fix: Improved code security enforcement in File Upload mechanism.” While looking into this, we found that Elementor appears to have multiple issues. We found the plugin did have an arbitrary file upload vulnerability, which you could argue is or isn’t now fixed. Based on what we know now, we would say it is fixed, but there is still insecurity that remains, though there may be something we are missing. (Update 12/8: Elementor has released a second fix to address the remaining insecurity.) As we have been saying since April, we would recommend not using plugins from Elementor based on repeated incidents of poor security handling.

Other Providers’ Claims

It appears that, based on that changelog, the WordPress security provider Wordfence claimed there was a fixed or unfixed authenticated (Contributor+) arbitrary file upload to remote code execution via template import vulnerability in the plugin, which they described this way: [Read more]

6 Dec 2023

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations where, unsurprisingly, no helpful information was being provided. Things have been slightly better on the WordPress support forum for the plugin, but there was still alarmist information. One topic is titled, “Security breach and vulnerability in all versions.” Wordfence, in turn, is citing Patchstack when making this claim. The reality is that there isn’t a vulnerability, something the WordPress security team told the original source of the claim, but which Wordfence and Patchstack have ignored.

While Wordfence and Patchstack are both claiming that this is an issue with the Gutenberg plugin, that isn’t what the original source they are citing says. Their post is titled “CVE-2022-33994:- Stored XSS in WordPress” and they start it this way: [Read more]

6 Dec 2023

Wordfence’s “Highly Credentialed and Industry-Leading Vulnerability Researchers and Analysts” Don’t Understand Local File Inclusion

Last week we noted how the WordPress security provider Wordfence was criticizing another provider of WordPress plugin vulnerability data for doing something they also do. That situation involved them mislabeling a security issue as a vulnerability in the very popular Contact Form 7 plugin. But another piece of that situation contradicts yet another claim they make.

While marketing their data, they make this claim: [Read more]

5 Dec 2023

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by proactive monitoring we do to try to catch serious vulnerabilities as they are introduced into plugins. It wasn’t a new issue, though. It had been in the plugin’s code for 13 months.

Based on earlier testing, two WordPress security plugins could have protected against common exploitation of that type of vulnerability even before we had warned about it. Those were our own Plugin Vulnerabilities Firewall and NinjaFirewall. [Read more]