2 Oct 2023

Patchstack, Wordfence, and Developer Make Mess of Minor Vulnerability in 100,000+ Install WordPress Plugin

On Friday, the 100,000+ install WordPress plugin Optimize Database after Deleting Revisions was closed on the WordPress Plugin Directory without any explanation. The lack of explanation isn’t helpful for users of the plugin. A likely explanation for the closure is a mess related to a minor security vulnerability in the plugin. That vulnerability has been poorly handled by Patchstack, which started things, as well as by Wordfence and the developer of the plugin.

Users of the plugin have been left without clear information on what is going on with the vulnerability claim for months, which hopefully this can clear up. [Read more]

27 Sep 2023

Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ data. An explanation for that hacker targeting could be that WPScan was claiming that there is an unfixed SQL injection vulnerability in the plugin.

As of Saturday, the only information WPScan provided was this vague description of the issue: “The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users”. Without more information, it would be difficult for anyone else to confirm their claim. They also stated that a proof of concept for the vulnerability would “be displayed on September 26, 2023, to give users the time to update.” Considering they were also claiming that this wasn’t fixed, there wouldn’t be any update to apply. So something seems amiss there. [Read more]

18 Sep 2023

Hacker Likely Targeting Unfixed Vulnerability in WordPress Plugin Mislabeled as Much Less Serious Vulnerability by Patchstack and Wordfence

Over the weekend, we saw one of the usual hackers probing for usage of WordPress plugins, in this case probing for usage of a plugin named Export Import Menus. That plugin was closed on the WordPress Plugin Directory on September 12, with no explanation for the closure. Before it was closed, WordPress listed it as having 10,000+ active installs. Upon seeing that, what we needed to figure out was what a hacker might be interested in exploiting in it and whether that was an already known issue. These days, hackers often target vulnerabilities being disclosed by other plugin vulnerability data providers. There was a recently disclosed vulnerability in the plugin, but one that wouldn’t be of much interest to hackers. With further checking, we found the vulnerability is actually much more serious than was claimed by other providers and would likely be a target for hackers.

If the team running the WordPress Plugin Directory had known about the severity of the vulnerability, they could and should have pushed out a fix for the vulnerability before a hacker started targeting the plugin. They also could have forced out an update to address it. Fixing it enough to prevent exploitation would have been very easy. It only takes two lines, which we show below. With the inaccurate information provided by other providers, though, they wouldn’t have known that this was a serious issue. [Read more]

24 Aug 2023

Wordfence Claims to Own WordPress.org, Abusing DMCA Takedowns to Cover Up Coverage of Their Repeated Inaccuracies

Dealing with the security of WordPress plugins, we see a lot of the bad parts of the WordPress business space. Plugin developers making extraordinary claims about their handling of security while not even doing the basics isn’t uncommon. Much worse are security providers, who, for example, frequently lie about what their products and services actually deliver (sometimes while lying about what other providers are offering). One of those providers, Wordfence, has taken things to a new low. They have filed bad faith DMCA takedown requests with Google to get accurate, but critical, information about them removed from Google’s search results, which we know about because they came after us.

A DMCA takedown request is legitimately used to deal with copyright infringement. It also is frequently abused to try to silence criticism, as is the case here. [Read more]

22 Aug 2023

Wordfence Intelligence (and Possibly WordPress) Mishandled Unfixed Vulnerabilities in WordPress Plugin

Earlier today, we warned our customers about unfixed vulnerabilities in a WordPress plugin named Posts Like Dislike. We ran across those vulnerabilities as at least one of our customers was using the plugin and the changelog for the latest version of the plugin stated that a security issue had been fixed. Following that, we checked to see if competing data providers had also spotted that. What we found was a mess involving at least Wordfence Intelligence and possibly WordPress as well.

The latest version of Posts Like Dislike added a nonce check, which prevents cross-site request forgery (CSRF), to the code for resetting the plugin’s settings. The WordPress documentation for nonces is clear that a nonce is not to be used for access control: [Read more]
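To illustrate the distinction that excerpt turns on, here is an added example of the two patterns side by side. It is not code from the Posts Like Dislike plugin or from its developer; the function, action, option and nonce names are hypothetical. The first handler does what a nonce-only fix does: it stops CSRF, but any user who can obtain a valid nonce can still reset the settings. The second keeps the nonce and adds the capability check that actually restricts who may perform the action.

```php
<?php
// Added illustration of nonce-only versus nonce-plus-capability handling.
// Not code from the Posts Like Dislike plugin; all names below are hypothetical.

// Nonce-only handler. check_ajax_referer() verifies that the request carries a
// nonce tied to the 'pld_example_reset' action and the current user's session,
// which defeats CSRF. It does not check what the user is allowed to do, so any
// logged-in user who can get a nonce (for example from a page the plugin
// renders for all users) can reset the settings.
function pld_example_reset_settings_nonce_only() {
    check_ajax_referer( 'pld_example_reset', 'pld_example_nonce' );

    delete_option( 'pld_example_settings' );
    wp_send_json_success();
}

// Hardened handler. The nonce check stays for CSRF protection and a capability
// check is added; current_user_can() is the access control a nonce never gives.
// 'manage_options' is the capability Administrators normally hold for settings.
function pld_example_reset_settings_hardened() {
    check_ajax_referer( 'pld_example_reset', 'pld_example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'pld_example_settings' );
    wp_send_json_success();
}

// Registering only on wp_ajax_ (and not wp_ajax_nopriv_) limits the endpoint to
// logged-in users, but that is still not access control: a Subscriber is logged in.
add_action( 'wp_ajax_pld_example_reset_settings', 'pld_example_reset_settings_hardened' );

// The nonce the form or script would submit is generated for the same action name,
// and is only meaningful to the user it was generated for.
function pld_example_reset_nonce_field() {
    return wp_nonce_field( 'pld_example_reset', 'pld_example_nonce', true, false );
}
```

When reviewing a plugin’s “security fix” changelog entry, the question to ask is which of these two shapes the patched handler has: a nonce check without a `current_user_can()` (or equivalent) check addresses CSRF and nothing else.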

27 Jul 2023

Wordfence Has Also Been Falsely Claiming That WordPress Plugins Contain Vulnerabilities

Yesterday and today we have been documenting an absolute mess in the WordPress security space. The developer of the Freemius library, which is widely used in WordPress plugins, was warned by us in February of last year of a security issue (there were multiple issues, some of which they resolved at the time), which they didn’t fix at the time and instead lied about us. Recently, they finally addressed it (with another security provider taking credit for discovering the issue). That was bad, but where things got a lot worse is that various security providers and their clients have been falsely claiming that WordPress plugins were still vulnerable due to this. In some cases, the plugins had already updated Freemius weeks ago to fix this, and in others, the plugins didn’t even contain the library. So far, we have documented instances involving Patchstack, iThemes Security, WP Engine, WPScan, and Really Simple SSL. Considering their track record, it isn’t surprising that Wordfence was also a part of this.

Wordfence provides inaccurate plugin vulnerability data that is available to others and is also utilized by their very popular Wordfence Security Plugin. [Read more]

20 Jul 2023

Wordfence Falsely Claims It Has to Rely on Inaccurate Plugin Vulnerability Data from Patchstack

On an unfortunately too regular basis, we are finding that vulnerabilities that were supposed to have been fixed in plugins being used by our customers haven’t been fully fixed, and in some cases haven’t been fixed at all. That is the case with a vulnerability that was recently supposed to have been fixed in the 200,000+ install plugin Ultimate Member. In looking into that, we ran across several other problems involving competing data providers that are not being honest about their data and its sourcing.

In our recent monitoring of possible discussions about plugin vulnerabilities in the WordPress Support Forum, we have seen a Wordfence employee claiming that Wordfence doesn’t have control over their own plugin vulnerability data. Here was one instance of that: [Read more]

19 Jul 2023

Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them

Where WordPress firewall plugins are really useful is for providing protection before a vulnerability is known about, as at that point they can offer protection that other solutions can’t. That was on display with a recent widely exploited zero-day that web application firewalls (WAFs) didn’t protect against, but two firewall plugins did.

Notably, though, the most popular WordPress firewall plugin, Wordfence Security, didn’t provide protection in that situation. That is a recurring situation. That isn’t surprising considering that the business model associated with the plugin is based on selling firewall rules for vulnerabilities once they are already known about (and, more troublingly, selling hack cleanups despite claiming their firewall “stops you from getting hacked”). If they provided the type of protection the two best firewall plugins do, it would largely remove the need for those rules. Incredibly, they refer to their belated rule-based protection in their Wordfence Premium service as being “real-time” protection. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it, because there is no fix to update to. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

29 Jun 2023

Inaccurate Claims About Security Impact of Changing WordPress Database Prefix Highlighted With Exploited Zero Day

A basic rule of security is that if you know a lot, you don’t know much. Those knowledgeable about security try to be careful about what they say, as they realize they might not know everything. A lot of WordPress security providers don’t have much knowledge and therefore don’t understand how little they know, leading to unqualified and inaccurate security advice that gets repeated widely without much pushback.

One example of that is with claims that changing the WordPress database prefix has no impact on security. Here was how a new entrant in the WordPress security space, Snicco, put that, while criticizing other security providers: [Read more]