9 Jun 2023

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin: what they termed an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent cross-site scripting (XSS) vulnerability. Such a vulnerability would allow an attacker who is not logged in to WordPress to cause JavaScript code they crafted to run for other visitors to the website. Depending on where that code would run, it could, among other things, be used to include malware on front end pages of the website, or to cause users logged in to WordPress as Administrators to take actions they didn’t intend. Both of those are things that hackers have been known to attempt on a wide scale.

Here is their description of the issue: [Read more]

15 May 2023

Wordfence Intelligence Vulnerability Database is Still Falsely Claiming Vulnerabilities Have Been Fixed

In reviewing changes being made to WordPress plugins used by our customers that are supposed to fix vulnerabilities, we often find that the vulnerabilities haven’t actually been fixed. Telling our customers that vulnerabilities have been fixed when we don’t actually know whether they have been would be unethical, but that is what we keep finding another provider, Wordfence, doing with their Wordfence Intelligence Vulnerability Database. On their homepage, Wordfence calls itself the “Global Leaders in WordPress Security” and says you should trust them because of that. It’s unclear what would make someone the global leaders in WordPress security, but we can say they can’t be trusted whether they are the global leaders or not, as what we found below shows.

The changelog for the latest version of the WordPress plugin Simple Calendar claimed that a vulnerability was fixed in the plugin: [Read more]

1 May 2023

Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated it, we didn’t break existing protection, which is something at least one other developer hasn’t done. Once we started developing it, we realized we could also use it for automated testing to get a sense of how much protection other WordPress security plugins provide against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May of last year, we started doing a monthly run of that against a wide range of plugins to track how their protection changes over time. So far there have been few changes in the results or in the ranking of how much protection the plugins provide. This month we did see a change in the rankings involving the most popular plugin tested.

Up through November, the most popular security-only WordPress plugin, Wordfence Security, had been coming in third in terms of how much protection it offered in the tests. The next month it slipped to fourth and remained there, except in February, when it dropped to fifth. This month it returned to third place. It still lags far behind our plugin and NinjaFirewall, which provided protection against 37.28% of the tests versus Wordfence Security’s 21.89%. That is a stark difference, especially when you consider that NinjaFirewall only has 90,000+ installs according to WordPress stats versus Wordfence Security’s 4+ million. [Read more]

28 Apr 2023

Not Really a WordPress Plugin Vulnerability, Week of April 28

In reviewing reports of vulnerabilities in WordPress plugins, to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. Those that don’t rise to the level of getting their own post we now place in a weekly post when we come across them.

Authenticated (Administrator+) SQL Injection via ‘replace_urls’ in Elementor

Yesterday, we issued an advisory warning about using plugins developed by Elementor, in part based on a security issue we found still exists in the plugin. We found that while reviewing a security change being made in the latest version of the plugin. Wordfence claimed that the change fixed a vulnerability: [Read more]

25 Apr 2023

Wordfence Security Improperly Blocks WordPress Users From Uploading Files

When considering WordPress firewall plugins, it is important to consider not only the protection they can provide, but also whether they cause unnecessary problems. On both counts, the most popular security-only WordPress plugin, Wordfence Security, does worse than other options. As an example of the latter, someone recently reported that functionality on their website didn’t work with Wordfence Security enabled:

We upload our newsletter HTML to the media library for distribution. [Read more]

20 Apr 2023

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known vulnerability and that the plugin had remained in the WordPress Plugin Directory despite that. That isn’t a one-off issue. Today we saw the same hacker probing for usage of the ReviewX plugin, which is still in the plugin directory. That isn’t a surprise, as the plugin has recently had an authenticated SQL injection vulnerability disclosed. More problematically, as we warned about two weeks ago, it was incorrectly claimed to have been fixed.

In our previous post, we noted that the incorrect claim that this had been fixed had been included in the CVE system, which is funded by the US government. CVE is treated as a reliable and notable source of information on vulnerabilities, for reasons we can’t understand. In reality, just about anyone is allowed to add data to the system and there isn’t a functioning process to make sure it is accurate. With this vulnerability, we reported that the information was incorrect to the company that put it into the CVE system, but it hasn’t been corrected. Here is the current state of the entry, still claiming that this affected versions before 1.6.4: [Read more]

10 Apr 2023

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence had known about the vulnerability, but hadn’t made sure the plugin was removed. While checking into a claimed vulnerability to add it to our data set, we found another instance of that, which is more troubling.

In February, a Wordfence employee named Chloe Chamberland wrote a strange post on Wordfence’s blog that claimed in the headline, “the WordPress ecosystem is becoming more secure with responsible disclosure becoming More Common”. It is strange because the body of the post never uses the phrase “responsible disclosure” or otherwise mentions the concept. Instead, the author seems to be trying to suggest that doing something other than responsible disclosure is responsible disclosure. Responsible disclosure involves notifying a developer of a vulnerability and giving them a chance to resolve it before notifying anyone else. The post is actually suggesting directing the reporting of vulnerabilities in WordPress plugins away from the developers and WordPress: [Read more]

3 Apr 2023

WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Many of those vulnerabilities have been SQL injection vulnerabilities. Over the weekend we saw them looking for usage of the WordPress plugin Gift Voucher. That isn’t surprising considering that there is an unfixed SQL injection vulnerability that was publicly disclosed by Tenable on March 22. What is surprising is that the plugin is still available in the WordPress Plugin Directory as of now:

[Read more]

16 Mar 2023

Our Firewall Plugin Caught That Jetpack’s “Internal Audit” of Slimstat Analytics Missed That Vulnerability Still Exists

Recently Automattic’s Jetpack claimed to have done an “internal audit” of the WordPress plugin Slimstat Analytics and to have found an authenticated SQL injection vulnerability that was subsequently fixed. We don’t know what an internal audit is supposed to be, but they failed to fully test or check over the vulnerable code, and the authenticated SQL injection vulnerability still exists (which isn’t that surprising, considering the discoverer is a former employee of Sucuri). They also missed another security issue in the relevant code, which helped lead to the vulnerability still existing. Interestingly, an in-development feature of our firewall plugin caught that the issue hadn’t been fully resolved.

Another Automattic unit, WPScan, also missed that this wasn’t fully resolved: [Read more]

15 Mar 2023

Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence

Providing accurate information on vulnerabilities in WordPress plugins can require a lot of work, but doing the work avoids causing false alarms for users of plugins and for their developers. Unfortunately, security companies can cut corners, claim to do things they don’t, and still get treated as if their information is reliable. Patchstack is a prime example of that: they run with wildly inaccurate information, as we will get to in a second with the latest example, yet get promoted in the WordPress space by the likes of the WP Tavern (which refused to run a reply refuting information in the linked post).

One of the things we do to keep track of vulnerabilities in WordPress plugins for our customers is monitoring for relevant topics on the WordPress Support Forum. That sometimes leads to us finding that hackers are exploiting an unfixed vulnerability, and it often leads to us seeing how much inaccurate information is being spread by other providers. [Read more]