In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
This post provides the details of a vulnerability in the WordPress plugin WP Editor that was not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.
When it comes to open source software, one of the ideas is that by having the source code available the software is more secure, since you are not relying only on the developer of the software to have reviewed the code. So how does that match up with the security of WordPress plugins? A recent security situation we ran into with the plugin WP Editor seems to indicate that it isn’t working that way.
A couple of weeks ago we started seeing requests for a file from the plugin WP Editor and suspected that the requests were from someone looking for websites using the plugin, in order to exploit some vulnerability in the plugin. After seeing that, we started trying to figure out what the hacker was hoping to exploit, so that we could make sure it was in our data set.
The security vulnerabilities we previously disclosed in WP Editor have now been fixed in version 1.2.6; hopefully those, or something else fixed in that version, were what hackers are trying to exploit. While looking around for other security issues in the plugin, we found another vulnerability that had existed in 188.8.131.52 and all versions below, which was fixed in 1.2.6 as well.
As discussed in more detail in the post for the other vulnerability we found in the WP Editor plugin, we recently started seeing requests for a file in this plugin on one of our websites, and we believe that it was checking for use of the plugin before exploiting it. After seeing that, we started checking for vulnerabilities.
To stay on top of vulnerabilities in WordPress plugins for you, we monitor a number of different sources. One of them is hacking attempts on our websites, which mostly identifies fairly old vulnerabilities that we haven’t yet included in our data. In the case of one vulnerability from back in 2012, we discovered that the vulnerability had never been fixed and was still in the Plugin Directory. Yesterday that monitoring led us to seeing evidence that the WP Editor plugin is being exploited and to finding a couple of serious vulnerabilities that could be what they are exploiting.