On Sunday we had probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to vulnerable we didn’t further check in to what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.
Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did some checks over the 1,000 most popular WordPress plugins to get a better idea of usage of code of similar code there might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
When it comes to the poor state web security a big culprit is security companies, who don’t seem to either know or care that that much about security in many cases. So it isn’t wasn’t that surprising that we found a security company would have a WordPress plugin with a security vulnerability due to failure to take a basic security measure the other day, but the situation is a good reminder that services you get from security companies are not also honestly sold.