4 Nov 2024

Automattic’s WPScan Is Violating the Rules of the CVE Program With Advanced Custom Fields “Vulnerability”

As if there were not enough issues with what Automattic has done related to WP Engine’s Advanced Custom Fields, they are also violating the rules of the CVE program. As CVE’s website puts it, “The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.” Through their WPScan subsidiary, Automattic is able to issue CVE IDs as a CVE Numbering Authority (CNA). That seems like a bad idea, based on their track record of inaccurate and false claims of vulnerabilities, but CVE has been very clear that they don’t care about the accuracy of their data. The rules of their program do require that issuers publish records within 72 hours once they have disclosed CVE IDs:

4.5.1.3 CNAs SHOULD publish a CVE Record to the CVE List within 24 hours of Publicly Disclosing a CVE ID assigned by the CNA. CNAs MAY publish or update CVE Records as part of the CNA’s processes to manage Vulnerability advisories or other public information that references the CVE ID. [Read more]

21 Oct 2024

Automattic Deleted Blog Post Praising WP Engine, Where WP Engine’s VP of Security Admitted to Not Doing Basic Due Diligence

One question that has come up a lot recently with the situation between Matt Mullenweg and WP Engine is who the bad guy is. Considering that Matt Mullenweg is engaged in a now very public extortion campaign against WP Engine, they are clearly a victim. But that doesn’t mean they are good guys. Sometimes they are the bad guys alongside Matt Mullenweg’s company Automattic.

In July of last year, we covered a situation where WP Engine was falsely claiming that a popular WordPress plugin contained a vulnerability. (Because everything is related, the developer of that plugin has become another victim of the current mess.) The cause of the false claim was that WP Engine didn’t actually vet vulnerability claims. Instead, they relied on a source well known to be unreliable, WPScan. WPScan is owned by Automattic. [Read more]

18 Oct 2024

WordPress Plugin Vulnerability Data Providers Are Failing to Warn About Unfixed Vulnerability In WordPress’ Latest Canonical Plugin WPGraphQL

On Wednesday of last week, we posted that WordPress’ latest canonical plugin WPGraphQL contained a vulnerability because the developer had failed to update a third-party library included in the plugin for 18 months. We contacted the developer to alert them of that earlier the same day. We have yet to hear back from them, and the plugin, as well as two other plugins from the same developer with the same issue, has yet to have a new version released to fix the vulnerability. We asked WordPress if they were going to take over the plugin, like they did with Advanced Custom Fields, to address that. We haven’t received any response.

Our customers have been warned about that vulnerability, but those relying on other providers for WordPress plugin vulnerability data are still in the dark. Those getting data from a provider other than us are almost always ultimately getting it from one of three providers. One is owned by Automattic, which is the new employer of the developer of WPGraphQL. That provider, WPScan, isn’t warning about this: [Read more]

11 Sep 2024

WordPress Continues to Fail to Properly Address Malicious Code Loaded on Thousands of Websites

In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a third-party website to be loaded onto the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]

7 Aug 2024

Hacker Tried to Exploit Our Website Based on Fake Vulnerability Claim From Patchstack

One difference between our WordPress firewall plugin and other firewall plugins is that we try to provide users with a good understanding of the risk posed by attacks, instead of scaring people unnecessarily. That lack of respect for users from other providers extends to other areas, particularly false claims that WordPress plugins contain vulnerabilities. Those two issues came together recently, when we were checking on a hacker’s attempt to exploit a vulnerability on our own website.

In August of last year, Patchstack claimed that there had been a vulnerability in the WordPress plugin Stock Ticker. They claimed it was “moderately dangerous” and “expected to become exploited:” [Read more]

24 May 2024

CleanTalk Makes Up “Critical” Vulnerability in 100,000+ Install WordPress Plugin

WordPress security providers frequently falsely claim that popular WordPress plugins contain serious vulnerabilities that don’t really exist. One repeat source of those claims is CleanTalk. They recently claimed that the plugin Social Icons Widget & Block by WPZOOM, which has 100,000+ installs, contained “[a] critical security vulnerability” and the “vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity”. They also claimed that “if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back.” In reality, the “attacker” would already have to have complete control of the website and would already be allowed by WordPress to do what is supposed to be the vulnerability.

One critical element in determining the severity of a vulnerability, or if there is even a vulnerability, is what level of access is needed to exploit it. For example, if you need an account on the website, that would usually stop an attacker from exploiting the vulnerability. What is supposed to be the proof of concept for this lacks clear information to determine what level of access is needed, as it states: [Read more]

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

When it comes to the very common occurrence of vulnerabilities in WordPress plugins failing to be properly fixed, many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though one that keeps “your website vulnerabilities up to date” instead of fixing them: [Read more]

2 May 2024

Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability

In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do the basic vetting they claim to do. Another provider, Patchstack, had similarly falsely claimed that WooCommerce contained that vulnerability. Belatedly, WPScan, which, like WooCommerce, is owned by Automattic, made the same claim. They provided a proof of concept that was supposed to show the exploitation:

[Read more]

29 Apr 2024

Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability

While reviewing a recent hacker attempt to try to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that a WordPress plugin contained a serious vulnerability.

Here is the log entry for the attempt that was stopped: [Read more]

13 Feb 2024

Hacker Likely Targeting This Incompletely Fixed Authenticated Plugin Installation Vulnerability in WordPress Plugin NextMove Lite

Today we saw a hacker probing for usage of the WordPress plugin NextMove Lite on our websites with the following request:

/wp-content/plugins/woo-thank-you-page-nextmove-lite/assets/css/xlwcty-public-rest.css [Read more]