9 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly with plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned. So we are highlighting it to help explain what is going on and how signing up for our service can help expand that work.

Vulnerability in WordPress Hosting Benchmark tool Partially Fixed

Last week, we reached out to the developer of the WordPress plugin WordPress Hosting Benchmark tool to let them know that an attempt to fix a vulnerability in their plugin had failed and that the vulnerability was more severe than they claimed. The misidentification of the issue looks to be caused in part by a competitor of ours, Patchstack, not properly reviewing a claim they received of a vulnerability in the plugin (which is a common occurrence). We looked into that because at least one of our customers was using the plugin. [Read more]

5 Feb 2024

Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML

As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a vulnerability. That same day, Wordfence claimed that the version had fixed what they labeled as an “Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options” vulnerability and described this way:

The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. [Read more]

25 Jan 2024

WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed

WordPress plugin developers are not always great about actually fixing vulnerabilities in their plugins. That problem is on display with the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce. As we warned our customers on January 11, the developer had attempted to fix a vulnerability in the latest version, but had failed to accomplish that. We had also notified the developer of that problem and they prepared a fix the next day. The fix has yet to be released, though.

That sort of problem makes having accurate data about vulnerabilities in WordPress plugins important. That often isn’t what you get from data providers. Take WPScan, which markets itself on its homepage as being “like having your own team of WordPress security experts.” On January 20, they told their customers about this vulnerability and said it was a high severity vulnerability. The big problem with their information is that they said it was fixed: [Read more]

22 Jan 2024

WordPress Plugin Developers Are Still Creating Vulnerabilities by Improperly Using the permission_callback for WordPress Rest API Endpoints

Back in November, the Automattic-owned WPScan claimed there had been a vulnerability in a plugin that extends the very popular ecommerce plugin WooCommerce, which is also owned by Automattic. WPScan only got around to releasing any information about the claimed vulnerability this month. When we went to check on that, we found that the relevant code is still vulnerable, though less vulnerable than it was before. If the developer of the plugin were properly implementing the built-in security when using WordPress’ REST API, they wouldn’t still have the vulnerability.

We are now four years in with the REST API being available in WordPress, but plugin developers are still not correctly implementing a basic security element it introduced. So it seems worth going through what is going wrong and how it can fairly easily be fixed. [Read more]
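The built-in security element referred to above is the permission_callback argument of register_rest_route(), which WordPress evaluates before the endpoint's callback runs. The following is an added example, not code from the plugin discussed in the post, that places a route registered with a permission_callback that lets anyone through next to one that performs the capability check the REST API expects. The route namespace, endpoint paths, option name and the manage_options capability are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a REST route whose
// permission_callback grants everyone access, beside one that performs
// the intended capability check. Assumes WordPress is loaded; the
// namespace, endpoint paths and option name are hypothetical.

add_action( 'rest_api_init', function () {

    // Weak: '__return_true' makes the endpoint reachable by unauthenticated
    // visitors, so the only access control is whatever the callback itself
    // happens to do (often nothing).
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // Corrected: WordPress calls permission_callback first and answers with
    // a rest_forbidden error (401 for logged-out, 403 for logged-in users)
    // when it returns false, so the callback never sees the request.
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        // Declaring args lets the REST API validate and sanitize input
        // before the callback runs as well.
        'args'                => array(
            'max_items' => array(
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Shared callback: with the weak registration above this runs for any
// visitor; with the corrected one only for administrators.
function example_plugin_save_settings( WP_REST_Request $request ) {
    $value = absint( $request->get_param( 'max_items' ) );
    update_option( 'example_plugin_max_items', $value );
    return rest_ensure_response( array( 'saved' => $value ) );
}
```

One caveat worth keeping in mind when reviewing such code: for cookie-authenticated requests the REST API only recognizes the logged-in user when a valid nonce is sent in the X-WP-Nonce header, so a current_user_can() check in permission_callback treats requests without it as coming from a logged-out visitor. That is the intended behaviour, and it is why a capability check belongs in permission_callback rather than in ad hoc code inside the callback.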

5 Jan 2024

Hackers Relying on WordPress Security Providers’ Information to Target Vulnerabilities in WordPress Plugins

Today, we had a hacker try to exploit a vulnerability recently fixed in the WordPress plugin WP Compress on our website. In looking into that, we found another instance where it looks like hackers are relying on information coming from WordPress security providers to determine what vulnerabilities to target.

In the logging for our own firewall plugin, it showed an attack blocked for this URL, /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php: [Read more]

21 Dec 2023

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. Part of what that is showing is that hackers are trying to exploit falsely claimed vulnerabilities that are really old. One of those involved a plugin named YouSayToo auto-publishing plugin, which was closed on the WordPress Plugin Directory so long ago that the date it was closed isn’t even listed. The plugin was last updated 12 years ago. Here was the exploit attempt sent to a customer’s website:

/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=</script><script>alert(document.domain)</script> [Read more]

5 Oct 2023

The WordPress Function sanitize_text_field() Isn’t Always Enough Security to Protect Against XSS

The Automattic-owned WPScan recently claimed a serious persistent cross-site scripting (XSS) vulnerability had been in a WordPress plugin and had been fixed. Their report lacked the kind of information that would be needed to easily recheck things. What was included didn’t seem promising. For example, they misspelled the word unauthenticated as “Unauthitncated”, which a spellchecker would have caught. Checking over things, we found the vulnerability did exist, but was incompletely fixed and is still exploitable. WPScan claims to have a “dedicated team of WordPress security experts”, so either there is widespread misunderstanding of a basic element of securing a WordPress plugin or they don’t really have that team. Assuming the former, let’s look at what they and the developer got wrong involving usage of the WordPress security function sanitize_text_field().
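As an added example, not code from the plugin in the post, the following shows why sanitizing input with sanitize_text_field() is not on its own enough to prevent stored XSS, and what escaping on output adds. sanitize_text_field() strips tags, line breaks and some invalid bytes, but it leaves quote characters alone, so a stored value that contains no tags can still break out of an HTML attribute when it is echoed without escaping. The option and field names are assumptions for illustration; WordPress is assumed to be loaded.

```php
<?php
// Added example (not the plugin's code): sanitize_text_field() on input
// versus esc_attr()/esc_html() on output. Assumes WordPress is loaded;
// the option and field names are hypothetical.

// Input handling: strips tags and some control bytes, but quotes survive.
function example_plugin_save_label( $raw ) {
    $label = sanitize_text_field( wp_unslash( $raw ) );
    update_option( 'example_plugin_label', $label );
    return $label;
}

// Vulnerable output: the stored value is placed inside an attribute with
// no escaping. A stored value such as
//   " onfocus="alert(document.domain)" autofocus="
// contains no tags, so sanitize_text_field() leaves it unchanged, and once
// echoed here it closes the value attribute and adds handler attributes.
function example_plugin_render_field_vulnerable() {
    $label = get_option( 'example_plugin_label', '' );
    return '<input type="text" name="label" value="' . $label . '">';
}

// Fixed output: esc_attr() encodes the quotes (and < > &), so the browser
// sees a single attribute whose value merely contains quote characters.
function example_plugin_render_field_fixed() {
    $label = get_option( 'example_plugin_label', '' );
    return '<input type="text" name="label" value="' . esc_attr( $label ) . '">';
}

// Text between tags gets esc_html(); the escaping function has to match
// the context the value is output into, which is why input sanitization
// alone cannot decide it.
function example_plugin_render_heading_fixed() {
    $label = get_option( 'example_plugin_label', '' );
    return '<h2>' . esc_html( $label ) . '</h2>';
}
```

The practical rule this illustrates is the one WordPress' own coding standards state: sanitize on input, escape on output, and escape as late as possible with the function that fits the output context (esc_attr() for attributes, esc_html() for text nodes, esc_url() for href and src values).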

(Two other providers, Patchstack and Wordfence, who also claim to have experts generating their data, are also claiming this has been fixed despite the incomplete fix.) [Read more]

27 Sep 2023

Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ data. An explanation for that hacker targeting could be that WPScan was claiming that there is an unfixed SQL injection vulnerability in the plugin.

As of Saturday, the only information WPScan provided was this vague description of the issue: “The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users”. Without more information it would be difficult for anyone else to confirm their claim. They also stated that a proof of concept for the vulnerability would “be displayed on September 26, 2023, to give users the time to update.” Considering they were also claiming that this wasn’t fixed, there wouldn’t be any update to apply. So something seems amiss there. [Read more]

14 Sep 2023

Automattic Reintroduced Security Vulnerability Into WooCommerce, Their WPScan Missed That

Automattic is the company run by the head of WordPress, Matt Mullenweg. Among its operations, it sells access to (often inaccurate) information on vulnerabilities in WordPress plugins through WPScan. Earlier this week WPScan added an entry for a claimed vulnerability in Automattic’s WooCommerce plugin, which has 5+ million installs according to WordPress’ data. They claimed the vulnerability had been fixed in version 7.0.1:

[Read more]

8 Sep 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Still Contains Publicly Disclosed SQL Injection Issue

Often when we review claims about vulnerabilities in WordPress plugins, we find that the issues have only been partially addressed. That is the case with a vulnerability in the plugin POST SMTP, which has 300,000+ installs. The plugin vulnerability data provider WPScan released a rather vague report about a vulnerability in it in June. It lacks a lot of information, like what the vulnerable code is or how it was fixed. It does contain this note:

Note: The AJAX actions are also affected by SQL injections, making the issue easier to exploit by being able to choose which email to resend, for example the latest email related to a password reset [Read more]