5 Sep 2023

WordPress Enterprise Agencies’ Own Guide Suggests Their Security Handling is Not Extremely Vigilant and Highly Competent

Last week, we wrote about how a group of WordPress agencies had released a guide for promoting WordPress to enterprises that provided a misleading view of the security of WordPress. The information provided also suggests they might not have a great grasp of security either. One paragraph in particular stood out, which suggests they are not handling security for their customers well. Under the heading “Enterprise expertise” they wrote this:

Combined, these issues might suggest that WordPress security is lacking, however for large-scale brands that simply isn’t the case. In addition to utilising specialist tools that mitigate the vast majority of security challenges – such as WPScan which quickly flags up vulnerabilities – enterprise agencies are extremely vigilant and highly competent when it comes to protecting clients and site users. [Read more]

22 Aug 2023

Wordfence Intelligence (and Possibly WordPress) Mishandled Unfixed Vulnerabilities in WordPress Plugin

Earlier today, we warned our customers about unfixed vulnerabilities in a WordPress plugin named Posts Like Dislike. We ran across those vulnerabilities as at least one of our customers was using the plugin and the changelog for the latest version of the plugin stated that a security issue had been fixed. Following that, we checked to see if competing data providers had also spotted that. What we found was a mess involving at least Wordfence Intelligence and possibly WordPress as well.

The latest version of Posts Like Dislike added a nonce check, which prevents cross-site request forgery (CSRF), to code for resetting the plugin’s settings. The WordPress documentation for nonces is clear that they are not to be used for access control: [Read more]

26 Jul 2023

WP Engine Sending Out Emails Falsely Claiming Popular WordPress Plugins Contain Unfixed Vulnerabilities

Earlier today, we covered how Patchstack and their partners have been falsely claiming that WordPress plugins contain vulnerabilities caused by usage of an outdated version of the Freemius library. They have been joined in that by WP Engine and Automattic-owned WPScan.

Here is an example of that email sent out for the 100,000+ install plugin Pods: [Read more]

12 Jul 2023

Snicco Falsely Claiming Competing WordPress Security Plugins Contain Vulnerabilities

Yesterday, the WPTavern ran a story with the headline “MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials” despite there not being a vulnerability. Instead, a competitor named Snicco had been successful in getting themselves press coverage with a false claim of a vulnerability in competing WordPress security plugins. Making the whole situation more unseemly, Snicco cites a situation that in reality highlights that not only does their very expensive plugin not deliver the claimed results but also that they appear to lack basic security knowledge.

WordPress Firewall Plugins Can Provide Unique Protection

That situation cited by Snicco involved an authenticated option update vulnerability that was widely exploited earlier this year, which had been in the WordPress plugin Elementor Pro. That vulnerability, like previously disclosed vulnerabilities of that type, was exploited to create new WordPress accounts with the Administrator role. There were a number of key takeaways from that situation that highlight issues with the security of WordPress websites and how that can be improved. [Read more]

7 Jul 2023

Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About

Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way:

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) [Read more]

9 Jun 2023

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent cross-site scripting (XSS) vulnerability. That would allow an attacker not logged in to WordPress to cause JavaScript code they crafted to run for other visitors of the website. Depending on where that would run, that could, among other things, be used to cause malware to be included on front end pages of the website or code that causes users logged in to WordPress as Administrators to take action they didn’t want to happen. Both of those are things that hackers have been known to try to do on a wide scale.

Here is their description of the issue: [Read more]

20 Apr 2023

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known vulnerability and that the plugin had remained in the WordPress Plugin Directory despite that. That isn’t a one-off issue. Today we saw the same hacker probing for usage of the ReviewX plugin, which is still in the plugin directory. That isn’t a surprise, as the plugin has recently had an authenticated SQL injection vulnerability disclosed. More problematically, as we warned about two weeks ago, it was incorrectly claimed to have been fixed.

In our previous post, we noted that the incorrect claim that this had been fixed had been included in the CVE system, which is funded by the US government. CVE is a system that is treated as a reliable and notable source of information on vulnerabilities, for reasons we can’t understand. In reality, they allow just about anyone to add data to the system and there isn’t a functioning system to make sure it is accurate. With this vulnerability, we reported that the information was incorrect to the company that put the information into the CVE system, but it hasn’t been corrected. Here is the current state of the entry, still claiming that this affected versions before 1.6.4: [Read more]

10 Apr 2023

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence had known about the vulnerability, but hadn’t made sure the plugin was removed. While checking into a claimed vulnerability to add it to our data set, we found another instance of that, which is more troubling.

In February, a Wordfence employee named Chloe Chamberland wrote a strange post on Wordfence’s blog that claimed in the headline, “the WordPress ecosystem is becoming more secure with responsible disclosure becoming More Common”. It is strange because the body of the post never uses the phrase responsible disclosure or otherwise mentions it. Instead, the author seems to be trying to suggest that doing something other than responsible disclosure is responsible disclosure. Responsible disclosure involves notifying a developer of a vulnerability and giving them a chance to resolve it, before notifying anyone else. The post is actually suggesting directing reporting of vulnerabilities in WordPress plugins away from the developers and WordPress: [Read more]

5 Apr 2023

Our Firewall Plugin Caught That SQL Injection Vulnerability Tenable Discovered Hasn’t Actually Been Fixed

Last month, security provider Tenable claimed that an authenticated SQL injection vulnerability had existed in the WordPress plugin ReviewX and was fixed in version 1.6.4. It turns out the vulnerability hasn’t been fixed.

The CVE system allowed Tenable to create a CVE ID for this, CVE-2023-26325, and didn’t check to make sure the claims were accurate. [Read more]

3 Apr 2023

WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Many of those vulnerabilities have been SQL injection vulnerabilities. Over the weekend we saw them looking for usage of the WordPress plugin Gift Voucher. That isn’t surprising considering that there is an unfixed SQL injection vulnerability that was publicly disclosed by Tenable on March 22. What is surprising is that the plugin is still available in the WordPress Plugin Directory as of now:

[Read more]