23 Mar 2023

Let’s Learn From WordPress Security Provider Automattic’s Incredibly Insecure Code in WooCommerce Payments

It’s a bad look when a major WordPress security provider has to disclose that one of its own plugins has a serious security issue, which is what happened six months ago with the developer of iThemes Security. It’s even worse when the code itself is badly insecure, which was also the case with iThemes. Automattic, the company run by the head of WordPress, Matt Mullenweg, which provides security solutions under brands including WPScan and Jetpack, today fixed a serious vulnerability in one of its plugins. That this happened runs counter to the view we often see that Automattic are security experts, but it is in line with previous security issues in their software. Unlike the situation with iThemes, though, this isn’t known to be a zero-day (a vulnerability being exploited before the developer knows about it) and doesn’t involve a security failure at such a basic level. It does involve incredibly insecure code running in a high-risk situation: a payments plugin.

With that said, this situation could be used as impetus to finally move WordPress plugin security to a better place. But first, let’s look at what went wrong here. [Read more]

16 Mar 2023

Our Firewall Plugin Caught That Jetpack’s “Internal Audit” of Slimstat Analytics Missed That Vulnerability Still Exists

Recently Automattic’s Jetpack claimed to have done an “internal audit” of the WordPress plugin Slimstat Analytics and found an authenticated SQL injection vulnerability that was subsequently fixed. We don’t know what an internal audit is supposed to be, but they failed to fully test or check over the vulnerable code, and the authenticated SQL injection vulnerability still exists (which isn’t that surprising, considering the discoverer is a former employee of Sucuri). They also missed another security issue in the relevant code, which helped lead to the vulnerability still existing. Interestingly, an in-development feature of our firewall plugin caught that the issue hadn’t been fully resolved.

Another Automattic unit, WPScan, also missed that this wasn’t fully resolved: [Read more]

28 Feb 2023

You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Are you relying on a security provider to warn you about vulnerabilities in WordPress plugins you use? Are you not testing the proof of concepts for those vulnerabilities because the security provider claims to be verifying things for you, or because you don’t have the capability to do that? If you answered yes to both of those, we have bad news for you, as many of those providers are not doing that testing either, leaving websites running still-vulnerable plugins exposed and giving hackers information on how to exploit them. A recent example of that involves a plugin with 20,000+ installs, where most data providers recently claimed that a known vulnerability in the plugin had been fixed, despite the proof of concept contradicting that.

Here was the original source of the claim, Automattic’s WPScan, making it (and claiming they had verified their information): [Read more]

31 Jan 2023

Hacker Might Be Exploiting Unfixed Plugin Vulnerability That WPScan, Patchstack, and Wordfence All Claimed Was Fixed

In a now-deleted review of the WordPress plugin Beautiful Cookie Consent Banner, someone claimed that the plugin is insecure and leads to malware:

The plugin is full of malware. Check your source code and run a security check. If you have malware, it’s this plugin!!! [Read more]

30 Jan 2023

WordPress Security Community’s Poor Results on Display With Failed Fix of Vulnerability in 3+ Million Install Plugin MonsterInsights

A couple of weeks ago WordPress security provider WPScan, which is controlled by the head of WordPress Matt Mullenweg, claimed that an authenticated persistent cross-site scripting (XSS) vulnerability involving its Inline Popular Posts block had been fixed in the latest version, 8.12.1, of the 3+ million install plugin MonsterInsights:

[Read more]

5 Jan 2023

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer.

Here was WPScan, the original source for the claim: [Read more]

4 Jan 2023

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that its moderators often get in the way and cause unnecessary problems (along with other troubling behavior, including deleting unflattering information about a company they promote). At the same time, they don’t take action when there is something they could actually help with. That is the case with the 8,000+ install WordPress plugin Bulk Delete Comments. Two weeks ago, a one-star review was left with a concerning claim:

This plugin might be hacked or it is shady one way or another, because it has started to slow down WordPress when including an inclusion of JavaScript located at: alishahalom.com [Read more]

15 Dec 2022

WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape while, at the same time, security companies are so obviously dishonest so often. That is something we frequently run across in the WordPress security space, involving even the big-name players. A couple of instances of that just came up, involving vulnerability data providers presenting their data as if they had added information on vulnerabilities in a more timely manner than they really did.

WPScan

Automattic’s WPScan is claiming there is a known vulnerability in the latest version of WordPress, though this would probably be better classified as a security issue. WPScan’s data says that the issue was “publicly published” and “added” two days ago: [Read more]

7 Dec 2022

Patchstack Isn’t Verifying Vulnerability Info Being Copied From WPScan’s Inaccurate Data

Yesterday, we noted that the WordPress security provider WPScan isn’t verifying claimed vulnerabilities being added to its data set, despite claiming to do just that. That came up in the context of them claiming there was a vulnerability in a plugin, where what they described wasn’t really a vulnerability, while a more serious vulnerability actually did exist. That wasn’t a one-off issue.

WPScan recently claimed that the plugin Popup Maker had contained an admin+ stored cross-site scripting vulnerability, which they described this way: [Read more]