6 Dec 2022

WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet

Last week we discussed an example of how WordPress security providers often make marketing claims that don’t match up with what they deliver, in that case involving Patchstack, but they are certainly not alone in that. We ran across another example of that involving WPScan and a claimed vulnerability in a plugin used by at least one of our customers.

WPScan markets their service with a claim that they have a “dedicated team of WordPress security experts” and that they are “continually monitoring the web for new vulnerabilities”, but if you look at their blog, they tell a different story. At the end of September, they wrote a post titled “Writing Good Submissions”. In that, they partially gave away what they are really doing, which is getting other people to do their work for them: [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]

28 Nov 2022

WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin

During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests were looking for the plugin’s readme.txt file:

/wp-content/plugins/contentstudio/readme.txt [Read more]

25 Nov 2022

Not Really a WordPress Plugin Vulnerability, Week of November 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Blind SSRF in Post SMTP

Automattic’s WPScan claimed an admin+ blind SSRF vulnerability had existed in Post SMTP. The description doesn’t make sense: [Read more]

17 Nov 2022

CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier for vulnerabilities:

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. [Read more]

3 Nov 2022

If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist

Recently WordPress changed their policy on discussing vulnerabilities in plugins on their forum, which is leading to public discussions of the kind that we are frequently party to in private. Among the issues that we have run across are plugin developers claiming that there isn’t a vulnerability in their plugin because a data provider isn’t mentioning it. You can see that with a public discussion involving a claim from one of those data providers, Patchstack, that there is a vulnerability in the current version of a plugin.

The response from the developer to that claim was this: [Read more]

1 Nov 2022

Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

During the summer, WPScan, one arm of the company closely associated with WordPress, Automattic, disclosed a vulnerability in the plugin Co-Authors Plus, which is maintained by another arm of Automattic. WPScan and others in Automattic appear to have failed to look all that closely at the issue, as the plugin still has a closely related vulnerability.

According to the documentation for the plugin, it is maintained by WordPress VIP: [Read more]

19 Oct 2022

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A recurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters, and then the sources of that inaccurate information are not the ones having to deal with the fallout of that. Take this recent forum topic for the plugin Advanced Contact Form 7 DB (Advanced CF7 DB), which included a message coming from the paid iThemes Security Pro service claiming that there was a “known” vulnerability in the latest version of the plugin, version 1.9.1. Here is the message:

SEPT 30: Known issues in Advanced Contact form 7 DB v1.9.1 [Read more]

14 Oct 2022

Not Really a WordPress Plugin Vulnerability, Week of October 14

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ PHP Objection Injection in Ninja Forms

Automattic’s WPScan claimed there was an admin+ PHP objection injection vulnerability in Ninja Forms. Presumably they were trying to refer to “PHP object injection”. They explained it this way: [Read more]