13 Oct 2022

Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True

In our monitoring of the WordPress Support Forum for topics that might discuss WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims, coming from the WordPress security provider Wordfence through their Wordfence Security plugin, that other WordPress plugins contain vulnerabilities. Here is one such message coming from Wordfence, mentioned in a topic:

The Plugin “WP Affiliate Platform” has a security vulnerability.
Type: Plugin Vulnerable
Critical
Details:
Plugin Name: WP Affiliate Platform
Current Plugin Version: 6.3.8 [Read more]

12 Oct 2022

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on.

As an example of what is happening, take Automattic’s WPScan, which, as can be seen by their Twitter banner image, claims that with them you would “be the first to know about new WordPress vulnerabilities” [Read more]

11 Oct 2022

Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community to the benefit of his business interests. One of those entities is the news outlet the WP Tavern, which, when covering him, doesn’t disclose that it is owned by him and that its writers work for him. That lack of disclosure occurred again with a recent story about one of his employees causing WordPress to hide information useful to competing companies.

In the story, it also wasn’t disclosed that one of the quoted sources, Josepha Haden Chomphosy, is an employee of Matt Mullenweg’s company Automattic, instead incompletely describing her as “WordPress Executive Director”. She was quoted saying that there should be a focus on coopetition mindset in terms of data access: [Read more]

10 Oct 2022

WordPress, Automattic’s WPScan, Patchstack, and CVE Make Mess of Unfixed Vulnerability in WordPress Plugin

The two most recent support forum topics for the 30,000+ install WordPress plugin Kraken.io Image Optimizer are about a claimed security vulnerability in the latest version of the plugin:

[Read more]

7 Oct 2022

Not Really a WordPress Plugin Vulnerability, Week of October 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

PHP Object Injection in Easy WP SMTP

One of the changelog entries for version 1.4.9 of Easy WP SMTP is: [Read more]

5 Oct 2022

Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

As detailed in a more technical post, proactive monitoring we do caught a serious vulnerability, of a type highly likely to be exploited, being introduced into a WordPress plugin this week. By the install count of the plugin, this wouldn’t be all that notable, as the plugin only has 200+ installs. But the plugin, Create Block Theme, comes directly from WordPress:

[Read more]

30 Sep 2022

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What seems like it could have started the closure was a claim made by a competing plugin, Wordfence, of a vulnerability in the plugin.

Here is how Wordfence described the issue: [Read more]

20 Sep 2022

How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing

Last week Bloomberg’s Katrina Manson covered a recommendation from the US Cybersecurity and Infrastructure Security Agency that urged companies to automate threat testing. The story touched on one of the realities of the poor state of security that doesn’t get much attention: the current method of threat testing is both much more expensive than it needs to be and not very effective. The story mentioned a chief information security officer of a company that changed course after a ransomware attack two years ago, who found that the change had this impact:

the price was cheaper than employing so-called penetration testers, who do similar work but less regularly and effectively [Read more]

18 Jul 2022

Hacker Exploiting Unfixed Vulnerability in WooCommerce Extending Plugin MultiSafepay

The security of plugins that extend the WordPress ecommerce plugin WooCommerce is often poor, something that the developer of WooCommerce, Automattic, hasn’t taken an interest in addressing. Another part of Automattic claims to provide some protection against that, but isn’t delivering that. Automattic’s WPScan is promoted with this claim:

Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes. [Read more]

17 Jun 2022

Clearing Up Some Claims Made About the Remote Code Execution (RCE) Vulnerability Fixed in Ninja Forms

Two days ago, WPScan described a vulnerability fixed in the WordPress plugin Ninja Forms the day before this way:

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such an issue since June 9th, 2022 [Read more]