15 Apr 2022

Not Really a WordPress Plugin Vulnerability, Week of April 15

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Arbitrary File Upload to RCE in WP Import

Earlier this week we saw a concerning changelog entry for the plugin WP Import: [Read more]

15 Apr 2022

CVE, WPScan, and Patchstack Claimed That Possible Security Issue Was Addressed Five Months Before It Was

One of the changelog entries for version 4.5.9 of the WordPress plugin Download Monitor, which was released last week, is:

Fixed: Security issues regarding file downloads and download titles [Read more]

31 Mar 2022

A Month Later, WordPress Still Hasn’t Taken Action for Websites With Backdoored Plugin They Distributed

On February 28, we publicly warned that the WordPress plugin Mistape appeared to have had a backdoor added in its latest release. Part of the code would contact the developer’s website and let them know if the plugin was installed. Another part would allow anyone to gain access to an account on the website with the Administrator role. The response from WordPress was to close the plugin in their plugin directory:

[Read more]

24 Mar 2022

WPScan Issues Two CVE IDs for Same Vulnerability While Failing to Warn for 7 Months That It Was Unfixed

On August 9, 2021, a security update was released for the WordPress plugin Favicon by RealFaviconGenerator, which has 200,000+ installs. The changelog for that was:

Fix XSS security issue, reported by WPSpan.com. See https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9?fbclid=IwAR2aRMXRjbGm9ppoI9tM-OHm26Q0ax4yt0MkcP5sp0-pz9D4eVIEHQwvG1Y [Read more]

23 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand The Implication of Being Able to Replace WordPress

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is: [Read more]

21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be, such as a recently fixed vulnerability in the plugin or an unfixed vulnerability that currently exists in the plugin. But WPScan did recently put out a false report of a vulnerability in the plugin that it seems a hacker might have thought was something they could exploit. [Read more]

12 Oct 2021

WPScan Claims a Vulnerability Was Fixed in Version of WordPress Plugin That Doesn’t Exist

One of the many problems that plagues security is the lack of concern with the truth from so many people involved in it. You would think that wouldn’t be the case with trust being an important part of security, but it is the case, hence security being in such bad shape. That is common when it comes to information on vulnerabilities in WordPress plugins, where we find that critical information, including whether vulnerabilities have actually been fixed, is often inaccurate. While there are understandable mistakes, that clearly isn’t the explanation for most of it. Take something we noticed with one company that clearly isn’t interested in accuracy, WPScan.

Yesterday we discussed looking into why a hacker might be targeting the commercial WordPress plugin Cooked Pro. While looking into that, we came across a WPScan entry that claimed a vulnerability had been fixed in the related free Cooked plugin in version 1.7.5.6: [Read more]

27 Aug 2021

Wordfence’s Explanation for Misusing the Term Brute Force Attack is Something

While working on another blog post explaining how Wordfence inflates the number of “attacks” that their plugin blocks, we ran across a rather stunning explanation as to why they are misleading people about the type of attacks occurring against WordPress admin passwords.

Attempts by attackers to log in to WordPress are not something that the administrators of the average WordPress website need to worry about. All they need to do is use a strong and unique password, and then they can move on to other things. That is bad for the security industry, as WordPress already provides a password strength meter. That might explain why they mislead people about what is happening, telling them that brute force attacks are happening and then recommending plugins and other solutions that would only be needed if those attacks were really occurring (so this isn’t a semantics issue). Not only does that waste time and create unnecessary fear, it has led to websites becoming vulnerable, as plugins to handle brute force attacks can and have introduced security vulnerabilities on websites. This is the security industry at its worst, but they are able to get away with it. [Read more]

16 Aug 2021

Why doesn’t WP Tavern want their readers to have accurate information on the state of WordPress security?

One of the biggest impediments to improving the security of WordPress is the sheer amount of misleading and outright false information that exists out there. Take the most popular security-specific WordPress plugin, Wordfence Security, which, as we noted on Friday, is promoted by its developer and by others with the unqualified claim that it stops websites from being hacked. Not only could it not provide that level of protection, but testing confirms that it actually fails to provide the kind of protection it should be able to and that other security plugins do provide. If people knew the truth, they could be taking advantage of the additional security that other plugins provide. On the developer’s part, they clearly know what they are saying isn’t true, and that statement isn’t an aberration, as we have repeatedly seen them telling lies that involve overstated claims about the capabilities of their plugin and services.

You would reasonably expect that journalists covering security would be warning the public about a company like that, but what we have found instead is that those journalists often act more as a PR arm of security companies (often dishonest ones) than as journalists. In some cases that is a rather literal situation, as there are multiple security journalism outlets that are publicly acknowledged to be owned by security companies (and another that is no longer acknowledged to be owned by a security company). [Read more]