Zero Day Blog

11 Apr 2019

Why Are Journalist Spreading Wordfence’s (aka Defiant’s) Lies About Us?

Here’s a timeline of the recent situation with the WordPress plugin Related Posts (Yuzo Related Posts):

March 30 – The plugin was closed on the WordPress Plugin Directory.
March 30 – We notice the closure and find that the plugin contains an exploitable vulnerability.
March 30 – We put out post warning about that vulnerability and pointed out the problem with closing plugins with undisclosed vulnerabilities.
March 30 – We notify the developer of the plugin about the vulnerability through the WordPress Support Forum.
April 2 – Developer submits new version of plugin that appears to be intended to fix a different vulnerability and seemingly unintentionally fixes another one.
Approximately April 9 or 10 – Vulnerability we warned about is widely exploited.

Yet here was Lawrence Abrams at the Bleeping Computer yesterday: [Read more]

22 Oct 2018

Security Issues Related to jQuery File Upload Not Unknown To InfoSec Community As Security Journalists Claim

We generally avoid following news coverage of web security since it is of such poor quality and when we do have to look at examples of it due to a news alert we have to keep track of vulnerabilities in WordPress that view is reinforced. Take this post on ZDNet’s Zero Day blog, “Zero-day in popular jQuery plugin actively exploited for at least three years“, by Catalin Cimpanu, which makes this claim:

It is pretty clear from the videos that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community. [Read more]

24 Sep 2018

ZDNet’s Zero Day Blog Claims to Have Revealed Something That We Had Already Discussed Well Beforehand

When it comes to actually trying to improve the poor state of web security one of the big impediments are security journalists, who often act not as journalists, but as stenographers repeating claims made by security companies with little concern for their accuracy or actual significance. A case in point with that comes from a post from ZDNet’s Zero Day blog (which at least in the past was run by people that didn’t even understand what a zero-day is), titled “Thousands of WordPress sites backdoored with malicious code”, which we got notified due to a Google alert we have set related to WordPress plugin vulnerabilities.

It is not clear exactly how many websites are running WordPress, but one figure put out by Forbes was 75 million, so thousands of websites running it being hacked seems less than significant. In fact there doesn’t really seem to be anything significant about what is being described in the post. The problem with covering things like that is that it gives an inaccurate picture of security of WordPress, since certainly many more than thousands of website not running WordPress are also hacked each month and this can cause people to choose less secure software to use on their website because of skewed coverage. There are also plenty of issues surrounding the security WordPress that could be covered instead of this type of thing, but journalists don’t seem to be interested in covering more significant issues. [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Zero Day Blog

Security Issues Related to jQuery File Upload Not Unknown To InfoSec Community As Security Journalists Claim

ZDNet’s Zero Day Blog Claims to Have Revealed Something That We Had Already Discussed Well Beforehand