11 Aug 2021

Existing WordPress Security Plugins Fail to Protect Against PHP Object Injection Vulnerability

When we did testing several years ago to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection, and only one of them had protection that couldn't be easily bypassed. In a third, we found no plugins provided protection, despite one of them supposedly having had it, and we later found that another one that was supposed to have gained protection afterwards also didn't provide it.

Based on those results and later testing, we saw that there was a place for a firewall plugin as one piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. That was not only due to the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can't trust a security company, you probably shouldn't rely on it). That has led to us working on our own firewall plugin, which we plan to release soon.

To create a firewall plugin that actually delivers what should be possible with one, doing more of that type of testing is critical. It allows us to confirm that protection we have implemented works and isn't bypassable in a way that should be prevented, to see whether other plugins have provided better protection that we should match or exceed, and to make sure there isn't protection possible that we haven't thought of.

In our first test, the result was that only our plugin and two others, NinjaFirewall and Wordfence Security, provided protection and only our plugin provided protection that wasn’t easily bypassed.

For our second test, we got a chance to try out our newly created protection for a serious type of vulnerability, PHP object injection. The vulnerability used in the test is one that our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities, had just spotted. Being able to warn customers of our service about that type of vulnerability before hackers appear to be aware of it, and providing them access to a tool that would have flagged the possibility of the vulnerability even before that, is good; being able to provide them a firewall that prevents exploitation would be even better.
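To make concrete what a firewall plugin has to catch here, the following is an added example (written for this page, not code from Plugin Vulnerabilities, from Soprop Connector, or from any of the tested plugins) of the shape of a PHP object injection: a gadget class with a dangerous magic method, the vulnerable `unserialize()` sink beside a hardened one, and a request-level check for the serialized-object signature that also handles URL-encoded and base64-wrapped input, since a check that only matches the raw form is easily bypassed. The `LogWriter` class, the `build_payload()` helper and the sample payloads are constructed for illustration and say nothing about the actual Soprop Connector vulnerability. It needs PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
declare(strict_types=1);

// Added example, not code from Plugin Vulnerabilities or from Soprop Connector.
// LogWriter, build_payload() and the sample payloads are constructed for
// illustration.

// A "gadget": a class already loaded by WordPress or some plugin whose magic
// method acts on attacker-controlled properties. Nothing has to call it; PHP
// runs __destruct when the object built by unserialize() goes out of scope.
class LogWriter
{
    public $path = '';
    public $line = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->line, FILE_APPEND);
        }
    }
}

// Vulnerable sink: user input passed straight to unserialize(). The object's
// __destruct fires as soon as the discarded return value is freed.
function vulnerable_sink(string $input): void
{
    unserialize($input);
}

// Hardened sink: allowed_classes => false turns every O: entry into
// __PHP_Incomplete_Class, so no magic method of a real class can run. If the
// format only ever carries scalars, json_decode() is the better replacement.
function hardened_sink(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// What a firewall has to recognise in a request parameter: the signature
// O:<len>:"<class>":<props>:{ anywhere in the value, checked after undoing the
// wrappings attackers use to slip past a naive match (URL encoding, base64).
function looks_like_serialized_object(string $value): bool
{
    $pattern  = '/O:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';
    $variants = [$value, rawurldecode($value)];
    foreach ([$value, rawurldecode($value)] as $v) {
        $decoded = base64_decode($v, true);
        if ($decoded !== false && $decoded !== '') {
            $variants[] = $decoded;
        }
    }
    foreach ($variants as $v) {
        if (preg_match($pattern, $v) === 1) {
            return true;
        }
    }
    return false;
}

// The attacker writes the payload by hand; no copy of LogWriter is needed.
function build_payload(string $path, string $line): string
{
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"line";s:%d:"%s";}',
        strlen($path), $path, strlen($line), $line
    );
}

$target  = sys_get_temp_dir() . '/poi-demo.txt';
$payload = build_payload($target, "written by __destruct\n");
@unlink($target);

// 1. Unprotected sink: the file is created although no code named LogWriter.
vulnerable_sink($payload);
var_dump(file_exists($target));
@unlink($target);

// 2. Hardened sink: same input, no side effect, an incomplete class object.
$obj = hardened_sink($payload);
var_dump(get_class($obj), file_exists($target));

// 3. Firewall check on the raw, URL-encoded and base64-wrapped forms, plus a
//    harmless serialized array that must not be flagged.
var_dump(
    looks_like_serialized_object($payload),
    looks_like_serialized_object(rawurlencode($payload)),
    looks_like_serialized_object(base64_encode($payload)),
    looks_like_serialized_object('a:1:{s:3:"key";s:5:"value";}')
);
```

Run it with `php poi-demo.php`: the unprotected sink creates the temp file as a side effect of `unserialize()` alone, the hardened sink returns a `__PHP_Incomplete_Class` object and creates nothing, and the check flags all three encodings of the payload while leaving the plain serialized array alone. The point for a firewall is that the decoding steps are part of the detection; matching `O:` only on the raw parameter is the kind of protection that gets bypassed.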

We expected that NinjaFirewall would also protect against this and that Wordfence Security might as well, but without doing the testing we wouldn't know for sure.

The result was that only our plugin provided protection against this; all 22 of the existing plugins we tested failed to. We will discuss what went wrong with NinjaFirewall's protection in an upcoming post, since understanding that better helps to make sure that type of issue can be prevented from happening elsewhere.

Testing Procedure

For each of the tested plugins we set up an install of WordPress 5.8, installed version 1.0.2 of Soprop Connector, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn't set up any additional service connected with the plugins.

We used the proof of concept provided in our disclosure of the vulnerability in the exploit attempts.

The 23 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Only our Plugin Vulnerabilities Firewall plugin prevented the vulnerability from being exploited.

The full results are below:

All In One WP Security & Firewall

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Failed to prevent exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Failed to prevent exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

iThemes Security

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

Result: Prevented exploitation.

SecuPress Free

Result: Failed to prevent exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Wordfence Security

Result: Failed to prevent exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.
