Five WordPress Security Plugins Provide Some Protection Against Unfixed Reflected XSS Vulnerability in Plugin with 200,000+ Installs
Update: We originally incorrectly listed the plugin All In One WP Security & Firewall as not providing any protection, when in fact it did provide protection that was easily bypassed. We apologize for the mistake.
In the mess that is the current handling of security of WordPress plugins, many people rely on and trust companies to provide them accurate information on vulnerabilities in plugins that they use, while those companies appear to have no concern for whether the information they provide is accurate. The ultimate source of their data is often a company named WPScan, which is well documented to not be concerned about the quality of its data.
That all comes into play with the plugin Favicon by RealFaviconGenerator, which currently has a reflected cross-site scripting (XSS) vulnerability. There was a failed attempt to fix the issue in the latest version of the plugin, 1.3.22. As we detailed for our customers three days ago, the changes made didn’t look right, and testing confirmed the issue still exists. We contacted the developer about that three days ago as well, but we have yet to receive a response.
Meanwhile WPScan is incorrectly telling people the vulnerability was fixed in that version:
That matters because, while this is a minor vulnerability, some of those using the plugin, upon being informed it was vulnerable (based, it looks like, ultimately on WPScan’s report), had stopped using it or planned to stop using it:
Hi, today I got a warning from iThemes Security. There is no fix, so I had to remove your plugin. When will you release an update with the fix?
Yes, please advise on the timeline. We are currently scheduled to remove this plugin from a little over one hundred sites we manage if no patch is released.
If doing that is warranted, then being incorrectly told it has been fixed is a major issue.
This is a minor vulnerability and not one you would expect hackers to be trying to exploit, though exploitation may be somewhat more likely now that browser-side protection against this type of issue is much less prevalent, with major web browsers, most prominently Chrome, having removed it.
Another option is to use a WordPress security plugin, though that protection can be bypassed in the same way Chrome’s was (which was part of the reason Chrome removed it). The vulnerability seemed like a good one to better inform development of the still incomplete XSS protection for our upcoming firewall plugin and to see what protection other security plugins provide for this.
The result was interesting, as we found that five plugins provided protection against the proof of concept we used. Two were not surprising: our plugin, which should have protected against the proof of concept, and the most popular WordPress security plugin, Wordfence Security. Two others, BBQ Firewall and BulletProof Security, had not provided protection in any of our previous tests. The fifth, All In One WP Security & Firewall, was one we originally listed as not providing protection (see the update above).
One surprising failure was NinjaFirewall, which, along with Wordfence Security, has provided the most protection among existing plugins in our previous tests. It looks like that is caused by its protection being disabled when logged in as a user with the “unfiltered_html” capability. This vulnerability would be exploited against an Administrator, who has that capability.
That brings up a fairly fundamental problem, which we have already been thinking through as we work on our XSS protection: what is involved here is something that can be malicious or non-malicious depending on the circumstances. The proof of concept involves JavaScript code in a URL, which we can’t think of a legitimate reason for, but the vulnerable code reads the value from $_REQUEST, so it can also arrive as form input (POST) rather than in the URL:
$new_favicon_params_url = filter_var ( $_REQUEST['json_result_url'], FILTER_SANITIZE_URL );
When retesting the plugins that provided protection against the proof of concept with POST input, only Wordfence’s still provided protection, though that also could interfere with legitimate usage of JavaScript code.
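To make the two points above concrete, here is an added example (our illustration, not code from Favicon by RealFaviconGenerator or from any of the tested security plugins). It shows that FILTER_SANITIZE_URL, the only filtering in the line quoted above, does not reject a javascript: URL at all; it shows one hardening a practitioner would apply to a parameter that is supposed to hold a URL, a scheme and host allowlist; and it shows a request-level check that inspects the POST body as well as the query string, since $_REQUEST accepts either. The function names and the sample request arrays are constructed for the demonstration. The page does not show where the plugin outputs the value, so output escaping appropriate to that context is still required on top of this input check.

```php
<?php
// Added example; not the plugin's code and not any security plugin's code.

// 1. The sanitizer pattern from the vulnerable line. FILTER_SANITIZE_URL only
//    removes characters that are not legal in a URL. "javascript:alert(1)"
//    contains none, so it passes through untouched.
function sanitize_url_only( string $value ): string {
    return (string) filter_var( $value, FILTER_SANITIZE_URL );
}

// 2. Allowlist: accept only an absolute http(s) URL that has a host.
//    A javascript: or data: value has no host and a disallowed scheme,
//    so it is rejected regardless of which characters it contains.
function allowlisted_http_url( string $value ): ?string {
    $clean = sanitize_url_only( $value );
    $parts = parse_url( $clean );
    if ( $parts === false || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return null;
    }
    $scheme = strtolower( $parts['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return null;
    }
    return $clean;
}

// 3. Request-level check over both sources $_REQUEST draws from. A filter that
//    only looks at the query string misses the POST form of the same request;
//    this one deliberately takes no account of who is logged in, because the
//    target of a reflected XSS is the privileged user, not an anonymous one.
function script_scheme_params( array $get, array $post ): array {
    $hits = array();
    foreach ( array( 'GET' => $get, 'POST' => $post ) as $source => $params ) {
        foreach ( $params as $name => $value ) {
            if ( ! is_string( $value ) ) {
                continue;
            }
            // Drop control characters and spaces that browsers ignore inside
            // a scheme ("java\tscript:"), then compare the scheme.
            $probe = strtolower( preg_replace( '/[\x00-\x20]+/', '', $value ) );
            if ( preg_match( '/^(javascript|data|vbscript):/', $probe ) ) {
                $hits[] = $source . ':' . $name;
            }
        }
    }
    return $hits;
}

// Constructed sample requests (not captured traffic). The GET copy carries a
// legitimate URL; the POST copy carries a javascript: URL with an embedded tab.
$sample_get  = array( 'json_result_url' => 'https://example.test/result.json' );
$sample_post = array( 'json_result_url' => "java\tscript:alert(document.domain)" );

var_dump( sanitize_url_only( 'javascript:alert(document.domain)' ) );
var_dump( allowlisted_http_url( 'javascript:alert(document.domain)' ) );
var_dump( allowlisted_http_url( 'https://example.test/result.json' ) );
print_r( script_scheme_params( $sample_get, $sample_post ) );
```

Running this shows the first var_dump returning the javascript: value unchanged, the allowlist returning null for it and the real URL for the https input, and the request check flagging only POST:json_result_url. Note that the tab inside the POST value is also something FILTER_SANITIZE_URL itself strips, so a sanitizer applied before a naive scheme check can actually normalise an evasion into a clean javascript: prefix; the check above strips those characters itself rather than relying on that.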
Testing Procedure
For each of the tested plugins we set up an install of WordPress 5.8, installed version 1.3.22 of Favicon by RealFaviconGenerator, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.
We used the proof of concept provided in our Vulnerabilities Details post in the exploit attempts.
The 25 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
Results
Five of the plugins provided protection against the proof of concept tested: All In One WP Security & Firewall, BBQ Firewall, BulletProof Security, our Plugin Vulnerabilities Firewall, and Wordfence Security.
We then retested those plugins to see if they would still provide protection with the JavaScript sent as POST input instead of in the URL and only Wordfence Security still provided protection.
The full results are below:
All In One WP Security & Firewall
- WordPress.org Plugin Directory page
- Active Installs: 900,000+
- Version Tested: 4.4.9
Result: Prevented exploitation, but bypass around protection was easily found.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.20.72
Result: Failed to prevent exploitation.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 3.26
Result: Failed to prevent exploitation.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20210719
Result: Prevented exploitation, but bypass around protection was easily found.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 5.1
Result: Prevented exploitation, but bypass around protection was easily found.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 1.9.4
Result: Failed to prevent exploitation.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 2.5.5
Result: Failed to prevent exploitation.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 4.1.08
Result: Failed to prevent exploitation.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.0.1
Result: Failed to prevent exploitation.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 10.0
Result: Failed to prevent exploitation.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 4.63
Result: Failed to prevent exploitation.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 4.4
Result: Failed to prevent exploitation.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: Alpha
Result: Prevented exploitation, but bypass around protection was easily found.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 30,000+
- Version Tested: 2.0.3
Result: Failed to prevent exploitation.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 9,000+
- Version Tested: 2.71
Result: Failed to prevent exploitation.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.122
Result: Failed to prevent exploitation.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 11.5.4
Result: Failed to prevent exploitation.
SiteGround Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 1.1.1
Result: Failed to prevent exploitation.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 400,000+
- Version Tested: 1.6.0
Result: Failed to prevent exploitation.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.27
Result: Failed to prevent exploitation.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.2.7
Result: Failed to prevent exploitation.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.5.4
Result: Prevented exploitation.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 8.9
Result: Failed to prevent exploitation.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 5,000+
- Version Tested: 1.2.2
Result: Failed to prevent exploitation.
WP Hide & Security Enhancer
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 1.6.3.7
Result: Failed to prevent exploitation.