On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was disclosed. With that type of vulnerability, the question isn’t whether it will be exploited, but how long until it happens. By the next day, we were already seeing what looked to be hackers probing for usage of the plugin.

In looking over the vulnerable code, we noticed that there were two ways the data for the file being uploaded to be sent with exploit attempt. One of those ways was with a file sent with exploit attempt and the other by sending raw POST data that can be read in PHP from php://input:

1147
1148
1149
1150
1151
1152
1153
1154

// Read binary input stream and append it to temp file
if ( !$in = @fopen( $_FILES["file"]["tmp_name"], "rb" ) ) {
	die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
}
} else {
if ( !$in = @fopen( "php://input", "rb" ) ) {
	die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
}

With the former, our firewall plugin for WordPress and some other WordPress security plugins provide varying degrees of protections against exploitation. But with the latter, our plugin didn’t at the time provide any protection. To better understand what protection could be provided, we tested other WordPress security plugins to see if they already provided protection in that situation and then see how that worked.

Unfortunately, as detailed below, none of the other plugins provided protection against this type of exploitation as of yesterday, so there was nothing we could use from them to help us better protect against.

We have now added protection to our plugin that will block requests with raw POST data that includes starting tags for PHP code, which should restrict hackers from their usual use of this type of vulnerability.

Testing Procedure

For each of the tested plugin, we set up an install of WordPress 5.8.1, installed version 1.9.1.4 of 3DPrint Lite and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We performed the exploit attempts with the name specified for the new file as test.php and with the following as the raw POST data sent with the request:

<?php echo 'test';

The 25 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

None of the plugins provided protection.

The full results are below:

All In One WP Security & Firewall

• WordPress.org Plugin Directory page
• Active Installs: 900,000+
• Version Tested: 4.4.9

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

• WordPress.org Plugin Directory page
• Active Installs: 200,000+
• Version Tested: 4.20.72

Result: Failed to prevent exploitation.

AntiHacker

• WordPress.org Plugin Directory page
• Active Installs: 1,000+
• Version Tested: 3.26

Result: Failed to prevent exploitation.

BBQ Firewall

• WordPress.org Plugin Directory page
• Active Installs: 100,000+
• Version Tested: 20210719

Result: Failed to prevent exploitation.

BulletProof Security

• WordPress.org Plugin Directory page
• Active Installs: 50,000+
• Version Tested: 5.2

Result: Failed to prevent exploitation.

Clearfy

• WordPress.org Plugin Directory page
• Active Installs: 100,000+
• Version Tested: 1.9.6

Result: Failed to prevent exploitation.

Defender

• WordPress.org Plugin Directory page
• Active Installs: 60,000+
• Version Tested: 2.6.0

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

• WordPress.org Plugin Directory page
• Active Installs: 100,000+
• Version Tested: 4.1.09

Result: Failed to prevent exploitation.

iThemes Security

• WordPress.org Plugin Directory page
• Active Installs: 1+ Million
• Version Tested: 8.0.2

Result: Failed to prevent exploitation.

Jetpack

• WordPress.org Plugin Directory page
• Active Installs: 5+ Million
• Version Tested: 10.1

Result: Failed to prevent exploitation.

MalCare Security

• WordPress.org Plugin Directory page
• Active Installs: 100,000+
• Version Tested: 4.63

Result: Failed to prevent exploitation.

NinjaFirewall

• WordPress.org Plugin Directory page
• Active Installs: 70,000+
• Version Tested: 4.4.2

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

• Page on our website
• Active Installs: N/A
• Version Tested: Beta

Result: Failed to prevent exploitation.

SecuPress Free

• WordPress.org Pluhttp://localhost/security-plugin-testing/secupress/gin Directory page
• Active Installs: 30,000+
• Version Tested: 2.1

Result: Failed to prevent exploitation.

Security by CleanTalk

• WordPress.org Plugin Directory page
• Active Installs: 10,000+
• Version Tested: 2.72.2

Result: Failed to prevent exploitation.

Security Ninja

• WordPress.org Plugin Directory page
• Active Installs: 10,000+
• Version Tested: 5.124

Result: Failed to prevent exploitation.

Shield Security

• WordPress.org Plugin Directory page
• Active Installs: 60,000+
• Version Tested: 12.0.9

Result: Failed to prevent exploitation.

SiteGround Security

• WordPress.org Plugin Directory page
• Active Installs: 100,000+
• Version Tested: 1.1.3

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

• WordPress.org Plugin Directory page
• Active Installs: 400,000+
• Version Tested: 1.6.0

Result: Failed to prevent exploitation.

Sucuri Security

• WordPress.org Plugin Directory page
• Active Installs: 800,000+
• Version Tested: 1.8.30

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

• WordPress.org Plugin Directory page
• Active Installs: 100,000+
• Version Tested: 7.2.8

Result: Failed to prevent exploitation.

Wordfence Security

• WordPress.org Plugin Directory page
• Active Installs: 4+ Million
• Version Tested: 7.5.5

Result: Failed to prevent exploitation.

WP Cerber Security, Anti-spam & Malware Scan

• WordPress.org Plugin Directory page
• Active Installs: 200,000+
• Version Tested: 8.9.3

Result: Failed to prevent exploitation.

WP Hardening

• WordPress.org Plugin Directory page
• Active Installs: 6,000+
• Version Tested: 1.2.2

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

• WordPress.org Plugin Directory page
• Active Installs: 80,000+
• Version Tested: 1.6.3.9

Result: Failed to prevent exploitation.

Plugin Security Scorecard Grade for BBQ Firewall

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BulletProof Security

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Clearfy

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Defender

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Jetpack

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for MalCare Security

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for NinjaFirewall

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Security Ninja

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Shield Security

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Sucuri Security

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Titan Anti-spam & Security

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Wordfence Security

See issues causing the plugin to get less than A+ grade