Developers of 1+ Million Install WordPress Security Plugin All In One WP Security & Firewall Not Disclosing Change in Ownership
The latest version of the WordPress security plugin All In One WP Security & Firewall fixed a minor security vulnerability. While there is an extensive changelog for that version, there doesn’t appear to be any mention of that. Take a look for yourself:
- FEATURE: Reset all settings by clicking on the “Reset Settings” button on the Settings Page.
- FEATURE: Verify the Google reCaptcha Site key before rendering and disable it if the Google reCaptcha site key is invalid.
- FIX: PHP Fatal error: Cannot redeclare wp_install_maybe_enable_pretty_permalinks() in specific server.
- FIX: throwing database error for creating debug log table in specific MySQL server.
- FIX: Compatibility issue with WPML plugin for login and logout functionality.
- FIX: Update email sent in English instead of setting language.
- FIX: The Simple Math Captcha can’t be validated when a third-party plugin clears transients more frequently.
- FIX: The login lockdown unlock request was not working in a few specific server environments.
- FIX: The warning headers already sent was displayed in a few specific server environments.
- FIX: Handle invalid tabs appropriately in setting pages.
- TWEAK: Add review notice.
- TWEAK: Improve functionality that prevents fake Google bots from accessing the site.
- TWEAK: Remove IP address retrieval setting and detect IP address automatically.
- TWEAK: Verify Google reCaptcha site key before rendering the reCaptcha.
- TWEAK: Remove force logout checking from REST API Call.
- TWEAK: Made Admin Dashboard > WP Security > Settings tabs extensible.
- TWEAK: Add G2 review message in the admin footer.
- TWEAK: Format failed login date time according to WordPress general settings.
- TWEAK: Remove unused codes from AIOWPSecurity_Config.
- TWEAK: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > “Display Name” tab > “Modify Accounts With Identical Login Name & Display Name” section.
- TWEAK: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP’s “Site Health” tool)
- TWEAK: The “Allow Login Lockout Request” checkbox is ticked by default.
- FIX: Fix login lockout issue with different timezone.
As at least one of the customers of our main service used that plugin, we took a close look at that as the discoverers provided almost no information to confirm there was a vulnerability and that it had been fixed. What we found is that the developer had fixed the vulnerability, but hadn’t properly secured the code, increasing the chances that there could be another instance of this problem in the future. That should have been addressed, particularly considering this is a security plugin.
The improper security involves the function redirect_to_url() in the file /classes/wp-security-utility.php, which outputs values passed to it without sanitizing, validating, or escaping them:

```php
public static function redirect_to_url($url, $delay = '0', $exit = '1') {
    if (empty($url)) {
        echo "<br /><strong>Error! The URL value is empty. Please specify a correct URL value to redirect to!</strong>";
        exit;
    }
    if (!headers_sent()) {
        header('Location: ' . $url);
    } else {
        echo '<meta http-equiv="refresh" content="' . $delay . ';url=' . $url . '" />';
    }
    // remainder of the function omitted in the original excerpt
}
```
The vulnerability being fixed involved making sure values being passed to it from one location were sanitized and validated. If the developer were to again fail to do that, then this code could again permit a vulnerability to occur.
After finding that, we attempted to contact the developer of the plugin, and that is where we found that something more concerning is going on with the plugin.
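A hardened counterpart to redirect_to_url(), added here as an example and not code from the plugin or from either of its developers: it validates the URL against http(s) schemes and an allow-list of hosts, casts the delay to an integer, and escapes everything it outputs, so a caller that forgets to sanitize no longer turns into a vulnerability. It uses plain PHP so it runs outside WordPress; inside WordPress, wp_safe_redirect() and esc_url()/esc_attr() provide the equivalent checks.

```php
<?php
// Added example (not the plugin's code): a hardened redirect helper.
// Assumption: plain PHP only, no WordPress functions, so it runs stand-alone.

// Return the URL if it is an absolute http(s) URL on an allowed host, else null.
function validate_redirect_url(string $url, array $allowed_hosts): ?string {
    $url = trim($url);
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    // Only http/https: rejects javascript:, data: and similar schemes.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Only hosts we expect to redirect to (open-redirect check).
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return null;
    }
    return $url;
}

// Build the redirect output without trusting its inputs. Returns the
// header string and the <meta> fallback; the caller emits one of them.
function build_safe_redirect(string $url, $delay, array $allowed_hosts): array {
    $safe_url = validate_redirect_url($url, $allowed_hosts);
    if ($safe_url === null) {
        // Never echo the rejected value back to the browser.
        return ['header' => null, 'html' => '<strong>Error! Invalid redirect URL.</strong>'];
    }
    $delay = max(0, (int) $delay); // integer only, never raw string concatenation
    // Header value: strip CR/LF so the URL cannot inject additional headers.
    $header = 'Location: ' . str_replace(["\r", "\n"], '', $safe_url);
    // Attribute value: HTML-escape so a quote in the URL cannot break out of content="".
    $content = htmlspecialchars($delay . ';url=' . $safe_url, ENT_QUOTES, 'UTF-8');
    $html = '<meta http-equiv="refresh" content="' . $content . '" />';
    return ['header' => $header, 'html' => $html];
}

// Constructed demonstration inputs: a valid URL containing a quote, a
// non-http scheme, and an off-site host.
$allowed = ['example.com'];
$inputs  = ['https://example.com/wp-admin/?page=x"&y=1', 'javascript:void(0)', 'https://other.example.net/'];
foreach ($inputs as $u) {
    $r = build_safe_redirect($u, '3', $allowed);
    echo $u, ' => ', $r['header'] ?? $r['html'], PHP_EOL, '   meta: ', $r['html'], PHP_EOL;
}
```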
Undisclosed Ownership Change
Right at the top of the plugin’s listing on WordPress’ plugin directory, the developers of the plugin are supposed to be listed:
Clicking on the link takes you to the website of Tips and Tricks HQ. We used the contact form on that website to let them know about the additional security improvement. We got a curious response to that:
We actually sold that plugin last year to another company. You can contact the new owners here:
https://updraftplus.com/
If they sold it last year, why are they still listed as being the developer last week?
That isn’t a one-off mistake either. Scrolling down to the bottom of the listing also indicates that they are still the developers:
If they no longer have control of the plugin, they couldn’t update those things, but their own website still makes it look like they are the developer. There is no mention, for example, on their page for the plugin that they are no longer the owner, and it is still included in their menu of projects:
The Security Implication of an Ownership Change
In assessing the security of WordPress plugins, knowing if the ownership has changed is rather important. There have been multiple instances where new owners have put malicious code into plugins, and new developers can introduce new vulnerabilities. Last year a plugin with 400,000+ installs was completely replaced with a new plugin that contained easily exploitable critical vulnerabilities.
You would think that developers of a security plugin should understand that as well or better than anyone else.
The new developer of the plugin has had pretty big problems with handling of security, including us twice finding late last year that their attempts to fix a certain type of vulnerability introduced a new instance of it.
Last week the team running the WordPress Plugin Directory announced they were restricting changing the ownership of certain plugins, though part of the claimed reason doesn’t seem to add up.
“Smooth Transition”
In following up with the listed developer, we were told that the ownership change was not being disclosed because of a transition:
It’s still in a transition phase. The new owners are in the process of setting up a new site and they will instruct us as to when they want us to put a 301 redirect to their new site.
I can only do this in my own time and with the terms that the new owner gives to me for smooth transition. The new owners will do things in their own time.
Are you for real?!??