Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario.

To see if things have gotten better, we tested to see if 31 WordPress security plugins would provide protection when this vulnerability is exploited. The results of the test were not good. Only four plugins provided protection against the attack. Three of the plugins that provided protection were also the ones that provided protection six years ago. The only additional plugin to provide protection, was one that didn’t exist when the previous test was done. So none of the other plugins tested previously have been improved to provide the protection that the others offered six years ago. And other new plugins didn’t incorporate that type of protection.

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 6.0.3, installed version 1.1.3 of Create Block Theme, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping the exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We used the proof of concept we provided before and tried to upload a .php file containing PHP code.

The 31 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Only four plugins provided protection. Those are Anti-Malware Security and Brute-Force Firewall, NinjaFirewall, Plugin Vulnerabilities Firewall, and Wordfence Security

The full results are below: