14 Feb 2023

Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

In June 2021, the WordPress security provider Patchstack announced that they were partnering with WordPress plugin provider and web host 10Web. Patchstack claimed that they and 10Web were working together to “help strengthen the WordPress ecosystem.” It was a curious claim at the time, considering that 10Web was at that very time failing to fix a vulnerability they knew about in two of their plugins with 320,000+ installs. (One of those plugins has been closed on the WordPress Plugin Directory since June 2022 because of a “Security Issue.”) The partnership hasn’t led to 10Web’s plugins getting more secure.

In July of last year, the plugin 10Web Booster was introduced to the WordPress Plugin Directory. If you believed 10Web’s marketing, you would believe that the plugin would have been properly secured:

Here at 10Web we value security above all else.

If you believed Patchstack’s claim about their partnership with 10Web, then you would believe the same.

What we recently found is very different. After seeing what looked to be a hacker trying to find websites using the plugin, we did a few simple checks that we do in that situation, trying to quickly determine if the plugin might have a vulnerability a hacker might target. It wasn’t hard to find that was the case with the plugin. As detailed in a more technical post, we found that the plugin allows even those not logged in to WordPress to change its settings. One of those settings is intended to store JavaScript code that the plugin then outputs on the frontend pages of the website, so anyone who can change that setting can run their own script in the browser of every visitor. That is a persistent cross-site scripting (XSS) vulnerability, and something that a hacker would definitely try to exploit if they knew about it.
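To make the pattern concrete, here is a constructed WordPress PHP example of a settings endpoint that stores JavaScript for the frontend, first in the shape that produces exactly this class of vulnerability and then with the checks that close it. This is an added illustration written for this page; it is not code from 10Web Booster or from the technical post referenced above, and the option name `example_custom_js`, the AJAX action `example_save_js`, the nonce action and the hook names are all hypothetical.

```php
<?php
/**
 * Constructed illustration (not 10Web Booster's code): a plugin setting that
 * holds JavaScript to be printed on frontend pages, shown first without access
 * control and then hardened. All names below are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Registering the handler on wp_ajax_nopriv_* exposes it to visitors who are
// not logged in, and the handler checks neither a nonce nor a capability.
add_action( 'wp_ajax_example_save_js',        'example_save_js_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_js', 'example_save_js_vulnerable' );

function example_save_js_vulnerable() {
    // Anyone who can reach admin-ajax.php can overwrite this option.
    update_option( 'example_custom_js', wp_unslash( $_POST['custom_js'] ?? '' ) );
    wp_send_json_success();
}

// The stored value is printed verbatim into every frontend page, so whoever
// controls the option controls script that runs in every visitor's browser.
// Because the setting is meant to hold raw script, output escaping cannot be
// the fix here; the fix is restricting who may change the setting.
add_action( 'wp_footer', function () {
    echo '<script>' . get_option( 'example_custom_js', '' ) . '</script>';
} );

// --- Hardened pattern -----------------------------------------------------
// 1. No wp_ajax_nopriv_* registration, so unauthenticated requests never
//    reach the handler (admin-ajax.php returns "0" for unknown nopriv actions).
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can( 'unfiltered_html' ) limits the change to users
//    WordPress already trusts to publish raw script; on multisite that is
//    super admins only, and DISALLOW_UNFILTERED_HTML removes it site-wide.
add_action( 'wp_ajax_example_save_js', 'example_save_js_hardened' );

function example_save_js_hardened() {
    check_ajax_referer( 'example_save_js', 'nonce' );   // dies with -1 on failure
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_custom_js', wp_unslash( $_POST['custom_js'] ?? '' ) );
    wp_send_json_success();
}

// The admin-side script needs the nonce; expose it only on the plugin's own
// settings screen rather than on every page.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_example' !== $hook_suffix ) {   // hypothetical screen id
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_js' ),
    ) );
} );
```

When triaging a plugin for this class of bug, the places to read are every `wp_ajax_nopriv_*` registration, every `admin_post_nopriv_*` registration, and every `register_rest_route()` call whose `permission_callback` is `__return_true` or missing; then follow each callback to see whether it reaches `update_option()` or a similar write without a capability check on the way. A nonce alone is not enough, since a nonce only proves the request came from a page the same site served and does not establish who is making it.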

Those vulnerabilities, in addition to others, have existed in the plugin since the first version.

Getting back to Patchstack for a moment, they market their service with a claim that they will provide instant alerts for vulnerabilities:

Be notified instantly when there is a new security vulnerability present on any of your sites. Patchstack monitors security of all WordPress core, plugin and theme versions in real-time.

That doesn’t come close to accurately describing what their service even tries to do, but even putting that aside, they haven’t warned about this vulnerability.

Protecting Your WordPress Websites From Developers like 10Web

The vulnerabilities in 10Web Booster are but a few of those found in 10Web’s plugins so far, and there are certainly more. As Patchstack’s partnership with them shows, the solution to that isn’t for WordPress security companies to partner with developers who keep putting WordPress websites at risk and have shown no interest in fixing that. Instead, the solution is to avoid their plugins. To help those running WordPress do just that, we release security advisories for developers where we have found that they are either unable or unwilling to properly secure their plugins. We released an advisory for 10Web in November, and those that heeded that advisory don’t have to worry about being hacked through the vulnerability in 10Web Booster.


Plugin Security Scorecard Grade for 10Web Booster

Checked on August 14, 2024
F



Plugin Security Scorecard Grade for Patchstack

Checked on March 5, 2025
D
