5 Jun 2024

Hackers Still Targeting Fake Vulnerability in WordPress Plugin Wordfence Security 4 Years On

One way that WordPress security plugins and other security solutions make it appear they deliver more protection than they really do is by emphasizing how many attacks they have stopped, without distinguishing between attacks that would otherwise have succeeded and those that would have failed anyway. That distinction matters, because almost all attacks fail on their own. One reason is that hackers keep trying to exploit vulnerabilities years after doing so stopped making any sense. Another is that hackers try to exploit vulnerabilities that never existed in the first place. We recently spotted an example of those two coming together, and it involved a WordPress security plugin known for unnecessarily scaring its users by emphasizing attacks that would have been unsuccessful anyway, Wordfence Security.

One of the users of our own firewall plugin reported that it had blocked what appeared to be an attempt to exploit a vulnerability in Wordfence Security. The request blocked was this:

/wp-content/plugins/wordfence/lib/diffResult.php?file='>"<svg/onload=confirm('test')>

While investigating that, we found a claim that the vulnerability being targeted had existed in the plugin as of February 2020, specifically in version 7.4.6. If you try that exploit attempt against that version, it doesn't work.

The first obstacle is a .htaccess file that blocks direct access to the relevant file, /lib/diffResult.php, on the Apache web server or any other web server that honors .htaccess files. Where that does not apply, the first line of code in the file stops direct access anyway, because the WORDFENCE_VERSION constant is only defined when the file is loaded through the plugin:

<?php if (!defined('WORDFENCE_VERSION')) { exit; } ?>

Even if neither of those existed, the user input used in the exploit attempt is passed through wp_kses() with an empty list of allowed tags, which strips the injected <svg> element before it is output, so the attempt would still fail:

<tr><td>Filename:</td><td><?php echo wp_kses($_GET['file'], array()); ?></td></tr>

Looking back at older versions of the file, the developer had made a couple of notable security mistakes that were later addressed, but no version of the file could have been exploited in the way being attempted here.

A well-developed firewall plugin would note that the vulnerability attempted to be exploited doesn’t exist, as will be the case with the next version of our own firewall plugin.
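To make the distinction the post is asking for concrete, here is an added Python example (not code from the post, from our firewall plugin, or from Wordfence) that buckets blocked requests from a web server access log into attempts on vulnerabilities that have been checked and found not to exist, other requests carrying an XSS payload, and everything else. The signature table, the NONEXISTENT_VULNS name, and the access-log lines are constructed for the example; the one signature entry encodes the diffResult.php request quoted above.

```python
"""Bucket blocked WordPress requests by whether they target a vulnerability that
actually exists. Added example, not code from the post or from any firewall
plugin; the signature table and the access-log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Claims that were checked against the plugin's source and found not to be
# exploitable (constructed table; the single entry is the diffResult.php claim
# discussed in the post). 'payload' is what the exploit attempts look like.
NONEXISTENT_VULNS = [
    {
        "name": "Wordfence lib/diffResult.php reflected XSS claim (not exploitable)",
        "path": "/wp-content/plugins/wordfence/lib/diffResult.php",
        "param": "file",
        "payload": re.compile(r"<\s*[a-z]+[^>]*\bon[a-z]+\s*=", re.I),
    },
]

# Generic sign of an XSS payload in any query value: an event-handler attribute
# inside a tag, or a <script> tag.
XSS_HINT = re.compile(r"<\s*[a-z]+[^>]*\bon[a-z]+\s*=|<\s*script", re.I)

# Request line inside an Apache combined-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(target: str) -> dict:
    """Classify one request target (path plus query string)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # parse_qs percent-decodes values and splits each pair on the first '=' only,
    # so 'onload=confirm(...)' inside the payload stays within the 'file' value.
    query = parse_qs(parts.query, keep_blank_values=True)
    for sig in NONEXISTENT_VULNS:
        if path == sig["path"].lower() and any(
            sig["payload"].search(v) for v in query.get(sig["param"], [])
        ):
            return {"verdict": "nonexistent_vulnerability", "detail": sig["name"]}
    if any(XSS_HINT.search(v) for values in query.values() for v in values):
        return {"verdict": "xss_payload", "detail": "XSS payload; target not vetted"}
    return {"verdict": "other", "detail": ""}


def tally(log_text: str) -> Counter:
    """Count verdicts over access-log lines, skipping lines without a request line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            counts[classify(m.group("target"))["verdict"]] += 1
    return counts


# Constructed access-log lines (RFC 5737 documentation addresses). The first is
# the URL-encoded form of the request quoted in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:10:01:12 +0000] "GET /wp-content/plugins/wordfence/lib/diffResult.php?file=%27%3E%22%3Csvg/onload=confirm(%27test%27)%3E HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2024:10:02:44 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.5 - - [05/Jun/2024:10:03:01 +0000] "GET /wp-content/plugins/wordfence/lib/diffResult.php?file=wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.6 - - [05/Jun/2024:10:04:20 +0000] "GET /index.php?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for verdict, n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{verdict:26} {n}")
```

Run against the constructed log, the script reports one attempt on a vulnerability that never existed, one generic XSS payload, and two other requests. The point of the split is that a "blocked attacks" count that lumps the first bucket in with the rest overstates what the blocking achieved; the signature table is deliberately keyed on path, parameter and payload shape together so that ordinary requests for the same file are not counted as attacks.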

