No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy’s web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving what they confusingly described as both “bogus” and “legitimate” WordPress plugin. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking being mentioned in the post. Though, Sucuri was attributing it to compromised login credentials, despite their post indicating they hadn’t done basic checking that should have been done before making that attribution.

While reviewing the changes being made to the plugin, we noticed that among the vulnerabilities fixed in that new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins.

That occurs through the function plugins_bulk_action() in the file /includes/classes/class-extension.php, which is accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

43	add_action( 'wp_ajax_atbdp_plugins_bulk_action', [$this, 'plugins_bulk_action'] );

In that function, no security checks were done before passing user input to the WordPress functions’ deactivate_plugin() and delete_plugin(), which would allow an attacker to deactivate or deletion of arbitrary plugins:

public function plugins_bulk_action() {
	$status = ['success' => true];
 
	$task         = ( isset( $_POST['task'] ) ) ? $_POST['task'] : '';
	$plugin_items = ( isset( $_POST['plugin_items'] ) ) ? $_POST['plugin_items'] : '';
 
	// Validation
	if ( empty( $task ) ) {
		$status['success'] = false;
		$status['message'] = 'No task found';
		wp_send_json( ['status' => $status] );
	}
 
	if ( empty( $plugin_items ) ) {
		$status['success'] = false;
		$status['message'] = 'No plugin items found';
		wp_send_json( ['status' => $status] );
	}
 
	// Activate
	if ( 'activate' === $task ) {
		foreach ( $plugin_items as $plugin ) {
			activate_plugin( $plugin );
		}
	}
 
	// Deactivate
	if ( 'deactivate' === $task ) {
		deactivate_plugins( $plugin_items );
	}
 
	// Uninstall
	if ( 'uninstall' === $task ) {
		delete_plugins( $plugin_items );

That is a big problem for security plugins, as even if they provided protection against other vulnerabilities in that plugin, if they could be disabled, that protection can be bypassed. Once we saw that, we started working on adding protection against that type of issue in our Plugin Vulnerabilities Firewall. That turned out to be relatively easy to do and that will be included in the next release of the plugin.

To make sure that we are providing the best protection possible, we wanted to see if other plugins already provided protection against this type of issue and how that protection compared to what we implemented. As detailed further below, the testing found that only two plugins provided protection against themselves being deactivated through that vulnerability. Those being NinjaFirewall and Shield Security.

Further testing showed that the protection was limited to blocking themselves from being disabled, so other plugins could still be disabled. We also found that they didn’t block themselves from being deleted. So none of the plugin could stop themselves from being disabled.

The protection we have implemented for our plugin limits any plugin from being deactivated by a vulnerability like this one and also blocks deletion of the plugins .

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 5.8.2, installed version 7.06 of Directorist and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We performed the exploit attempts logged in as a Subscriber. We first tested if we could deactivate the plugin and if we couldn’t do that, we tested if we could uninstall the plugin.

The 27 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Two of the plugins, NinjaFirewall and Shield Security, provided protection against having themselves deactivated. They didn’t stop themselves from being uninstalled. They also didn’t stop other plugins from being deactivated.

The full results are below: