Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, the security vulnerabilities in security plugins often are not too serious. That wasn’t the case with a vulnerability disclosed in February involving the security plugin WP Cerber, which has 200,000+ active installations according to WordPress.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin’s admin pages. That is a type of vulnerability that hackers have been known to exploit. Troublingly, but in line with the plugin itself having such a serious vulnerability, the developer didn’t disclose in the changelog or their website that there had been a vulnerability or that it had been fixed.

We often see people asking developers of security plugins if their plugin can be used with other security plugins, so it wouldn’t be unusual to see multiple security plugins used on a website. The way the vulnerability is exploited involves a payload that security plugins should be able to protect against, but that doesn’t mean they will, considering the poor results they have provided in other testing we have done. So we went ahead and tested things out.

The results were not good. Only three plugins provided protection against the proof of concept provided with the disclosure of the vulnerability. Of those three, the protection from one was bypassable with a minor change to the proof of concept. The failure of some plugins to provide protection surprised us enough for us to double check the results to confirm they didn’t provide protection.

Only one very popular plugin, All In One WP Security & Firewall, which has 1+ million active installations, provided protection. Notably, among the million install or more plugins that didn’t provide protection is Wordfence Security plugin, which is the most popular security specific plugin and is marketed as being to protect against this type of vulnerability.

The only other plugin to provide protection was our firewall plugin.

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 6.0, installed version 8.9.5.2 of WP Cerber and installed the latest version of the security plugin (other than when testing WP Cerber itself). We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We used the proof of concept provided in the disclosure of the vulnerability in the exploit attempts.

For any plugins that provided protection against the proof of concept, we then tried to bypass the protection using black box testing. That is, without looking at the plugin’s code or otherwise information not available from the outside.

The 31 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Only three plugins provided protection against the proof of concept: All In One WP Security & Firewall, BulletProof Security, and our Plugin Vulnerabilities Firewall.

With BulletProof Security, we found that by simply specifying a user agent with the exploit attempt, the exploit attempt was no longer blocked. That is because what was causing a block was the CURL user agent, not the malicious payload.

The full results are below:

All In One WP Security & Firewall

WordPress.org Plugin Directory page
Active Installs: 1+ Million
Version Tested: 4.4.12

Result: Prevented exploitation.