17 Oct 2022

Amid Hacker Probing for WordPress Plugin BulletProof Security, New Vulnerability Discovered in It

Last week we saw what appears to be a hacker probing for usage of the WordPress plugin BulletProof Security. That is, as you might guess based on the name, a security plugin. It has 40,000+ active installations according to wordpress.org and is promoted as “The Ultimate Website Security”. The requests are looking for the plugin’s readme.txt file:

/wp-content/plugins/bulletproof-security/readme.txt

That is a bit odd. Requests for a plugin’s readme.txt are usually made to confirm that the plugin is installed and to read its version from the file’s Stable tag line, but with the latest version of this plugin installed, access to that file is normally restricted.

So what might explain a hacker’s interest in the plugin?

One explanation would be exploitation of a previously disclosed vulnerability, but no real vulnerability has been disclosed in the plugin in over a year, which makes that less likely to be the explanation.

We did a quick check of the plugin for easy-to-spot serious vulnerabilities of the type that hackers are known to exploit. We didn’t find any of those, but we did find that the plugin lacks basic security measures: in our testing, it disclosed sensitive information to users logged in to WordPress with low-level roles.

We also found a vulnerability in the plugin: anyone logged in to WordPress could access functionality from its MScan malware scanner, which they should not be able to access. As detailed in a more technical post, that is caused by the code missing a couple of basic security checks.
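As an added illustration, not code from the plugin or from this post’s authors, the following shows the two basic checks a WordPress admin-ajax handler normally carries, a capability check and a nonce check, beside a handler that omits both. Any logged-in user, including a subscriber, can reach a `wp_ajax_*` hook, so a handler without those checks exposes its functionality to every account on the site. The hook names, the action string, the nonce name and the helper `example_run_scan()` are assumed for this example; which checks MScan’s code lacks is covered by the linked technical post.

```php
<?php
// Added example, not BulletProof Security's code. Hook names, action strings,
// the nonce name and example_run_scan() are assumptions made for this illustration.

// --- Insecure pattern -------------------------------------------------------
// add_action( 'wp_ajax_...' ) only requires that the requester be logged in to
// WordPress. Without further checks, a subscriber-level account (or a CSRF
// page targeting an administrator's browser) can trigger the privileged work.
add_action( 'wp_ajax_example_scan', 'example_scan_insecure' );
function example_scan_insecure() {
    $path   = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $result = example_run_scan( $path ); // privileged operation, no gatekeeping
    wp_send_json_success( $result );
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_example_scan_secure', 'example_scan_secure' );
function example_scan_secure() {
    // 1. CSRF protection: the request must carry the nonce that WordPress issued
    //    for this specific action to this specific user. check_ajax_referer()
    //    terminates the request (wp_die with -1) when the nonce is missing or stale.
    check_ajax_referer( 'example_scan_nonce', 'security' );

    // 2. Authorization: only users who may manage the site (administrators have
    //    the manage_options capability) may run the scanner. wp_send_json_error()
    //    ends execution, so nothing below runs for an unauthorized user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Only after both checks pass is the input read, and it is sanitized first.
    $path   = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    $result = example_run_scan( $path );
    wp_send_json_success( $result );
}

// The page that renders the scanner UI must hand the browser a matching nonce,
// e.g. as a hidden field named "security", so the JavaScript can send it back
// with the POST to admin-ajax.php.
function example_scan_nonce_field() {
    wp_nonce_field( 'example_scan_nonce', 'security' );
}

// Stand-in for the scanner itself; the actual scanning logic is out of scope here.
function example_run_scan( $path ) {
    return array( 'scanned' => $path, 'findings' => array() );
}
```

The order of the two checks is a matter of taste; what matters is that both run before any input is read or any privileged work is done, and that each failure path ends the request rather than falling through.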

That insecure code has been in the plugin since September 9, 2017, so it appears to have gone unnoticed by the developer and everyone else for five years. If security plugins are not getting basic security reviews, it isn’t hard to imagine that other plugins aren’t getting them either, despite how much such reviews could improve the security of WordPress plugins and WordPress websites.

Based on what we saw, it seems possible that there are additional issues that are harder to find, which a hacker could be interested in exploiting.

Normally, we would recommend against using a plugin that hackers are probing for and that has known insecurity unless it has received a thorough security review and any issues have been addressed. In this case, a better option would be to replace this plugin with other security plugins. We say that because of a past run-in we had with the developer, which indicated that they, at best, lack a basic grasp of security.


Plugin Security Scorecard Grade for BulletProof Security

Checked on November 19, 2024
F

