WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities
Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all of a website’s WordPress user accounts. Exploiting the vulnerability easily relies, in part, on a known bypass of WooCommerce’s security that hasn’t been addressed. The developer of WooCommerce, Automattic, has told us they are “aware of this and working on a fix to mitigate this issue”, though no timeline has been put forward for that (or clear information on how long they have been aware of it).
A way to help prevent this type of vulnerability from being exploited would be to use a WordPress firewall plugin that protects against non-Administrators being able to delete arbitrary WordPress users through a vulnerability like that. That is something we implemented in our own firewall plugin after running across the vulnerability. As part of adding that protection, we updated our regression testing software to make sure that the protection continues to work as we make additional changes to the plugin (the developer of one security plugin doesn’t appear to do that type of regression testing at all).
Adding checks for that to our regression testing also means we can easily test whether other WordPress firewall plugins include protection against that type of issue. Considering that most WordPress firewall plugins lack easy-to-implement protection for even widely exploited vulnerability types, it seemed unlikely they would have protection against a less common issue like this. That turned out to be the case, as all 16 firewall plugins we tested failed to provide protection against this type of vulnerability. The tested plugins are listed below (other WordPress security plugins were not tested, since they don’t have a firewall capability that could possibly provide protection).
With our firewall plugin, it was easy to implement protection for this, as we already have protection against vulnerabilities that allow deletion of other WordPress data. With other firewall plugins that don’t have that type of protection, it would be more work, but it still wouldn’t be too difficult to implement protection.
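As an added illustration of the kind of protection described above (this is example code written for this post, not code from our firewall plugin or from any plugin listed below), a small must-use plugin that aborts a user deletion unless the current request comes from an account holding the delete_users capability WordPress itself requires. The hook names and the capability are real WordPress ones; the function name is our own.

```php
<?php
/**
 * Plugin Name: Block Unprivileged User Deletion (example)
 * Description: Illustrative mu-plugin; drop into wp-content/mu-plugins/.
 */

/**
 * Runs on the 'delete_user' action, which WordPress fires inside
 * wp_delete_user() before any rows are removed. If the request does not
 * come from a user who may delete users, stop the request here so the
 * deletion never happens, whichever vulnerable code path triggered it.
 *
 * @param int $user_id ID of the account about to be deleted.
 */
function example_block_unprivileged_user_deletion( $user_id ) {
    // WP-CLI and WP-Cron run without a logged-in user; leave those alone
    // so legitimate administrative tooling keeps working.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return;
    }

    // delete_users is the capability the WordPress admin UI checks before
    // deleting an account. Unauthenticated visitors and lower roles lack it.
    if ( current_user_can( 'delete_users' ) ) {
        return;
    }

    // Log enough to investigate the attempt: target, actor, source address.
    error_log( sprintf(
        'Blocked deletion of user %d by user %d from %s',
        (int) $user_id,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    wp_die( 'User deletion blocked.', 'Forbidden', array( 'response' => 403 ) );
}

// Priority 1 so the check runs before any other listener on these hooks.
add_action( 'delete_user', 'example_block_unprivileged_user_deletion', 1 );
// Multisite fires a separate action when a user is removed network-wide.
add_action( 'wpmu_delete_user', 'example_block_unprivileged_user_deletion', 1 );
```

Regression-test it the way the post describes: trigger a deletion as a Subscriber (or unauthenticated) and confirm a 403 with the account still present, then as an Administrator and confirm the deletion succeeds.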
WordPress Firewall Plugins That Don’t Include Arbitrary User Deletion Protection
- All-In-One Security (AIOS)
- Anti-Malware Security and Brute-Force Firewall
- BBQ Firewall
- BitFire
- Bulletproof Security
- Hide My WP Ghost
- Hide My WP
- IP Location Block
- NinjaFirewall
- Pareto Security
- RSFirewall!
- SecuPress
- Shield Security
- Web Application Firewall
- Wordfence Security
- WP Security Safe
Plugin Security Scorecard grades (each of these plugins received less than an A+ grade):
- All-In-One Security (AIOS): checked on November 19, 2024
- BBQ Firewall: checked on March 20, 2025
- BulletProof Security: checked on November 19, 2024
- NinjaFirewall: checked on April 1, 2025
- Shield Security: checked on January 19, 2025