WordPress Plugin Developer Security Advisory: Updraft
One of the little understood realities of security issues with WordPress plugins is that the insecurity is not evenly spread across those plugins. Instead, many developers properly secure their plugins, and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with the latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities they know have been exploited in their plugins.
In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers’ plugins. In addition to checking the posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website.
The latest addition to our advisories involves a developer, Updraft, that has had a string of avoidable security problems across their plugins, which have over a million installs. One of those plugins, All-In-One Security (AIOS), is one of the most popular security plugins. They acquired that plugin despite there already being plenty of evidence that they were not able to properly handle the security of plugins. Another aspect of that acquisition showed that they were not really grasping what security involves, which we will get to in a bit. Before that, we will touch on some examples of their problematic handling of security in just under the last two years (the problems go back further than that).
Vulnerability Reintroduced Twice in UpdraftPlus
In November 2021, Updraft tried to fix a reflected cross-site scripting (XSS) vulnerability in the plugin UpdraftPlus. When we went to review the version in which that fix was supposed to have been made, as one of our customers was using the plugin and the changelog indicated a vulnerability had been fixed, we were confused at first. What we first saw in the changes was that the type of vulnerability that was supposed to have been fixed had been introduced in that version. More checking showed that they had also removed an instance of it. After we notified them of that, the explanation we were given was that they had accidentally left in debugging code.
The next month, almost exactly the same thing happened again. They were again supposed to be fixing another reflected cross-site scripting (XSS) vulnerability, but introduced another instance of it. This time, they originally hadn’t left in the debugging code, but then added it back in, thinking they were removing it.
An Improper Fix
In April 2022, a number of security fixes were made to All-In-One Security (AIOS) (then named All In One WP Security & Firewall). In reviewing them, we found that one fix had been made improperly. Updraft had not added escaping to the code that output user input, as should be done. Instead, they added sanitization in another location, in the code that passed the user input to the function that then output it. That left open the possibility that the developer might later forget to add sanitization in another caller of that function and open up another vulnerability.
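To show why the fix described above is the wrong shape, here is an added example in plain PHP (it is not code from AIOS or UpdraftPlus). The function names, the sample input, and the use of `htmlspecialchars()` and `strip_tags()` in place of the WordPress `esc_html()` and `sanitize_text_field()` functions are all assumptions made so the file runs on its own with `php escape_at_output.php`:

```php
<?php
// Added example (not AIOS/UpdraftPlus code): escaping belongs in the function
// that writes into HTML, not only in one caller that happens to sanitize.

/**
 * The pattern the advisory criticises: the renderer trusts its argument and
 * relies on every caller to have sanitized first. The first caller does; a
 * caller written months later forgets, and the reflected XSS is back.
 */
function render_label_unescaped(string $label): string
{
    return '<span class="label">' . $label . '</span>';
}

/**
 * The proper fix: the function that emits HTML escapes the value itself, so
 * every present and future caller is covered regardless of what it passes in.
 * In WordPress this is esc_html() (or esc_attr() inside an attribute).
 */
function render_label_escaped(string $label): string
{
    return '<span class="label">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Constructed sample input standing in for a reflected query-string parameter.
$untrusted = '<img src=x onerror=alert(1)>';

// Caller A remembered to sanitize at the call site (strip_tags() stands in
// for a WordPress sanitizer such as sanitize_text_field()).
echo render_label_unescaped(strip_tags($untrusted)), "\n";

// Caller B, added later, did not. The markup reaches the page intact.
echo render_label_unescaped($untrusted), "\n";

// With escaping inside the renderer, caller B is safe without remembering
// anything: the output is &lt;img src=x onerror=alert(1)&gt; as inert text.
echo render_label_escaped($untrusted), "\n";
```

The point the example makes is about where the control lives: sanitizing at one call site fixes one path, while escaping at output fixes the function, and a reviewer can verify the latter by reading a single function rather than auditing every caller.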
That a security plugin has vulnerabilities is a big red flag (though, unfortunately, not all that uncommon), but the improper fix was even more of a concern. In trying to address that with the developer of the plugin, we ran into another issue.
An Undisclosed Change of Ownership
When we attempted to contact the developer of All In One WP Security & Firewall about the improper fix, we got a strange response from the listed developer, which wasn’t Updraft:
We actually sold that plugin last year to another company. You can contact the new owners here:
https://updraftplus.com/
It turned out that Updraft had taken control of the plugin but didn’t disclose that they were the owner for at least three months. There are obvious security concerns when ownership of a WordPress plugin changes hands, including a new owner adding malicious code or not handling security well and introducing serious vulnerabilities (neither of which is only a theoretical issue). Yet Updraft didn’t see an issue with not disclosing that they had taken control of the plugin.
A Firewall They Haven’t Tested
In the firewall settings for All-In-One Security (AIOS), it is claimed that the “6G Blacklist is an updated and improved version of the 5G Blacklist”. Testing we have done has shown that the 5G version provides more protection than the 6G version, even with the new implementation of 6G that Updraft introduced after they took over the plugin. It appears they don’t have a great understanding of what they are offering.
Basic Security Lacking in UpdraftPlus
In March of this year, we went to review yet another security change in UpdraftPlus, as at least one of our customers was using the plugin, which led to the discovery of a serious vulnerability caused by multiple failures of basic security. Here is how we described that at the time:
As at least one of our customers was using the plugin, we looked into the changes being made to try to understand if there was a vulnerability being fixed, which we should be warning about. We couldn’t quite tell if the relevant code is designed in a way to deal with a unique situation or if it still isn’t properly secured. It seems to be the former, though.
The code involved adding a basic security check to an AJAX accessible function. While reviewing that, we also checked other AJAX accessible functions for missing security checks and found that three of them lacked a capabilities check to limit access to them (one of them might not have been accessible, though). We notified the developer of that on Monday.
In the meantime, we had discovered another security issue related to the security change being made. The code added a nonce check, but we found that the nonce was available to anyone with access to the admin area of WordPress, instead of only Administrators. Once the developer got back to us on Tuesday, we notified them of that.
On Wednesday, they got back to us that they had found a more serious issue related to what we had contacted them about and that they would fix it today. Based on the changes made today and their post today, it is a combination of the first issue we found along with another instance of the second issue, which we didn’t look into because we were only focused on looking into the original security change. That vulnerability allowed anyone with access to the admin area of WordPress to access functionality for UpdraftCentral.
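The two failures described in the quoted report, a missing capabilities check and a nonce handed to every admin-area user, are both fixed by the same small pattern. The following is an added example of an admin-ajax handler written for this advisory; it is not UpdraftPlus code, and the action name `example_do_privileged_thing`, the `manage_options` capability and the script handle are assumptions. It is meant to run inside WordPress as part of a plugin, using only standard WordPress API functions:

```php
<?php
/**
 * Added example (not UpdraftPlus code): an admin-ajax action protected by
 * both a nonce (CSRF) and a capabilities check (authorization). Requires
 * WordPress; the action name and capability below are assumptions.
 */

// 1. Only emit the nonce to users who are allowed to use the action.
//    Hooking admin_enqueue_scripts alone is not enough: Subscribers also
//    reach the admin area, so the gate must be the same capability the
//    handler itself enforces.
add_action('admin_enqueue_scripts', function (): void {
    if (!current_user_can('manage_options')) {
        return; // low-privilege users never receive the nonce
    }
    wp_enqueue_script(
        'example-admin',
        plugins_url('admin.js', __FILE__),
        ['jquery'],
        '1.0',
        true
    );
    wp_localize_script('example-admin', 'exampleAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('example_do_privileged_thing'),
    ]);
});

// 2. The handler re-checks both. The nonce proves the request originated from
//    the plugin's own page; the capability proves who may act. Either alone is
//    insufficient: a nonce reachable by any logged-in user is not authorization.
add_action('wp_ajax_example_do_privileged_thing', function (): void {
    // Aborts the request with -1 if the 'nonce' field is missing or invalid.
    check_ajax_referer('example_do_privileged_thing', 'nonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    // ... privileged work goes here ...

    wp_send_json_success(['done' => true]);
});

// There is deliberately no wp_ajax_nopriv_ registration for this action, so it
// is never reachable by unauthenticated visitors at all.
```

When reviewing a plugin for the class of issue in the quoted report, the check is mechanical: for every `wp_ajax_*` hook, confirm the callback calls both a nonce verifier and `current_user_can()` with a capability that matches who the feature is for, and confirm the nonce is only printed to users who pass that same capability check.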
More Basic Security Lacking in UpdraftPlus
In May, Updraft fixed another failure to protect against cross-site request forgery (CSRF).
Those and the previous issues are things that should have been caught by a security review of the plugin. That is something we notified them we offer each time we contacted them about yet another issue. They never showed any interest in that and appear never to have hired anyone else to do it either.
An Odd Idea of Trust
Instead of Updraft having an independent assessment of their plugins done, they are claiming you can trust All-In-One Security (AIOS) because the developer is trusted with backups:
It’s unclear what that is supposed to mean. Perhaps they are equating install count and trust. Whatever it is supposed to mean, it isn’t how trust in a security plugin should be measured.
Delayed Response
The latest issue with them again suggests that trusting them is a bad idea. For nearly two months, All-In-One Security (AIOS) was logging WordPress users’ passwords when they logged in to WordPress. This wasn’t intentional, and mistakes happen, but the response time was not acceptable. From what is publicly available, they knew about this for over two weeks before releasing a fix. It shouldn’t have taken anywhere near that long to address.
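Logging the raw contents of a login request is how credentials end up on disk. As an added example (not AIOS code), the following plain PHP redacts credential-bearing fields before anything derived from a request is written to a log; the key list and the constructed sample request are assumptions, with `log` and `pwd` chosen because they are the field names of the standard WordPress login form. It runs on PHP 8 with `php redact_log.php`:

```php
<?php
// Added example (not AIOS code): redact secrets before logging a request.

/** Field names whose values must never reach a log (compared case-insensitively). */
const SENSITIVE_KEYS = [
    'pwd', 'pass', 'password', 'user_pass', 'password_confirm',
    'token', 'nonce', 'authorization', 'cookie',
];

/**
 * Return a copy of $data with sensitive values replaced by a marker, recursing
 * into nested arrays (headers, JSON bodies). The log still records that the
 * field was present, which is all a login-event log needs.
 */
function redact_for_log(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $lower = strtolower((string) $key);
        if (in_array($lower, SENSITIVE_KEYS, true) || str_contains($lower, 'passw')) {
            $out[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $out[$key] = redact_for_log($value);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample of what a login-event logger might be handed.
$request = [
    'log'        => 'alice',
    'pwd'        => 'correct horse battery staple',
    'rememberme' => 'forever',
    'meta'       => [
        'Authorization' => 'Basic YWxpY2U6c2VjcmV0',
        'ip'            => '203.0.113.7',
    ],
];

// Only the redacted copy is ever serialised for the log.
echo json_encode(redact_for_log($request), JSON_PRETTY_PRINT), "\n";
```

The deny-list approach shown here is a safety net; the stronger design is to log only the specific fields the feature needs (username, IP, outcome) and never pass the whole request array to a logger in the first place.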
Avoid Updraft’s Plugins
What’s been going on with Updraft’s handling of security would be a big deal if they were just the developer of popular plugins, but they are also the developer of one of the most popular security plugins. They should have a better handle on security than other developers, not a worse handle than many other developers.
Worse still, as more issues come up, it never seems to lead to a change in their handling of security, so more issues are likely lurking in the plugins and more are likely to be introduced.
We would recommend avoiding their plugins, unless they can show that they have made significant changes to their handling of security.