Hacker Targeting Vulnerability That Was in Shield Security WordPress Plugin
Last week, our own WordPress firewall plugin blocked an attempt to exploit a vulnerability in another security plugin, Shield Security. On the one hand, that should be shocking: a security plugin with a security vulnerability serious enough that a hacker would try to exploit it. On the other hand, the developers of most WordPress security plugins have little concern with security. The developer of this plugin, for example, didn't care enough to make sure its firewall actually works at all. If that firewall worked properly, the issue couldn't have been exploited in the first place.
Here is what was logged when the hacking attempt was blocked:
That attempt was blocked because of directory traversal, which in this case is the "../../" sequence in part of the POST input sent with the request. When a value like that is used as a filename, each "../" steps up one directory, so a file operation ends up reading from (or writing to) a directory other than the one the code intended.
Based on the information logged with the block, this appeared to be an attempt to exploit a local file inclusion (LFI) vulnerability in Shield Security. The plugin's changelog indicates the developer fixed that type of vulnerability in version 8.5.10. The changelog also mentions three other vulnerabilities fixed in the plugin in the last year.
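To make the two halves of this concrete, here is an added example (not code from Shield Security or from our firewall plugin): a traversal check of the kind a firewall applies to request input, beside a path resolver that makes the file operation itself refuse anything outside its template directory. The POST body, the parameter name `template` and the directory path are constructed for illustration, not taken from the exploit attempt.

```python
"""Directory traversal: request-side detection plus a safe resolver at the
file operation. Added example; assumptions are marked in comments."""
import os
import re
from urllib.parse import parse_qs, unquote

# Matches "../" or "..\" once any percent-encoding has been undone.
_TRAVERSAL = re.compile(r"\.\.[\\/]")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so that %2e%2e%2f and
    the double-encoded %252e%252e%252f both end up as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_traversal(value: str) -> bool:
    """True if the value contains a traversal sequence in any encoding."""
    return bool(_TRAVERSAL.search(decode_fully(value)))


def flag_traversal(post_body: str) -> dict:
    """Return {parameter: raw value} for every POST parameter carrying a
    traversal sequence; this is what a firewall would log when blocking.
    parse_qs already removes one layer of URL encoding."""
    params = parse_qs(post_body, keep_blank_values=True)
    return {k: v for k, vs in params.items() for v in vs if contains_traversal(v)}


def resolve_within(base_dir: str, requested: str):
    """Resolve `requested` relative to base_dir and return None if the result
    escapes it. This is the fix at the file operation: even if a firewall
    misses an encoding, the include never leaves base_dir. Absolute paths
    are rejected too, because os.path.join discards base_dir for them."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed sample request, not the logged one from the blocked attempt.
SAMPLE_POST = "action=save_template&template=../../wp-config.php&title=hello"
# Hypothetical plugin template directory.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/example-plugin/templates"

if __name__ == "__main__":
    print("flagged:", flag_traversal(SAMPLE_POST))
    print("safe name:", resolve_within(TEMPLATE_DIR, "default.php"))
    print("traversal:", resolve_within(TEMPLATE_DIR, "../../wp-config.php"))
```

The two checks are deliberately independent: a firewall can only block what it recognises, and an attacker controls the encoding, whereas `resolve_within` compares the real resolved path against the allowed directory and does not care how the request was written.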
The discoverer of the vulnerability sold it to a company that sells information on how to exploit vulnerabilities to hackers before notifying developers, so we are not crediting either of them. That security provider also failed to note that the vulnerability had stopped being exploitable in the way they describe a month before they claim to have learned of it, so it appears they didn't properly vet their information.
Also problematic is that the security provider claims their firewall protects against exploitation, but the protection they specify has no effect on exploitation in the version of the plugin that existed by the time they say they became aware of the vulnerability. Our own firewall protects in both cases.
Looking for Trustworthy Security Plugins?
We are trying to help others better understand which security plugins are trustworthy with our new Plugin Security Scorecard, which grades plugins on how they handle security. That includes lowering the grades of security plugins that mislead people about the security they provide. You can compare the results for all security plugins, all-in-one security plugins, and firewall plugins that have been checked. We have more improvements coming that will better differentiate trustworthy security plugins.