24 Jan 2025

New Insecure WordPress Plugin Marketed With Fake Norton Secured and (Retired) McAfee SECURE Security Seals

Yesterday, we reported that a new plugin from Brainstorm Force, a WordPress plugin developer with a long track record of poor security, was unsurprisingly also insecure. One thing we noticed while looking into that was that midway down the homepage for that new plugin, SureDash, there are a couple of security seals, Norton Secured and McAfee SECURE, placed around the PayPal logo.


24 Jan 2025

WordPress Plugin Review Team Reviews Failing to Catch Basic Security Failure (Including in a Plugin From the Team’s Security Reviewer)

At the end of last year, one of the team reps for the team running the WordPress plugin directory provided an assessment of what the team had been up to. It incredibly credited one past member of the team with a “magnificent legacy” of a scanner tool, despite it being no secret that this person had for years blocked efforts to improve the team’s scanner tool (and, more generally, blocked efforts to address the problems they were causing). Beyond that, it made repeated claims about the team’s handling of security, including this in the first paragraph:

Throughout this time, we remained focused on our primary goals: enhancing security, improving the review process, and fostering community engagement.

23 Jan 2025

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’ Failure to Implement Basic Security

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is whether such a backward-looking determination is helpful, or whether past is not prologue here. A week ago, we looked at an example we ran across of a developer continuing to fail. This week we ran across another test of this, as two developers we have released advisories for have new plugins available in the WordPress Plugin Directory.

Awesome Motive

For one of those developers, Awesome Motive, we just issued our advisory on December 11. Nine days later, they introduced the plugin WPConsent to the WordPress Plugin Directory. The issue that led to us finally issuing that advisory was a continued failure to address AJAX-accessible functions lacking a capability check in the 6+ million install plugin WPForms, even after fixing a vulnerability caused by that. That is really basic security, so a major plugin developer shouldn’t be failing on that front. Yet that is also the case with WPConsent.

23 Jan 2025

Our Plugin Security Scorecard Now Supports Checking ClassicPress Plugins

While the WordPress fork ClassicPress has gotten renewed attention with what has been going on with WordPress recently, we have had efforts related to the security of its plugins for years. Back in 2021, we started doing proactive monitoring to try to catch serious vulnerabilities in plugins in the ClassicPress plugin directory. Alongside that, we ran the plugins through our Plugin Security Checker, which led to us detecting a less serious vulnerability. The developer promptly fixed the issue, which isn’t something we can say that often with WordPress plugins.

Last year we introduced a new tool, the Plugin Security Scorecard, which seeks to provide a better understanding of the security of WordPress plugins, as well as to promote developers implementing better security practices. The tool continues to highlight the poor state of even some of the most popular WordPress plugins. Last week, for example, a 1+ million install plugin was run through the tool and found to contain a version of a third-party library that had been known to be insecure for nearly three years.

22 Jan 2025

Plugin That Patchstack Is Claimed to Ensure Is Secure Contains an Additional Outdated Known Insecure Library

Last week we talked about two popular WordPress plugins that had been run through our Plugin Security Scorecard and identified as containing rather out-of-date versions of third-party libraries which, according to the libraries’ developers, contained security issues. The libraries in question were different in the two plugins, but it turns out they also have another library in common, where both are using outdated, known insecure versions. One of those is the 1+ million install SVG Support, where someone reported to the developer at the end of October that it was also using an outdated and known insecure version of the library DOMPurify. There still hasn’t been an update to the plugin to address that, and more people have been reporting the issue. After seeing that, we started looking into adding a check for DOMPurify to our Plugin Security Checker. Through that, we found that a couple of fairly popular plugins are also still using older versions that the developer of the library says are insecure.

We contacted the developer of one of those yesterday to let them know about the problem. The version they are using is subject to issues that were publicly disclosed by the developer of the library in September and October. There are not any topics on the support forum for the plugin about that, which is interesting considering that multiple people reported the issue to the developer of the other plugin.

22 Jan 2025

WordPress Plugins Can Include a Lot of Software That the Plugin’s Developer Doesn’t Have Any Connection To

How much do you consider a WordPress plugin developer’s handling of the security of their plugins when choosing whether or not to use a plugin? Probably not much, considering that even if you wanted to, your access to the information needed to make an informed assessment is limited. That is also backed up by the popularity of plugins from developers with long track records of very public indifference, at best, to security. Depending on the plugin, you have to be worried not just about the developer’s handling of security, but also about the handling of security by the developers of third-party libraries included in the plugin.

The amount of third-party software in some plugins has surprised us. As part of working on our Plugin Security Scorecard since last year, we have been expanding the number of libraries it can provide information on, along with warnings when there are publicly known security issues. A few days ago, the security plugin Shield Security was run through the tool again and more libraries were flagged to be included in our data set. There were 5 more libraries for us to see about adding, on top of the 47 already in our data set that are in the plugin. That is a lot of third-party software being included in a plugin originally called WordPress Simple Firewall.

17 Jan 2025

Two-Factor Authentication (2FA) Won’t Stop an Attacker From Using Their Own WordPress Account to Engage in Malicious Activity

Two-factor authentication (2FA) can be useful for securing WordPress websites in certain circumstances, but it is often touted as being useful for things it isn’t needed for or isn’t capable of helping with. We often see it claimed that people should use it to protect against brute-force attacks against WordPress admin passwords. That is despite those attacks continuing to not happen. Using 2FA when you don’t need to can even create vulnerabilities that would allow an attacker access to your website, so understanding what it can and can’t do is important.

Another situation 2FA isn’t the solution for is when an attacker is using their own WordPress account. That was part of the advice with a recent claim of a malware campaign against WordPress websites. The source for that was claiming that the hacker would cause a new WordPress account with the Administrator role to be created. They did that by causing someone already logged in as an Administrator to make that happen without that person taking any action. The source was then suggesting implementing 2FA to stop the attacker.

16 Jan 2025

1+ Million Install WordPress Plugin Has Been Using an Outdated Known Insecure Version of a Library For Nearly 3 Years

Last year we created the Plugin Security Scorecard tool to help the WordPress community have a better understanding of the security of plugins and, hopefully, to get better practices more widely implemented. As part of our work on that, we have been continuing to expand its capability to identify when plugins are using outdated and known insecure/vulnerable third-party libraries. That capability either doesn’t exist elsewhere in the community or isn’t being used. That is highlighted by a plugin that was checked through the tool today.

The plugin checked was the 1+ million install plugin SVG Support, which had several issues identified.

16 Jan 2025

How Not to Defend Yourself Against the Latest WordPress Malware Attack

Yesterday, as part of an odd series of stories about a malware campaign claimed to be connected to WordPress, the news outlet Make Use Of, which is included in Google News, ran a story titled “How to Defend Yourself Against the Latest WordPress Malware Attack.” It was an odd title, since the original source of the claims about this has admitted they don’t know how the malware is getting on the websites. The story started this way:

As one of the most popular website builders in the world, WordPress has yet again become a target for malware. Though security researchers are still trying to work out how certain sites became infected, there are ways to check if your WordPress site is one of the victims, and to defend against any imminent attacks.