24 Jan 2025

New Insecure WordPress Plugin Marketed With Fake Norton Secured and (Retired) McAfee SECURE Security Seals

Yesterday, we reported that a new plugin from Brainstorm Force, a WordPress plugin developer with a long track record of poor security, was unsurprisingly also insecure. One thing we noticed while looking into that is that on the homepage for that new plugin, SureDash, midway down the page, there are a couple of security seals, Norton Secured and McAfee SECURE, around the logo for PayPal.

24 Jan 2025

WordPress Plugin Review Team Reviews Failing to Catch Basic Security Failure (Including in a Plugin From the Team’s Security Reviewer)

At the end of last year, one of the team reps for the team running the WordPress plugin directory provided an assessment of what the team had been up to. Incredibly, it credited one past member of the team with a “magnificent legacy” of a scanner tool, despite it being no secret that the person had blocked efforts for years to improve the team’s scanner tool (and more generally blocked efforts to address the problems they were causing). Beyond that, it made repeated claims about the team’s handling of security, including this in the first paragraph:

Throughout this time, we remained focused on our primary goals: enhancing security, improving the review process, and fostering community engagement.

23 Jan 2025

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’ Failure to Implement Basic Security

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is whether a backward-looking determination is helpful, or whether past is not prologue with that. A week ago, we looked at an example we ran across of a developer continuing to fail. This week we ran across another test of this, as two developers we have released advisories for have new plugins available in the WordPress Plugin Directory.

Awesome Motive

For one of those developers, Awesome Motive, we just issued our advisory on December 11. Nine days later, they introduced the plugin WPConsent to the WordPress Plugin Directory. The issue that led to us finally issuing that advisory was a continued failure to address AJAX accessible functions lacking a capability check in the 6+ million install plugin WPForms, even after fixing a vulnerability caused by that. That is really basic security, so a major plugin developer shouldn’t be failing on that front. Yet it is also the case with WPConsent.
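To show what the basic check referred to above looks like, here is an added illustration (not code from WPConsent, WPForms or any other plugin named on this page): a hypothetical WordPress AJAX handler in the vulnerable shape, with no capability check, beside a hardened version that verifies a nonce and the caller's capability. The action names, option name and script handle are made up for the example.

```php
<?php
// Added illustration; hypothetical plugin code, not from any plugin named above.
// Both handlers save a plugin setting through wp-admin/admin-ajax.php.

// VULNERABLE SHAPE: wp_ajax_* actions are reachable by any logged-in user,
// including subscribers, and nothing here checks who the caller is.
add_action( 'wp_ajax_example_save_setting_insecure', 'example_save_setting_insecure' );
function example_save_setting_insecure() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value ); // privileged change with no authorization
    wp_send_json_success();
}

// HARDENED: a nonce check guards against CSRF, and a capability check
// guards against low-privileged accounts. The capability check is the
// essential part: a nonce alone does not stop a subscriber who holds one.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_secure' );
function example_save_setting_secure() {
    check_ajax_referer( 'example_save_setting', 'nonce' ); // terminates on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // terminates
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}

// Admin side: hand the nonce the hardened handler expects to the plugin's
// admin script (assumes a script registered under the handle 'example-admin').
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_setting' ),
    ) );
} );
```

Reviewing a plugin for this class of issue means finding every `wp_ajax_` registration and confirming that its callback reaches a `current_user_can()` (or equivalent) check before any state-changing call.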

22 Jan 2025

Plugin That Patchstack Is Claimed to Ensure Is Secure Contains an Additional Outdated Known Insecure Library

Last week we talked about two popular WordPress plugins that had been run through our Plugin Security Scorecard and identified as containing rather out of date versions of third-party libraries, which, according to the libraries’ developers, contained a security issue. The libraries in question were different in the two plugins, but it turns out they also have another library in common, where they are both using outdated known insecure versions. One of those is the 1+ million install SVG Support, where someone reported to the developer at the end of October that it was also using an outdated and known insecure version of the library DOMPurify. There still hasn’t been an update to the plugin to address that. More people have been reporting that issue. After seeing that, we started looking into adding a check for DOMPurify to our Plugin Security Checker. Through that, we found that a couple of fairly popular plugins are also still using older versions that the developer of the library says are insecure.

We contacted the developer of one of those yesterday to let them know about the problem. The version they are using is subject to issues that were publicly disclosed by the developer of the library in September and October. There are not any topics on the support forum for the plugin about that, which is interesting considering the other plugin had multiple people report it to the developer.

22 Jan 2025

WordPress Plugins Can Include a Lot of Software That the Plugin’s Developer Doesn’t Have Any Connection To

How much do you consider a WordPress plugin developer’s handling of the security of their plugins when choosing whether or not to use a plugin? Probably not much, considering that even if you wanted to, your access to the information needed to make an informed assessment is limited. That is also backed up by the popularity of plugins from developers that have long track records of very public indifference, at best, to security. Depending on the plugin, you have to be worried about not just their handling of security, but the handling of security by the developers of third-party libraries that are included in their plugin.

The amount of third-party software in some plugins has surprised us. As part of working on our Plugin Security Scorecard since last year, we have been expanding the number of libraries it can provide information on, with warnings when there are publicly known security issues. A few days ago, the security plugin Shield Security was run through the tool again and more libraries were flagged for inclusion in our data set. There were 5 more libraries in it for us to see about adding, on top of the 47 already in our dataset that are in the plugin. That is a lot of third-party software to be included in a plugin originally called WordPress Simple Firewall.

17 Jan 2025

Two-Factor Authentication (2FA) Won’t Stop an Attacker From Using Their Own WordPress Account to Engage in Malicious Activity

Two-factor authentication (2FA) can be useful for securing WordPress websites in certain circumstances, but it is often touted as being useful for things it isn’t needed for or capable of helping with. We often see it claimed that people should use it to protect against brute-force attacks against WordPress admin passwords. That is despite those attacks continuing to not happen. Using 2FA when you don’t need to can even create vulnerabilities that would allow an attacker access to your website, so understanding what it can and can’t do is important.

Another situation 2FA isn’t the solution for is when an attacker is using their own WordPress account. That was part of the advice given with a recent claim of a malware campaign against WordPress websites. The source for that was claiming that the hacker would cause a new WordPress account with the Administrator role to be created. They did that by causing someone already logged in as an Administrator to make that happen without that person taking any action. The source was then suggesting implementing 2FA to stop the attacker.

16 Jan 2025

1+ Million Install WordPress Plugin Has Been Using an Outdated Known Insecure Version of a Library For Nearly 3 Years

Last year we created the Plugin Security Scorecard tool to help the WordPress community have a better understanding of the security of plugins and, hopefully, to get better practices more widely implemented. As part of our work on that, we have been continuing to expand its capability to identify when plugins are using outdated and known insecure/vulnerable third-party libraries. That capability either doesn’t exist elsewhere in the community or isn’t being used. That is highlighted by a plugin that was checked through the tool today.

The plugin checked was the 1+ million install plugin SVG Support, which had several issues identified.

16 Jan 2025

Developer of 1+ Million Install WordPress Plugin Hasn’t Addressed All Known Vulnerabilities Despite Making That Claim

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is whether a backward-looking determination is helpful, or whether past is not prologue with that. We ran across an example where the problem with a developer has continued. It also suggests that a developer who isn’t making sure to mark their plugins compatible might have additional issues. And finally, the situation is a reminder that you can’t rely on plugin developers to give you accurate information on the security of their plugin.

A post from earlier this month on the support forum of the 1+ million install plugin WP File Manager was asking about compatibility with WordPress 6.7. The plugin had not been marked as compatible with that version despite it having been released in November. Someone from the developer responded that “Although the documentation currently lists compatibility up to WordPress 6.6.2, rest assured that the plugin has been tested and is fully functional with newer releases, including WordPress 6.7.1.” WordPress sends out an email ahead of new releases asking developers to test and then mark their plugins compatible, so the failure to do that is somewhat concerning.

15 Jan 2025

WordPress Security Header Plugins Still Claiming to Provide Protection With Headers That Web Browsers Long Ago Stopped Supporting

In looking into complaints about the search functionality of the WordPress Plugin Directory recently, a common complaint we saw is that new plugins don’t get promoted. As part of an alternative search functionality we have been putting together, we decided to try to address that in part by including a new plugin after the first ten results for queries. When doing a search on “security,” that currently highlights a security headers plugin.