13 Aug 2021

Only Two WordPress Security Plugins Prevented Enabling User Registration Through Unfixed Option Update Vulnerability

As part of developing our upcoming firewall plugin for WordPress, we have implemented a feature to limit a hacker’s ability to exploit option update vulnerabilities. That is a type of vulnerability that allows a hacker to change arbitrary WordPress settings (options). This is a capability that has existed in the plugin NinjaFirewall for some time. Unfortunately, as we confirmed a couple of years ago, the developer overstated what was possible with it, claiming that it protected against this type of vulnerability, without qualification, when that wasn’t true. In reality, we found that it provided some protection, but not only was it limited in scope, the protection turned out to be easy to bypass by changing the option for the plugin’s own settings, possibly because the protection was not fully thought through or because no offensive testing had been done.

To make our feature as useful as possible, as many options as possible that might be of interest to mass hackers should be restricted from being changed if the request to change them is not coming from a user with the manage_options capability. Finding out which existing security plugins provide this type of protection would be helpful in doing that. Through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we spotted an authenticated variant of that type of vulnerability in a plugin in May. That vulnerability still hasn’t been fixed as of version 1.8.2.6, which was released yesterday. [Read more]
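The restriction described above, as an added illustration that is not code from the post or from any of the plugins it names: a WordPress must-use plugin that hooks the `pre_update_option` filter and refuses to write a guarded option unless the current user holds `manage_options`. The list of guarded options and the option name `example_guard_settings` are assumptions made here; the latter is included so that the guard's own settings cannot be changed through the same kind of bypass the post describes.

```php
<?php
/**
 * Plugin Name: Example Option Update Guard
 * Description: Added illustration (not from the post or any named plugin).
 * Drop into wp-content/mu-plugins/ so it cannot be deactivated via active_plugins.
 */

/**
 * Options a mass attacker would most plausibly want to change, plus this
 * guard's own (hypothetical) settings option. The list is an assumption.
 */
function example_guard_protected_options() {
    return array(
        'users_can_register',     // enabling open registration
        'default_role',           // role given to newly registered users
        'admin_email',            // where password resets and notices go
        'siteurl',                // site address; redirect / script loading
        'home',
        'active_plugins',         // activating a malicious plugin
        'example_guard_settings', // hypothetical: the guard's own settings
    );
}

/**
 * Refuse a change to a guarded option unless the request comes from a user
 * with manage_options. Returning $old_value makes update_option() treat the
 * call as a no-op, so nothing is written to the database.
 */
function example_guard_pre_update_option( $value, $option, $old_value ) {
    if ( ! in_array( $option, example_guard_protected_options(), true ) ) {
        return $value; // not a guarded option, let it through
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $value; // an administrator (or WP-CLI with --user) is allowed
    }
    // Leave a trace for incident response; goes to the PHP error log by default.
    error_log( sprintf(
        'option guard: blocked update of "%s" by user %d from %s',
        $option,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return $old_value;
}
add_filter( 'pre_update_option', 'example_guard_pre_update_option', 10, 3 );
```

Two scope limits worth knowing when judging protection like this: the filter only covers `update_option()`, so code that writes with `add_option()`, `delete_option()` or a direct SQL query is not covered, and an unauthenticated WP-CLI session has no capabilities, so `wp option update` on a guarded option needs `--user=<administrator>`. The first limit is the kind of gap the post has in mind when it says existing protection was limited in scope.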

12 Aug 2021

Five WordPress Security Plugins Provide Some Protection Against Unfixed Reflected XSS Vulnerability in Plugin with 200,000+ Installs

Update: We originally incorrectly listed the plugin All In One WP Security & Firewall as not providing any protection, when in fact it did provide protection that was easily bypassed. We apologize for the mistake.

In the mess that is the current handling of security of WordPress plugins, many people rely on and trust companies to provide them accurate information on vulnerabilities in plugins that they use, while the companies appear to have no concern for whether the information they provide is accurate. The ultimate source of their data is often a company named WPScan, which is well documented to not be concerned about the quality of their data. [Read more]

11 Aug 2021

Existing WordPress Security Plugins Fail to Protect Against PHP Object Injection Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection and only one of them had protection that couldn’t be easily bypassed. In another, we found no plugins provided protection, despite one of them supposedly having protection, and we later found that another one that was supposed to have later gained protection also didn’t provide it.

Based on those results and later testing, what we saw was that there was a place for a firewall plugin as a piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn’t recommend them not only due to the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can’t trust a security company then you probably shouldn’t rely on them). That has led to us working on our own firewall plugin, which we plan on releasing soon. [Read more]

9 Aug 2021

Existing WordPress Security Plugins Fail to Provide Non-Bypassable Protection Against Easy to Stop WordPress Plugin Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection and only one of them had protection that couldn’t be easily bypassed. In another, we found no plugins provided protection, despite one of them supposedly having protection, and we later found that another one that was supposed to have later gained protection also didn’t provide it.

Based on those results and later testing, what we saw was that there was a place for a firewall plugin as a piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn’t recommend them not only due to the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can’t trust a security company then you probably shouldn’t rely on them). That has led to us working on our own firewall plugin, which we plan on releasing soon. [Read more]

17 Jun 2019

Even WordPress Security Plugin With 800,000+ Installs Is Failing To Do Proper Security Checks

To make sure we are providing customers of our service with the best data on vulnerabilities in WordPress plugins they may be using, we do various monitoring. One of the things we do is monitor our websites and third-party data for indications that plugins are being targeted by hackers. That leads to us noticing plenty of vulnerabilities in plugins that were, up to that point, publicly undisclosed, but that hackers probably are already aware of and are likely already targeting. What also frequently gets pulled in with that are what look to be hackers trying to access malicious files that other hackers have placed on websites, which happen to be in the directories of WordPress plugins. What looks to be a recent example of that involved sending a request to:

/wp-content/plugins/all-in-one-wp-security-and-firewall/other-includes/bkrijilt.php [Read more]

16 Dec 2016

No WordPress Security Plugin Prevented Exploitation of Unfixed Arbitrary File Upload Vulnerability in Popular Plugin

When it comes to the chances of vulnerabilities being exploited, the reality is that many types of vulnerabilities are highly unlikely to have anyone even try to exploit them. Unfortunately, far too often we see security companies and the press making a big deal of vulnerabilities that are of little to no threat, while ignoring vulnerabilities and broader security issues that are leading to websites being hacked (that led us to add information on the likelihood that a vulnerability will be exploited to the data for our service). When it comes to types that are likely to be exploited, the arbitrary file upload vulnerability, which allows a hacker to upload files of any kind to a website, is probably the one with the most exploit attempts and also then ends up leading to the most websites being hacked. So if a WordPress security plugin is going to protect against any type of vulnerability, this seems like the one you would most want it to be able to protect against.

Back in September we tested security plugins against this type of vulnerability and the results were not good. Of the 12 plugins tested, only 3 provided any protection. The protection 2 of them provided was easily bypassed for this particular vulnerability, and the remaining plugin’s protection also meant that Editor level and below users could not upload files either. [Read more]

17 Nov 2016

Even Security Plugin Mislabels Vulnerability as Less Concerning Potential Vulnerability

Nearly two years ago we looked over the vulnerabilities that were in our data set at the time to get a better understanding of how often security fixes are left out of the changelog entries for the version of the WordPress plugin that fixed them. We found that nearly 20 percent of the time no mention was made of a vulnerability being fixed (that included one instance where the vulnerability was being exploited before it was fixed). That is a good reminder that you really need to be keeping your plugins updated at all times, since there is a good chance you won’t know that an update includes a security fix.

Vulnerability fixes being left out of the changelogs is not the only issue with getting accurate information from the changelogs. We also find that sometimes vulnerabilities are incorrectly described as possible or potential vulnerabilities. In the previously mentioned analysis we also found that 15 percent of the vulnerabilities were inaccurately labeled as either being a possible or potential vulnerability. A possible or potential vulnerability would accurately refer to a situation where there is code that isn’t properly secured but there isn’t a known way to exploit that code. For example, a plugin might have a database query that isn’t properly secured against SQL injection, but no one who looked at the issue figured out how to get malicious input passed to the query. That obviously isn’t as much of a concern as a vulnerability that is known to be exploitable, and depending on the security requirements in an organization, that may alter the amount of post-disclosure checking that needs to be done. [Read more]

14 Nov 2016

Developer Of WordPress Security Plugin Thinks It’s Normal For Security Plugins to be Insecure

When it comes to the poor state of security, one of the big problems is that instead of addressing the causes of that poor security, the focus is often on pushing security products, which are often of limited use and, when it comes to WordPress plugins, are known to introduce their own security vulnerabilities.

The lack of addressing the causes isn’t due to the causes being hard to find or understand. Take for instance what happened after Apple failed to put out a security update for their Java implementation for Mac OS in a timely manner back in 2012. Oracle released the security update for Java in February, but it wasn’t until April that Apple released an updated version of their implementation, which was after attackers had started using one of the vulnerabilities to get malware on Macs. So you had a clear issue, that Apple was not releasing security updates in a timely manner, and also the broader issue of the responsibility of software makers to release security updates for their software. While that didn’t go unmentioned, much of the coverage was about how Macs needed anti-virus software. That was even though anti-virus software doesn’t fix the underlying issues; it instead tries to detect malicious code that would exploit the underlying issue, which is rather difficult to accomplish (especially versus fixing known vulnerabilities). If the underlying cause had been the focus back then, maybe things would have changed and you wouldn’t have the problem of many smartphones in use that are not (and in some cases never) receiving security updates. [Read more]

26 Sep 2016

No WordPress Security Plugins Protected Against Recently Disclosed Vulnerability That Exposes WooCommerce Order Data

Recently we started testing to see what protection WordPress security plugins provide against vulnerabilities in other plugins (since plugin vulnerabilities are an actual source of websites being hacked, unlike some other things that these plugins make a big deal of providing protection against). The first vulnerability we tested could be used for serving up malware on a website and the second could give an attacker control over the website. Both of those are the types of vulnerabilities that are often thought of when discussing the security of websites; for example, the very popular Wordfence plugin is advertised as “protecting your website from hacks and malware”. Not every security issue, though, falls into those categories. As you can guess from the name, an information disclosure vulnerability involves the disclosure of information that isn’t intended to be public, and those can be a serious issue. For example, if you run an eCommerce website you wouldn’t want your customers’ details to be accessible by the public.

WooCommerce is a popular eCommerce plugin for WordPress, which has over 1 million active installs according to wordpress.org (we use it on this website). There are numerous plugins that expand on its functionality. The security of those isn’t always good. Among the issues we have found in some of those plugins this year were two arbitrary file upload vulnerabilities and a vulnerability that allowed changing the price of products. Recently David Peltier discovered that the plugin Order / Coupon / Subscription Export Import Plugin for WooCommerce (BASIC) had an information disclosure vulnerability that allowed anyone to get a copy of the orders made through WooCommerce on the website. Included in that are not only the details of the order, but the customer’s details, including address and email address. That vulnerability has now been fixed. [Read more]

22 Sep 2016

Only One WordPress Security Plugin Fully Protected Against a Recently Disclosed Arbitrary File Upload Vulnerability

Last week we did our first test to see what protection WordPress security plugins can provide against the exploitation of vulnerabilities in plugins. The results for a persistent cross-site scripting (XSS) vulnerability were not good, with only 2 of the 11 plugins tested providing any protection, and even the protection in those two was easily bypassed.

Earlier this week we disclosed a set of arbitrary file upload vulnerabilities in four plugins by the same developer. While these vulnerabilities are of the type that are likely to be exploited (you can now know how likely vulnerabilities are to be exploited with our service), after we contacted the developer, they took two weeks to fix one and the other three have yet to be fixed two months later. That shows a couple of the problems with being able to protect against plugin vulnerabilities at this time, one being that vulnerabilities are not fixed in a timely manner and the other being that simply keeping your plugins up to date will not protect you. [Read more]