7 Jun 2022

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them do a poor job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, those found in security plugins are usually not too serious. That wasn't the case with a vulnerability disclosed in February in the security plugin WP Cerber, which has 200,000+ active installations according to wordpress.org.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin's admin pages. That is a type of vulnerability hackers have been known to exploit. Troublingly, though in line with the plugin having such a serious vulnerability in the first place, the developer disclosed neither in the changelog nor on their website that there had been a vulnerability or that it had been fixed. [Read more]

4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack, which has 5+ million installs according to wordpress.org. Recently another part of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability, despite that vulnerability appearing not to exist. That isn't the only recent instance of this happening.

Recently they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is their whole sentence; they keep leaving the period off the end of sentences): [Read more]

23 Nov 2021

No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy's web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving what they confusingly described as both a "bogus" and a "legitimate" WordPress plugin. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking mentioned in the post. Sucuri, though, attributed it to compromised login credentials, even though their post indicates they hadn't done the basic checking that should precede such an attribution.

While reviewing the changes made to the plugin, we noticed that among the vulnerabilities fixed in the new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins. [Read more]
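The vulnerability class behind that post, a logged-in user of any role being able to deactivate arbitrary plugins, usually comes down to an AJAX handler with no capability check. The following is an added illustration written for this page; it is not Directorist's code, and the action, nonce and plugin names are hypothetical. It assumes it runs inside WordPress.

```php
<?php
// Added illustration of the vulnerability class (a logged-in user deactivating arbitrary
// plugins); not Directorist's code. Action, nonce and plugin names are hypothetical.

// Vulnerable: wp_ajax_{action} handlers run for any logged-in user, subscribers
// included, and this one checks neither who is calling nor whether the request was
// intended. A subscriber can disable a security plugin with:
//   POST /wp-admin/admin-ajax.php
//   action=example_deactivate_vuln&plugin=some-security-plugin/some-security-plugin.php
function example_deactivate_plugin_vulnerable() {
    $plugin = isset( $_POST['plugin'] ) ? wp_unslash( $_POST['plugin'] ) : '';
    deactivate_plugins( $plugin );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_deactivate_vuln', 'example_deactivate_plugin_vulnerable' );

// Fixed: require the capability core itself uses for the action, a nonce bound to the
// action (CSRF protection), and restrict the target to plugins this feature manages.
function example_deactivate_plugin_fixed() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_deactivate', 'nonce' );

    $plugin  = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    $managed = array(
        'example-addon-a/example-addon-a.php',
        'example-addon-b/example-addon-b.php',
    );
    if ( ! in_array( $plugin, $managed, true ) ) {
        wp_send_json_error( 'not managed by this plugin', 400 );
    }
    deactivate_plugins( $plugin );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_deactivate', 'example_deactivate_plugin_fixed' );
```

The client side of the fixed version obtains the nonce from wp_create_nonce( 'example_deactivate' ) and sends it as the nonce field. The allowlist is the part developers most often skip: even with the capability and nonce checks in place, letting the caller name any plugin file is broader than a feature that only needs to toggle its own add-ons should be.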

5 Oct 2021

WordPress Security Plugins Failed to Protect Against Arbitrary File Upload Vulnerability Using Raw POST Data

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was disclosed. With that type of vulnerability, the question isn't whether it will be exploited but how long until it is. By the next day, we were already seeing what looked like hackers probing for usage of the plugin.

In looking over the vulnerable code, we noticed that there were two ways the data for the uploaded file could be sent with an exploit attempt. One was as a conventional file upload sent with the request, and the other was as raw POST data, which PHP can read from php://input: [Read more]
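To make the two paths concrete, here is an added illustration written for this page; it is not the 3DPrint Lite code, the function, parameter and extension names are hypothetical, and it assumes it runs inside WordPress. It shows a handler accepting the file from either source, first in the vulnerable form and then with checks that apply to the bytes whichever way they arrived.

```php
<?php
// Added illustration of the two delivery paths described above; not the 3DPrint Lite
// code. Function, parameter and extension names are hypothetical.

/**
 * Return the bytes the client wants written to disk, whichever way they arrived.
 */
function example_uploaded_bytes() {
    // Path 1: a multipart/form-data upload. PHP has already parsed the body into
    // $_FILES, and php://input is empty for that content type.
    if ( ! empty( $_FILES['model']['tmp_name'] ) && is_uploaded_file( $_FILES['model']['tmp_name'] ) ) {
        return file_get_contents( $_FILES['model']['tmp_name'] );
    }
    // Path 2: any other content type. $_FILES is empty and the raw request body is
    // read from php://input. A firewall that only inspects $_POST and $_FILES never
    // sees these bytes; it has to read php://input as well (readable more than once
    // since PHP 5.6, so doing so does not starve the application of the body).
    $raw = file_get_contents( 'php://input' );
    return ( false === $raw || '' === $raw ) ? null : $raw;
}

/**
 * Vulnerable: attacker-controlled name, no extension or content check.
 * ?name=shell.php with a PHP body gives remote code execution via either path.
 */
function example_save_upload_vulnerable( $dir ) {
    $bytes = example_uploaded_bytes();
    if ( null === $bytes ) {
        return false;
    }
    $name = isset( $_GET['name'] ) ? $_GET['name'] : 'upload.bin';
    return false !== file_put_contents( $dir . '/' . $name, $bytes );
}

/**
 * Hardened: the same checks run on the bytes regardless of which path delivered them.
 * The name is sanitised (no directory components), the extension must be on an
 * allowlist, and as a backstop the body may not contain a PHP open tag. STL and OBJ
 * files never legitimately contain "<?", so rejecting any occurrence is safe here.
 */
function example_save_upload_fixed( $dir ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return false;
    }
    $bytes = example_uploaded_bytes();
    if ( null === $bytes ) {
        return false;
    }
    $name = isset( $_GET['name'] ) ? sanitize_file_name( wp_unslash( $_GET['name'] ) ) : 'upload.bin';
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'stl', 'obj' ), true ) ) {
        return false;
    }
    if ( false !== strpos( $bytes, '<?' ) ) {
        return false;
    }
    return false !== file_put_contents( $dir . '/' . $name, $bytes );
}
```

The firewall-side lesson is in example_uploaded_bytes(): a rule that scans uploaded files for PHP code covers only path 1. An exploit that sends the same payload with a non-multipart content type arrives through path 2, where the only place to inspect it is php://input.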

27 Sep 2021

WordPress Security Plugins Failed to Protect Against Vulnerability When Using Gutenberg Editor

In WordPress 5.0, released in December 2018, a new editor was introduced, known as the block editor or Gutenberg. In our latest test of whether WordPress security plugins can protect against vulnerabilities, we found that no plugin provided protection against a vulnerability when it was exploited through that editor. Further testing confirmed that two of the plugins that would be expected to protect against that type of vulnerability did so when the Classic editor was used. The other plugin that would be expected to provide protection didn't protect against this vulnerability even with the Classic editor, but further testing confirmed that it, too, fails to provide with the Gutenberg editor protection that it does provide with the Classic editor.

The type of vulnerability used in the test has been turning up in WordPress plugins quite often recently: an authenticated persistent cross-site scripting (XSS) vulnerability caused by shortcode attributes not being properly escaped. It allows an attacker to cause arbitrary JavaScript code to run on frontend pages of the website. These are not a serious issue, since the attacker would need to be able to create content that includes a shortcode, which normally requires access to a WordPress account that can create posts. What makes them more of a concern is that we have recently been finding that developers fail in their attempts to fix them, as we found, for example, with a plugin with 200,000+ installs. [Read more]
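As an added illustration of that vulnerability class (written for this page, not taken from any particular plugin; the shortcode and function names are hypothetical), here is an unescaped shortcode handler next to its escaped form. It assumes it runs inside WordPress.

```php
<?php
// Added illustration of persistent XSS through unescaped shortcode attributes; not code
// from any particular plugin. Shortcode and function names are hypothetical.

// Vulnerable: attribute values taken from the post content go straight into HTML.
// A post containing
//   [example_link_vuln url="https://example.com" text='" onmouseover="alert(document.domain)']
// renders <a href="https://example.com" title="" onmouseover="alert(document.domain)">...</a>
// on the front end. The payload contains no HTML tag, so wp_kses, which filters the
// post content of users without the unfiltered_html capability, leaves it untouched,
// and wptexturize skips the inside of registered shortcode tags, so the quotes survive.
function example_link_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'text' => '' ), $atts, 'example_link_vuln' );
    return '<a href="' . $atts['url'] . '" title="' . $atts['text'] . '">' . $atts['text'] . '</a>';
}
add_shortcode( 'example_link_vuln', 'example_link_shortcode_vulnerable' );

// Fixed: each value is escaped for the context it is written into. esc_url() also
// rejects javascript: and other disallowed schemes, which closes the href vector;
// esc_attr() neutralises the quote that breaks out of the title attribute above.
function example_link_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'text' => '' ), $atts, 'example_link' );
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $atts['text'] ),
        esc_html( $atts['text'] )
    );
}
add_shortcode( 'example_link', 'example_link_shortcode_fixed' );
```

One reason a firewall rule can work with the Classic editor and not with Gutenberg is worth keeping in mind when reading the test results: the Classic editor submits the post as a form field in a request to post.php, whereas the block editor saves through the REST API with a JSON body, so a rule matched against the classic form field never sees the same shortcode when it arrives as JSON.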

17 Aug 2021

NinjaFirewall Only WordPress Security Plugin to Provide Any Protection Against Exploitation of Unfixed Privilege Escalation Vulnerability

On July 22 a new version of the WordPress plugin uListing was released with a very concerning changelog entry:

  • fixed: Unauthenticated Privilege Escalation for Registration

In looking into that, we found that it referred to restoring a security check that had been removed in an earlier version. That a security check existed and was then removed is a bad sign for the security of the plugin, but it gets worse. We found that the change only addressed part of the privilege escalation issue, and the new version didn't otherwise address the other part. We contacted the developer the same day, asking how we could report that to them. They only got back to us on Friday, though hopefully it can be resolved soon. [Read more]

13 Aug 2021

Only Two WordPress Security Plugins Prevented Enabling User Registration Through Unfixed Option Update Vulnerability

As part of developing our upcoming firewall plugin for WordPress, we have implemented a feature to limit a hacker's ability to exploit option update vulnerabilities. That is a type of vulnerability that allows a hacker to change arbitrary WordPress settings (options). This is a capability that has existed in the plugin NinjaFirewall for some time. Unfortunately, as we confirmed a couple of years ago, the developer overstated what it could do, claiming without qualification that it protected against that type of vulnerability, when that wasn't true. In reality, it provided some protection, but not only was that protection limited in scope, it was easy to bypass by changing the option holding the plugin's own settings, possibly because the protection wasn't fully thought through or because no offensive testing had been done.

To make our feature as useful as possible, as many options as might be of interest to mass hackers should be restricted from being changed unless the request comes from a user with the manage_options capability. Finding out what protection of this type existing security plugins provide would help with that. Through our proactive monitoring of changes made to plugins in the Plugin Directory to catch serious vulnerabilities, we spotted an authenticated variant of that type of vulnerability in a plugin in May. That vulnerability still hasn't been fixed as of version 1.8.2.6, which was released yesterday. [Read more]
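The restriction described in the two paragraphs above can be hung off WordPress's own option API. The following is an added illustration written for this page; it is not NinjaFirewall's code or the author's firewall plugin. The core option names are real, the plugin's own settings option name and the function names are hypothetical, and it assumes it runs as part of a plugin inside WordPress.

```php
<?php
// Added illustration of restricting sensitive option changes to users with
// manage_options; not NinjaFirewall's or the author's firewall code. Core option names
// are real, the example_* names are hypothetical.

function example_protected_options() {
    return array(
        'users_can_register',        // the option targeted in the post above
        'default_role',              // with the above: register straight into a privileged role
        'admin_email',               // password resets for the site's administrator account
        'siteurl',                   // send visitors (and script loading) somewhere else
        'home',
        'example_firewall_settings', // the guard's own settings, so it cannot be switched off this way
    );
}

/**
 * Runs inside update_option() for every option. Returning the old value makes the
 * update a no-op, because update_option() bails out when the value is unchanged.
 */
function example_guard_option_update( $value, $option, $old_value ) {
    if ( ! in_array( $option, example_protected_options(), true ) ) {
        return $value;
    }
    // WP-CLI has no HTTP request for an attacker to abuse.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return $value;
    }
    // Fail closed if this fires before the pluggable functions exist: plugin files are
    // included before pluggable.php, so current_user_can() cannot run that early.
    if ( ! function_exists( 'wp_get_current_user' ) ) {
        return $old_value;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $value;
    }
    return $old_value;
}
add_filter( 'pre_update_option', 'example_guard_option_update', 10, 3 );
```

Two limits are worth stating. The filter only sees writes that go through update_option(); a vulnerability that writes with add_option() to an option that does not exist yet, or with a direct $wpdb query, is not caught. And it deliberately blocks unauthenticated writers such as cron jobs for the listed options, which is the intended trade-off for settings that legitimately change only from the admin screens. Including the guard's own settings option in the list is the detail the post above says was missing from NinjaFirewall's version.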

12 Aug 2021

Five WordPress Security Plugins Provide Some Protection Against Unfixed Reflected XSS Vulnerability in Plugin with 200,000+ Installs

Update: We originally incorrectly listed the plugin All In One WP Security & Firewall as not providing any protection, when in fact it did provide protection that was easily bypassed. We apologize for the mistake.

In the mess that is the current handling of WordPress plugin security, many people rely on and trust companies to provide them accurate information on vulnerabilities in the plugins they use, while those companies appear to have no concern for whether the information they provide is accurate. The ultimate source of their data is often a company named WPScan, which is well documented as not being concerned about the quality of its data. [Read more]

11 Aug 2021

Existing WordPress Security Plugins Fail to Protect Against PHP Object Injection Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection, and only one of them had protection that couldn't be easily bypassed. In another, we found that no plugins provided protection, despite one of them supposedly having it, and we later found that another plugin, which was supposed to have gained protection since, also didn't provide it.

Based on those results and later testing, we concluded there was a place for a firewall plugin as one piece of a security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn't recommend them not only because of the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can't trust a security company, you probably shouldn't rely on it). That led us to work on our own firewall plugin, which we plan to release soon. [Read more]

9 Aug 2021

Existing WordPress Security Plugins Fail to Provide Non-Bypassable Protection Against Easy to Stop WordPress Plugin Vulnerability

When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found only three provided any protection, and only one of them had protection that couldn't be easily bypassed. In another, we found that no plugins provided protection, despite one of them supposedly having it, and we later found that another plugin, which was supposed to have gained protection since, also didn't provide it.

Based on those results and later testing, we concluded there was a place for a firewall plugin as one piece of a security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn't recommend them not only because of the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can't trust a security company, you probably shouldn't rely on it). That led us to work on our own firewall plugin, which we plan to release soon. [Read more]