16 Nov 2023

1+ Million Install WordPress Plugin Duplicator Hardening Update Actually Fixes CSRF Vulnerability

One step that WordPress could take to make it easier to see whether updates to WordPress plugins are supposed to have fixed security issues would be to require developers to include their changelog in the plugin’s listing on the WordPress Plugin Directory. Right now that isn’t the case, so you have plugins, including the 1+ million install plugin Duplicator, that require you to go elsewhere to check it. That also makes it harder to flag possible security updates in an automated fashion. As at least one of our customers uses that plugin, a monitoring system we have checks to see if the changelog has been updated. Today that alerted us to an update, which has this changelog: “[FIX] Implemented hardening for the plugin recommended by Dmitrii Ignatyev from Cleantalk”. Checking on the changes, we found that isn’t exactly an accurate description, as the hardening, as they put it, fixed a cross-site request forgery (CSRF) vulnerability.

That lack of clarity brings up another improvement that WordPress could make: a clear requirement as to how developers should disclose in the changelog that security issues are being fixed in their plugins. It isn’t uncommon to find developers not disclosing security fixes at all, or doing so in a way that you wouldn’t realize it was a security fix, as was twice the case with the same vulnerability in WooCommerce. [Read more]

21 Sep 2018

Threatpost Fails to Properly Vet Sources, Leading to Spreading Inaccurate Information about Vulnerability Created by Duplicator

On Monday we discussed how the security company Sucuri showed that they lack even a basic understanding of security through a post they had written about a vulnerability created by the WordPress plugin Duplicator, which they clearly didn’t understand. What we also noted is that while their lack of security knowledge isn’t some new development, it is something that doesn’t appear to be well known. Part of the reason for that is that security journalists don’t seem to be interested in doing actual journalism and instead often act as stenographers for terrible security companies, so instead of shedding light on the bad practices of Sucuri and other similar companies (there are lots of them), they are often promoting them. Shortly after we posted that, a Google alert notified us of an article by Threatpost discussing the vulnerability, which was sourced to none other than Sucuri. That article is titled “Old WordPress Plugin Being Exploited in RCE Attacks”.

What seems most problematic about Threatpost’s article is this claim, which is repeated from Sucuri: [Read more]

17 Sep 2018

Sucuri Doesn’t Understand the Recently Disclosed Vulnerability Created by Duplicator (or Security in General)

The reputation of security companies is often very different from the reality. One company that seems to have a good reputation is Sucuri. That is despite everything we have seen over many years indicating they really lack even a basic understanding of security (we wish that were a gross exaggeration). We were once again reminded of that by something that popped up in the monitoring we do to keep track of vulnerabilities in WordPress plugins, which involved a repost of a recent Sucuri blog post.

The Sucuri blog post is titled “Outdated Duplicator Plugin RCE Abused”. [Read more]

7 Sep 2018

Wordfence Security Doesn’t Protect Against Exploited Vulnerability (or Finding a Balance When it Comes To Detailing Vulnerabilities)

One of the ways we work to make sure we have the best information on vulnerabilities in WordPress plugins for our customers is to monitor the WordPress Support Forum. Through that we came across a couple of threads yesterday that involved exploitation of a vulnerability connected to the plugin Duplicator (and yet another example of the incredibly bad handling of the discussion of security by the moderators of that forum, and their unwillingness to have a discussion to avoid those problems going forward). In looking closer at the information put out about that, we noticed a couple of issues that we thought worth bringing more attention to.

Making it Easier for Hackers to Exploit Vulnerabilities

One issue that we evaluate on an ongoing basis is how we handle disclosure of vulnerabilities, since there isn’t an obvious balance to be struck. On the one hand, more information can make it easier for hackers to exploit vulnerabilities. On the other, we have often found that vulnerabilities are disclosed with a claim that they have been fixed when they have only been partially fixed or not fixed at all. In those instances, the more information provided, the easier it is to determine that there is still an issue and work to get it fixed before hackers figure that out and take advantage of it. [Read more]

1 Dec 2017

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]