10 Jun 2024

AI Helps Catch CSRF Vulnerability Being Introduced into 100,000+ Install WordPress Plugin Modula

Three years ago, a prominent WordPress security provider claimed that the increasing number of vulnerabilities claimed to be discovered in WordPress plugins was caused not by more vulnerabilities being introduced into them, but by better detection of old vulnerabilities, and that plugins were therefore getting more secure. It was a problematic claim to make at the time, as, among other reasons, their data source simply claims that vulnerabilities have existed in all versions of a plugin. (Their data source also counted a lot of fake claims of vulnerabilities.) It continues to be problematic, as the claimed number of vulnerabilities being discovered keeps increasing.

The reality here is that many developers of WordPress plugins are continuing to introduce new vulnerable code into their plugins. WordPress could take actions to significantly reduce that, but they are not. One method to limit the damage that those two problems cause is detecting vulnerabilities as they are being introduced into plugins. One method we have for doing that for our customers is a form of AI, machine learning. We now run all changes being made to plugins used by our customers through a machine learning based system trained to try to identify when vulnerabilities are introduced in those updates. That flagged a recent update to the 100,000+ install plugin Modula. In reviewing the changes made, we found that the developer had failed to include a basic security check in new code, leading to a cross-site request forgery (CSRF) vulnerability. Existing code looks to be similarly vulnerable. [Read more]

6 Jun 2024

400,000+ Install WordPress Plugin Formidable Forms Is Missing More Basic Security Checks

In January, because at least one of our customers was using the 400,000+ install WordPress plugin Formidable Forms, we looked into a changelog entry for the then latest version of the plugin that suggested a cross-site request forgery (CSRF) vulnerability had been fixed. We confirmed that the developer had indeed addressed an instance of CSRF, but we also found that code similar to what was being fixed was still vulnerable to CSRF. It turns out that version had also added yet another instance of the issue. That is striking, since protection against CSRF is a really basic element of securing a WordPress plugin, so it is not something that should be an issue with such a popular plugin. The additional instance has yet another missing basic security check as well.

Last week, a new version of the plugin was released. The update was flagged by our system that uses machine learning, a form of artificial intelligence (AI), to try to detect when vulnerabilities have been fixed, but haven’t been disclosed, in plugins used by our customers. We found a security change being made, which changed the following line that had previously been bringing in user input without sanitizing it (which is yet another security issue): [Read more]

29 Feb 2024

AI Helps to Detect Incomplete Security Fix Being Made to 1+ Million Install WordPress Plugin WP File Manager

We often find that attempts to fix vulnerabilities in WordPress plugins have been incomplete or have failed entirely, including with vulnerabilities that could certainly be targeted. For us to be able to find that, we have to know that a vulnerability was supposed to have been fixed. Developers don’t always disclose that vulnerabilities have been fixed. While that could be defensible in limited circumstances for serious vulnerabilities likely to be exploited, it usually isn’t that situation when it happens. One method we have to determine that an attempt has been made to fix a vulnerability is using machine learning, a form of artificial intelligence (AI), to try to detect relevant changes being made to the code of plugins in the WordPress Plugin Directory. That monitoring flagged just such a change made yesterday to the 1+ million install plugin WP File Manager. The changelog for the change wouldn’t suggest a security fix, as it reads, “Fixed Language issue.”

Looking at the changes made, it isn’t hard to see why it was flagged, as a nonce check, which prevents a type of vulnerability, cross-site request forgery (CSRF), was being added: [Read more]

2 Jan 2024

Machine Learning Helps Catch Authenticated Server-Side Request Forgery (SSRF) Vulnerability Being Introduced into Spectra

The changes made to version 2.11.0 of the WordPress plugin Spectra got flagged by our machine learning (artificial intelligence (AI)) based system for catching vulnerabilities being introduced in updates to WordPress plugins. Checking the changes made, we immediately found that insecure new code had been introduced into the new version. We further confirmed that at least one vulnerability was introduced, and there may be more.

As an obvious example of insecurity, this AJAX accessible function was added that doesn’t include a needed capabilities check: [Read more]

14 Dec 2023

Brainstorm Force Removed Security Code and Reintroduced Vulnerability in 1+ Million Install WordPress Plugin

It’s commonly claimed that it helps to determine if a WordPress plugin is secure by looking at the install count and checking whether the developer is well known. We have yet to see anyone making that claim present any evidence of a correlation between them. We have seen plenty of instances where major WordPress plugin developers have problems handling security with popular plugins. Take Brainstorm Force. They were recently covered by the WP Tavern, while claiming to have made a six-figure investment in a plugin. So they clearly have the money to handle security properly, but they don’t.

The latest incident with Brainstorm Force involves a vulnerability in a 1+ million install plugin that went unnoticed by them (and others, for that matter) for nearly four years, which they fixed without realizing it, it would seem, and then reintroduced today. [Read more]

10 Nov 2023

Developer of WP Fastest Cache Obliquely Discloses SQL Injection Vulnerability, Fix Isn’t Generally Available

Yesterday, the developer of the 1+ million install WordPress plugin WP Fastest Cache committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory that fixed a SQL injection vulnerability. Unfortunately, they haven’t released a new version of the plugin that makes the fix available to the public. If hackers haven’t already realized what is at issue, it shouldn’t take them long.

The commit message for the update was “Security Enhancements”, which suggests a vulnerability could have been fixed. Our machine learning (artificial intelligence (AI)) based system for catching vulnerabilities being fixed in updates to WordPress plugins flagged the change as fixing a vulnerability. Could hackers have a similar system? Who knows, but it isn’t too complicated to create what we have, so we wouldn’t want to bet they don’t. [Read more]

23 Aug 2023

AI Helps to Detect Vulnerable Code Being Added to 300,000+ Install WordPress Plugin WPvivid Backup

As we have noted multiple times recently, contrary to claims made by other security providers, WordPress plugins continue to have a steady supply of new vulnerabilities being introduced into them. That includes widely used plugins. We continue to work to improve our ability to catch those in plugins used by users of our service. One method is using machine learning, a form of artificial intelligence (AI), to try to catch vulnerabilities being introduced into plugins. As that is something that improves with more data, the longer we are collecting data, the better it should get and the more vulnerabilities we can catch for our customers.

Yesterday, that monitoring flagged an update to the 300,000+ install plugin WPvivid Backup as possibly introducing a vulnerability. Looking over the changes being made, we found that a new function was added to the plugin and made accessible to anyone logged in to WordPress through its AJAX functionality: [Read more]

24 Jul 2023

AI Helps to Detect Expansion of Vulnerability in 1+ Million Install WordPress Plugin

Earlier this year, we noted how a machine learning (artificial intelligence (AI)) based system we have had helped to detect a vulnerability being introduced into a 1+ million install WordPress plugin. That came after the system had already helped to catch undisclosed attempts to fix vulnerabilities in WordPress plugins which had failed to fix the vulnerabilities, including in another 1+ million install plugin. In the latest detection of a vulnerability in a 1+ million install plugin by the system, the vulnerability already existed, but the system correctly flagged it, as the change being made expanded the impact of the vulnerability. That vulnerability is an authenticated settings change vulnerability in the plugin WP Fastest Cache.

We only run changes being made to plugins being used by our customers and 1+ million install plugins through that system, so if you are not using our service, plugins you use are likely missing out on that security measure. [Read more]

4 May 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Advanced Custom Fields

To better detect vulnerabilities being fixed in WordPress plugins in the WordPress Plugin Directory, we run all the changes being made to plugins used by our customers and plugins with at least a million installs through a machine learning (artificial intelligence) based system we created. Today, that flagged a change being made to the 2+ million install plugin Advanced Custom Fields as fixing a vulnerability. The changelog of the plugin suggested that might be correct, as the changelog entry associated with that change says that it “resolves an XSS vulnerability in ACF’s admin pages”, which was credited to Rafie Muhammad.

You can’t rely on changelogs to provide accurate information, as the developer of this plugin, WP Engine, didn’t disclose it was fixing a vulnerability in another of their plugins recently, and even if the changelog makes the claim, it doesn’t mean that a vulnerability really existed or that it has been fixed. As we have found with other changes being flagged by this monitoring system, WordPress plugin developers sometimes fail to disclose they are fixing a vulnerability and also fail to actually fix it. [Read more]

3 Apr 2023

AI Helps to Detect Vulnerability Being Introduced into a 1+ Million Install WordPress Plugin

The WP Tavern recently ran a story claiming that the security of WordPress plugins is getting better because more vulnerabilities are being discovered:

The report emphasized that the increase in the number of vulnerabilities reported means that ecosystem is becoming more secure as the result of more security issues being found and patched. [Read more]