14 Dec 2023

NinTechNet’s Website Security Scanner Isn’t a Good Option for Testing the Security Provided by WordPress Firewall Plugins

When it comes to testing the protection offered by WordPress security plugins, we seem to be alone in doing that, which isn’t good. Not long ago someone contacted us complaining about the accuracy of our testing results and vaguely citing another testing solution as producing different results. We offered to publish those results, but they claimed they couldn’t for an unclear reason. We also asked them some basic questions to try to understand what the testing actually involved. They didn’t appear to understand the questions, but they then cited another source for doing this type of testing, a web scanner provided by the developer of the NinjaFirewall plugin, NinTechNet. We were curious to see what that offered. Here is how it is described:

The Website Security Scanner is a tool you can use to test and rate your website security. It is not a hacking tool: it won’t hack your site and you can’t use it to hack someone else’s website either.
Whether you use a security application to protect your site (a web application firewall, a security plugin or extension) and need to know how efficient it is, or just want to test your own security rules, the Website Security Scanner is exactly what you need.

2 Jun 2023

WooCommerce Security Issue Plays Critical Role in Exploiting Serious Vulnerabilities in Other Plugins

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited, as it required having access to a value that is only included in WordPress admin pages. WooCommerce claims to limit access to those pages to admins. Documentation from the developer states that “By default, WooCommerce blocks non-admin users from entering WP Admin, or seeing the WP Admin bar.” Despite that, the vulnerability was widely exploited.

The explanation for how it could be widely exploited despite that limitation is that the discoverer of the vulnerability disclosed a bypass for it: “WooCommerce customers can access the back-end by adding wc-ajax=1 to the query, e.g., https://example.com/wp-admin/?wc-ajax=1”. The discloser, NinTechNet, provided no explanation of why they publicized that, and made no mention of contacting the developer about the bypass. It isn’t as if they didn’t know that they were disclosing something that isn’t supposed to be possible, as we had brought that up to them in a situation involving a different vulnerability a couple of weeks before.

28 Nov 2022

Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor

There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress.

This week Patchstack started promoting that it is providing “early alerts and protection” for vulnerabilities to their customers:

3 Nov 2022

Security Issue Remains in 200,000+ Install WordPress Plugin Over Two Years After Vulnerabilities Were “Fixed”

In August 2020, NinTechNet, the developers of the WordPress plugin NinjaFirewall, disclosed vulnerabilities that had been in the plugin CMP – Coming Soon & Maintenance Plugin. That plugin had 100,000+ installs at the time and is now up to 200,000+ installs. NinTechNet stated at the time that the vulnerabilities were fixed, but when we recently reviewed the code in the plugin related to them, as at least one of our customers now uses the plugin, we found that there is still a security issue that hasn’t been resolved.

NinTechNet’s post described part of the problem with the plugin this way:

9 Sep 2019

NinTechNet and WordPress Plugin Directory Team Fail to Make Sure Vulnerability in Search Exclude Was Actually Fixed

Last week we disclosed a settings change vulnerability in the plugin Search Exclude after it had been closed on the WordPress Plugin Directory, and we noted that it wasn’t the only probable issue:

There also appear to be other security issues with the plugin.

26 Aug 2019

Wordfence Keeps Hiding That Other Security Companies Are Actually Doing the Work to Keep Ahead of Hackers

On multiple occasions the team behind the Wordfence Security plugin has failed to credit us when discussing vulnerabilities we discovered. It turns out we are not alone in that, and unfortunately journalists will cover them without giving any credit to the other security companies that are actually doing the work to keep ahead of hackers (which is what Wordfence falsely markets its Wordfence Premium service as doing).

Here is part of an article from Threatpost (which is itself secretly owned by a security company) from Friday that showed up in a Google alert we have:

25 Jun 2019

Other Vulnerability Data Sources Miss That a Reflected XSS Vulnerability in Custom 404 Pro Hasn’t Been Fixed

Being warned about vulnerabilities in the WordPress plugins you use isn’t much good if you are being told that vulnerabilities have been fixed when they haven’t. That is often a problem with data sources on vulnerabilities in WordPress plugins other than the one that underlies our service.

Yesterday an update to the plugin Custom 404 Pro had the changelog entry “Fix Reflected XSS”. In looking to see if the discoverer of that had put out a report, we found multiple places reporting that a vulnerability had been fixed.

15 May 2019

Information Disclosure Vulnerability in FV Player (FV Flowplayer Video Player)

Earlier today we noted a security company putting out inaccurate information on vulnerabilities in a WordPress plugin. That isn’t uncommon: while looking into who might have discovered a recent vulnerability, we found NinTechNet suggesting updating the plugin FV Player (FV Flowplayer Video Player) to version 7.3.13.727:

WordPress “FV Flowplayer Video Player” plugin (40,000+ active installations) fixed XSS vulnerability. Update to v7.3.13.727.

15 Dec 2016

When a Security Company Does the Right Thing and The WordPress Plugin Directory Drops the Ball

Due to how bad the security industry is, we rarely have the ability to point to a situation where a security company has done the right thing, but today we have one to discuss.

Yesterday, we discussed how security companies rarely do one of the three basic components of a proper hack cleanup, which is to try to determine how the website was hacked. As we mentioned in that post, in instances where that isn’t done we are frequently brought in to re-clean the websites after they get hacked again. The problem of not determining how websites are hacked doesn’t always just impact that one website: if the vulnerability exploited exists in the current version of software on the website, then spotting an early exploitation has the possibility of limiting the number of additional websites that get hacked due to it. That possibility occurred with an arbitrary file upload vulnerability that exists in the WordPress plugin Delete All Comments. On November 20 the security company NinTechNet was looking into a hacked website and found that the website was hacked due to that vulnerability. It wasn’t all that hard to spot with the combination of the logging and the code in the plugin, but since so many security companies don’t even try to determine how the websites they are cleaning up have been hacked, something like that can easily get missed.