17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restrictions on plugins automatically installing additional plugins during setup. A couple of the major offenders, when it comes to doing that, have chimed in. Unsurprisingly, they are suggesting not stopping that from happening. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins, as well as introducing additional security risk to the websites, as their plugins have had plenty of security vulnerabilities over the years. While looking into how those players are currently handling that automatic installation, we noticed that a couple of multi-million install plugins from them are tracking usage without users choosing to opt in, and in the case of Awesome Motive’s 3+ Million Install All in One SEO, without disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled: [Read more]

13 Aug 2024

WordPress Coding Standards is Failing to Warn About Missing Sanitization and Requiring Unnecessary Sanitization

One of the things that our new Plugin Security Scorecard uses to grade the security of WordPress plugins is a subset of the checks from our Plugin Security Checker. The subset is intended to cover things that are always a security issue and should be addressed, while the full set of checks also flags things that could be secure, but often are not and need to be checked. You would expect that subset to flag issues with certain types of plugins and from certain developers. But the actual results of plugins checked so far tell a different story.

The 5+ million install plugin Wordfence Security has been found to be using “[t]he function filter_input() is used without a filter, so it doesn’t do any filtering.” Similarly, the 100,000+ install Jetpack Protect plugin is found to be using “[t]he function filter_var() is used without a filter, so it doesn’t do any filtering.” That plugin is from Automattic, the company so closely associated with WordPress that it is now not uncommon for WordPress to be seen as an arm of the company. That isn’t the only plugin from Automattic with issues. Both the 4+ million install Jetpack and the 7+ million install WooCommerce have been found to have both of the previously mentioned issues. The threat posed by that would depend on what is done after the filter-less filtering is done, but the filter-less filtering shouldn’t be happening even if there isn’t a larger issue. [Read more]

25 Jun 2024

WooCommerce is Exposing Private Product Information Through Store API

While looking into something related to the now discontinued WooCommerce Blocks plugin from Automattic, we noticed what appeared to be a vulnerability in that. That plugin has long been incorporated into the main WooCommerce plugin and we confirmed the vulnerability exists in the latest version of that plugin. The vulnerability exposes information that isn’t meant to be public about WooCommerce products through the WooCommerce Store API. There are possibly more issues related to that API, as we have only looked into this specific issue so far.

According to the Store API Guiding principles, private data shouldn’t be provided through the API (emphasis theirs): “Store data such as settings (for example, store currency) is permitted in responses, but private or sensitive data must be avoided.” Despite that statement, it doesn’t appear that some basic security reviewing has been done on the code. And it hasn’t been done in years, as the vulnerable code dates back four years. More thorough reviewing of that needs to be done by Automattic. [Read more]

2 May 2024

Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability

In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do basic vetting, which they claim to do. Another provider, Patchstack, had similarly falsely claimed that WooCommerce contained that vulnerability. Belatedly, WPScan, which, like WooCommerce, is owned by Automattic, made the same claim. They provided a proof of concept that was supposed to show the exploitation:

[Read more]

1 Mar 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of March 1

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly, with plugins they use, but to a lesser extent other plugins. That work often goes unmentioned. So we are highlighting it to help people better understand what is going on and how signing up for our service can help to expand that work.

Vulnerability Fixed in Finale Lite

A couple of weeks ago we noted that a vulnerability in a plugin being targeted by a hacker hadn’t been fully fixed. We also found that another plugin from the same developer was not fixed at all. This week that second plugin, Finale Lite, was fixed enough to stop exploitation. It still isn’t fully secured, though. [Read more]

28 Feb 2024

WooCommerce Vulnerability Listed as Being Fixed in Upcoming Release Was Already Fixed

In January, multiple WordPress security providers falsely claimed that a vulnerability had been fixed in the WooCommerce plugin. The situation was made more problematic because one of them said it was fixed in a version of WooCommerce that was newer than the version currently available. This situation was partially caused by the developers of WooCommerce having a changelog entry for security improvement included in the changelog for the wrong version of the plugin. That has happened again, only this time there really is a vulnerability, though a minor one, being fixed.

Yesterday, a beta version of WooCommerce 8.7.0 was submitted to the WordPress Plugin Directory. The changelog added for it suggests that will be released on March 13. One of the entries was flagged by our systems as possibly referring to a fix for a vulnerability: [Read more]

16 Jan 2024

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is that they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities have actually been fixed, or if they even existed, before widely making claims about supposed vulnerabilities. We will get into more detail about that in a few moments, but first we will take a look at a couple of other recent examples, which show that wasn’t a one-off fluke.

We should note at the outset that the CEO of Wordfence, Mark Maunder, recently claimed their “data is impeccable” when we brought up the well-known problems with it. [Read more]

11 Dec 2023

Is Wordfence Care a Good Option For WooCommerce Websites?

We were recently contacted by someone asking if we provided an alternative to the WordPress security service Wordfence Care for a WooCommerce website. Specifically, they asked if we provide something that would include a firewall, the setup of the firewall, and help in case there is a security problem on the website. For the first two things they were looking for, our own Plugin Vulnerabilities Firewall is a firewall and you can easily configure it yourself, as we designed it to not need much configuration. If any customer does need help configuring it, we can provide help as well. The last piece of that seems rather problematic to offer, but it turns out that even the part of it which shouldn’t be hard to offer is problematic for Wordfence.

A security problem with a WooCommerce website could involve a lot of different things. One provider being able to deal with all of that would require a wide range of expertise. It seems unlikely that any provider would have it. It’s very different to, say, deal with an unfixed vulnerability in a WordPress plugin than to deal with a server-level security issue, or a security issue involving a payment provider. What Wordfence should be able to handle is dealing properly with hacked websites. But that hasn’t been the case. Take one person who had Wordfence Care, but said that Wordfence was not figuring out how a website was being hacked and the issue continued on. Even with the even more expensive Wordfence Response and paying thousands of dollars, someone couldn’t get them to address a problem. [Read more]

9 Oct 2023

Another Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed Exploitable Vulnerability

On Friday, we saw a hacker probing for usage of the WordPress plugin Dropshipping & Affiliation with Amazon across our websites and other websites. As part of keeping track of vulnerabilities in WordPress plugins for our service, we needed to try to figure out what explained that interest. What we found was alarming, though unsurprising. Three days before that the WordPress security provider Patchstack had vaguely claimed the latest version of the plugin contained a fairly serious vulnerability. And yet as of writing, the vulnerable plugin still is available in the WordPress Plugin Directory. So something clearly has gone wrong here. And not for the first time, even very recently.

As with another recent instance of an unfixed vulnerability likely being targeted, it wouldn’t be hard for WordPress to release a fix to stop exploitation. That is something we have offered for years to help them with. They haven’t taken up our offer of help or dealt with it on their own. [Read more]

14 Sep 2023

Automattic Reintroduced Security Vulnerability Into WooCommerce, Their WPScan Missed That

Automattic is the company of the head of WordPress, Matt Mullenweg. Among its operations, it sells access to (often inaccurate) information on vulnerabilities in WordPress plugins through WPScan. Earlier this week WPScan added an entry for a claimed vulnerability in Automattic’s WooCommerce plugin, which has 5+ million installs according to WordPress’ data. They claimed the vulnerability had been fixed in version 7.0.1:

[Read more]