13 Nov 2024

WP Engine Failed to Vet Security of Plugin Acquired This Year or Fix Vulnerability in It Once It Was Reported to Them

When it comes to whether Matt Mullenweg or WP Engine are the bad guys in the recent dispute between them, the reality is that both have played a decidedly harmful role in the security of WordPress plugins. Sometimes that comes from them working together. Last year, we noted that WP Engine was falsely claiming that a popular WordPress plugin contained a security vulnerability. That was caused by them using a known unreliable source of vulnerability data, WPScan. Incredibly, WP Engine’s VP of security admitted earlier in the year that they haven’t done due diligence on WPScan’s data:

We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else. [Read more]

1 Nov 2024

WP Engine’s Poor Security Partially Explained by CTO Who Lacks Basic Security Knowledge

In WP Engine’s lawsuit against Automattic and Matt Mullenweg, the examples of WP Engine using the WordPress trademark over the years also show that they have placed a big emphasis on handling security well. That hasn’t matched the actual results. In late 2015, they suffered a breach that required the “passwords for the WP Engine user portal, SFTP, the original WP-Admin account, password-protected installs and transferable installs, and the WordPress database” to be reset. Their explanation for the breach was that it came through the provider they outsourced the hosting of websites to. It was the same provider that had led to a more limited breach two years before. Either they could safely rely on outsourced infrastructure but failed to properly vet it, or they couldn’t rely on it at all. Either way, they were promising security they were not delivering.

Their poor handling of security has continued in various ways into the present. Just in May, we found that they had failed to actually fix a vulnerability in one of their plugins. Compounding that problem, they were providing their customers with warnings about vulnerabilities in WordPress plugins that are known not to be reliable information. Last year, the provider of that data had promoted WP Engine’s use of it with a quote from WP Engine’s VP of Security admitting he hadn’t done basic due diligence. If he had done basic due diligence, he would have known the data provider isn’t reliable. Amazingly, that person is still employed despite publicly admitting to not acting professionally in a way that has put WP Engine’s customers at unnecessary risk. [Read more]

21 Oct 2024

Automattic Deleted Blog Post Praising WP Engine, Where WP Engine’s VP of Security Admitted to Not Doing Basic Due Diligence

One question that has come up a lot recently when it comes to the situation with Matt Mullenweg and WP Engine is who is the bad guy? Considering that Matt Mullenweg is engaged in a now very public extortion campaign against WP Engine, they are clearly a victim. But that doesn’t mean they are the good guys. Sometimes they are the bad guys alongside Matt Mullenweg’s company Automattic.

In July of last year, we covered a situation where WP Engine was falsely claiming that a popular WordPress plugin contained a vulnerability. (Because everything is related, the developer of that plugin has become another victim of the current mess.) The cause of the false claim was that WP Engine didn’t actually vet vulnerability claims. Instead, they used a source well known not to be reliable, WPScan. WPScan is owned by Automattic. [Read more]

24 Sep 2024

Automattic’s Matt Mullenweg Basically Admitted on Reddit That He Was Trying to Extort WP Engine

After days of WordPress and Automattic head Matt Mullenweg attacking a competitor of Automattic, WP Engine, there was a response from WP Engine as to what was going on. That came in the form of a cease and desist letter they released yesterday. In it, WP Engine’s legal counsel, Emanuel Quinn, made this stunning set of claims in the second paragraph of the letter:

Stunningly, Automattic’s CEO Matthew Mullenweg threatened that if WP Engine did not agree to pay Automattic – his for-profit entity – a very large sum of money before his September 20th keynote address at the WordCamp US Convention, he was going to embark on a self-described “scorched earth nuclear approach” toward WP Engine within the WordPress community and beyond. When his outrageous financial demands were not met, Mr. Mullenweg carried out his threats by making repeated false claims disparaging WP Engine to its employees, its customers, and the world. Mr. Mullenweg has carried out this wrongful campaign against WP Engine in multiple outlets, including via his keynote address, across several public platforms like X, YouTube, and even on the WordPress.org site, and through the WordPress Admin panel for all WordPress users, including directly targeting WP Engine customers in their own private WordPress instances used to run their online businesses. [Read more]

10 Jul 2024

WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Them

In May, we found that numerous security providers had failed to catch that a vulnerability in the 100,000+ install WordPress plugin Genesis Blocks hadn’t been fully fixed. It was a good reminder of the importance of relying on vulnerability data that is actually vetted, which isn’t true of most sources. At the time, we had tried to contact the developer to let them know about the failure to fully fix this, but they didn’t provide a contact method for doing that. We did find that the parent company of the developer, WP Engine, has a security page, but it doesn’t provide a way for non-customers to contact them. It directs customers to contact them through a general contact form. Both of those things are odd. It also mentions a third-party bug bounty program, which wouldn’t be relevant to the issue we were trying to reach them about (and wouldn’t have put us in touch with them).

The vulnerability has remained in the plugin since then. The plugin also remained in the WordPress Plugin Directory despite being publicly known to be vulnerable. That is, until two days ago, when it was closed there: [Read more]

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

When it comes to the very common occurrence of vulnerabilities in WordPress plugins not actually being fixed, many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though, one that keeps “your website vulnerabilities up to date” instead of fixing them: [Read more]

26 Jul 2023

WP Engine Sending Out Emails Falsely Claiming Popular WordPress Plugins Contain Unfixed Vulnerabilities

Earlier today, we covered how Patchstack and their partners have been falsely claiming that WordPress plugins contain vulnerabilities caused by usage of an outdated version of the Freemius library. They have been joined in that by WP Engine and the Automattic-owned WPScan.

Here is an example of that email sent out for the 100,000+ install plugin Pods: [Read more]

19 Apr 2023

WP Engine Didn’t Disclose They Were Fixing Vulnerability in 200,000+ Install WordPress Plugin

Recently, the WordPress security provider Patchstack claimed that a cross-site request forgery (CSRF) vulnerability had been fixed in the 200,000+ install WordPress plugin PHP Compatibility Checker. Patchstack has a track record of providing inaccurate information on vulnerabilities in WordPress plugins, so you can’t take them at their word that there really was a vulnerability or that it has been fixed. Unfortunately, they also don’t provide the basic information needed to double-check their claims. In this case, they provide this generic description of what CSRF is as the “details” of the vulnerability:

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress PHP Compatibility Checker Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.6.0. [Read more]

5 Apr 2023

WP Engine’s New WordPress Plugin Contains CSRF Vulnerability

From what we have seen, WP Engine has a reputation for having a good handle on security, despite a bad track record going back many years. In line with that track record, we found that the WordPress plugin they released on the WordPress Plugin Directory last week, Pattern Manager, lacks a basic security check, leading to a minor vulnerability.

In the file /wp-modules/editor/model.php, the plugin registers the function redirect_pattern_actions() so that it is accessible even to those not logged in to WordPress: [Read more]