Wordfence’s Solution to Their Firewall Incorrectly Blocking Legitimate Request is to Disable Needed Protection

In our testing, the most popular security-only WordPress security plugin Wordfence Security fails to provide as much protection as other much less popular security plugins. Making the situation worse is that it introduces a significant performance penalty over security plugins Continue reading Wordfence’s Solution to Their Firewall Incorrectly Blocking Legitimate Request is to Disable Needed Protection

WordPress’ Manual Review Fails to Notice Security Provider’s Plugin Is Both Completely Broken and Is Fundamentally Insecure

When someone goes to submit a plugin to the WordPress Plugin Directory, they are told it will go through a manual review before it is allowed in: After your plugin is manually reviewed, it will either be approved or you Continue reading WordPress’ Manual Review Fails to Notice Security Provider’s Plugin Is Both Completely Broken and Is Fundamentally Insecure

You Can’t Trust WordPress Plugin Developers’ Claims That Their Plugins Are Free of Security Vulnerabilities

In December, we wrote about how to check if WordPress plugins are secure. One of the things we mentioned that you can’t rely on is claims made by plugin developers about their handling of security. As a recent issue with Continue reading You Can’t Trust WordPress Plugin Developers’ Claims That Their Plugins Are Free of Security Vulnerabilities

You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Are you relying on a security provider to warn about vulnerabilities in WordPress plugins you use? Are you not testing out the proof of concepts for those vulnerabilities because the security provider claims they are verifying things for you or Continue reading You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Bleeping Computer’s Bill Toulas Spreads Common Misconception About Impact of SQL Injection Vulnerabilities in WordPress Plugins

We often see confusion over the potential impact of one type of vulnerability, SQL injection, that can exist in WordPress plugins. The confusion seems to stem in part from the name of the vulnerability, though that doesn’t explain it entirely. Continue reading Bleeping Computer’s Bill Toulas Spreads Common Misconception About Impact of SQL Injection Vulnerabilities in WordPress Plugins

Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

In June 2021, the WordPress security provider Patchstack announced that they were partnering with WordPress plugin provider and web host 10Web. Patchstack claimed that they and 10Web were working together to “help strengthen the WordPress ecosystem.” It was a curious Continue reading Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

AI Can Help to Catch Vulnerabilities in WordPress Plugins, but It Doesn’t Change Developers’ Bad Handling of Them

A week ago, the developers of the 200,000+ install WordPress plugin Fluent Forms tried to address a security issue in the plugin, but failed, leaving a vulnerability in the plugin. You wouldn’t know about that from various WordPress plugin vulnerability Continue reading AI Can Help to Catch Vulnerabilities in WordPress Plugins, but It Doesn’t Change Developers’ Bad Handling of Them

GoDaddy/Sucuri’s FUD About New “Massive Campaign” Claimed to Involve Hacked WordPress Websites

The headline of the most recent post on the blog of GoDaddy’s security service, Sucuri, blares “Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network”, which was written by Denis Sinegubko. How massive? Not massive at Continue reading GoDaddy/Sucuri’s FUD About New “Massive Campaign” Claimed to Involve Hacked WordPress Websites

Cutting Through Wordfence’s FUD on Millions of Attack Attempts Against WordPress Websites

It isn’t uncommon to see comments online from people scared after a WordPress security solution, say, the Wordfence Security plugin, has alerted them that the solution has blocked a large number of hacking attempts. The best advice as to what Continue reading Cutting Through Wordfence’s FUD on Millions of Attack Attempts Against WordPress Websites

“New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old

Recently the security news outlet Bleeping Computer ran a story from Bill Toulas with the headline “New Linux malware uses 30 plugin exploits to backdoor WordPress sites”, but the only cited source for the story, Doctor Web stated that it Continue reading “New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old

CVE’s Process for Disputing a Claimed Vulnerability is Currently Broken

Security journalists, for reasons that are not entirely clear, treat issuance of a CVE identifier for a claimed security vulnerability as a sign of significance and legitimacy. Take the start of an Ars Technica story from several months ago: It Continue reading CVE’s Process for Disputing a Claimed Vulnerability is Currently Broken

Wordfence Isn’t Telling the Truth About the Sourcing and Reliability of Their Plugin Vulnerability Data

As we have documented multiple times before, Wordfence is providing highly inaccurate information on vulnerabilities in WordPress plugins. We keep running into more examples of that. Earlier this week someone contacted the developer of a plugin about Wordfence’s claim that Continue reading Wordfence Isn’t Telling the Truth About the Sourcing and Reliability of Their Plugin Vulnerability Data

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer. Here was WPScan, the original source for the claim: Continue reading Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of those often get in the way and cause unnecessary problems (as well as other troubling behavior, including deleting Continue reading Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Yesterday, we published a post about Patchstack’s false claim to know about hundreds of undisclosed zero-days, which, if true, would be a very serious issue. Instead, the “zero-days” are “Vulnerabilities reported to us which we are still processing and will Continue reading Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Recently, we noted that the WordPress security provider Patchstack was marketing their service with a misleading claim to be providing “early alerts and protection”, where in one instance, they were only aware of a vulnerability two weeks after it was Continue reading Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Wordfence Intelligence Community Edition Data Continues to Be a Mess

If data providers for WordPress plugin vulnerability information want to keep up with vulnerabilities, one important place to monitor is the WordPress Support Forum. Today, doing that allowed us to warn our customers of a plugin with 8,000+ installs that Continue reading Wordfence Intelligence Community Edition Data Continues to Be a Mess

Matt Mullenweg’s WP Tavern Didn’t Allow Question on Significant State of the Word Related Security Issue

Heads of tech companies controlling the online conversation has been a big issue recently, based on Elon Musk’s takeover of Twitter and his subsequent actions. WordPress has a similar issue that doesn’t get much attention, probably explained, in part, because Continue reading Matt Mullenweg’s WP Tavern Didn’t Allow Question on Significant State of the Word Related Security Issue

WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape and that at the same time, security companies are so obviously dishonest so often. That is something we frequently run across Continue reading WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published