• Resolved mike.s

    (@mikes-1)


    I'm getting a security alert popup on all my clients' sites and it's causing them worry as they think their website is not secure:

    SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress version 4.7.4, which has 1 known security vulnerabilities. You should upgrade WordPress as soon as possible. More Information

    which links to this page – https://wpvulndb.com/wordpresses/474

Viewing 15 replies - 1 through 15 (of 37 total)
  • Plugin Contributor redsand

    (@redsand)

    Hi Mike,

    WP-SpamShield periodically checks the WPScan Vulnerability Database for WordPress exploits, and if the site’s WordPress version has a known vulnerability, then it will alert the admin.

    WordPress currently has a 0-Day Exploit that has not been patched.

    This is a legit security issue. The link you posted above explains the issue. You can also see these for more info:

      WordPress Security Issue in Password Reset Emails to Be Fixed in Future Release — WordPress Tavern
      Unpatched WordPress Password Reset Vulnerability Lingers — Threatpost

    If a server is configured properly, it won’t be an issue. A properly configured server won’t allow requests with faked Host headers, and will ensure that $_SERVER['SERVER_NAME'] does not get overwritten by a user-supplied header. However, many servers are not configured properly.

    The WordPress Tavern article discusses one mitigation technique using code added to a plugin or your theme’s custom functions.php file. (It’s recommended to use a child theme if you do this.)

    The risks can be mitigated in a couple of other ways as well.

    One is easily done in your site’s .htaccess file.

    If your site’s domain is “www.yourdomain.com”, the code would look like this:

    
    # Any request whose Host header is not exactly the canonical domain is
    # redirected to it, so WordPress only ever runs with the expected host.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !=www.yourdomain.com
    RewriteRule ^/?(.*)$ https://www.yourdomain.com/$1 [R=301,L]
    

    This ensures that your site only functions when the correct Host header is used, which would effectively prevent the exploit from being used.

    Notes:

    • Place this code near the top of your .htaccess file.
    • Replace www.yourdomain.com with your site’s preferred domain. (www vs non-www)
    • If your site does not use https (SSL/TLS), then replace the https with http.
    • If your .htaccess already has RewriteEngine On, then you can skip that line, as it only needs to be included once, before the first RewriteCond/RewriteRule set.

    I would encourage you to request that the WordPress Dev team fix the issue as soon as possible.

    The next version of WP-SpamShield will include a mitigation patch for this 0-Day so that at least all WP-SpamShield users will be protected.

    I hope this info helps. If you need any further help, please submit a support request at the WP-SpamShield Support Page and we’ll be happy to help.

    – Scott
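
As an added example, not from this thread or from WP-SpamShield, the following Python model shows the data flow Scott describes: the Host header becoming SERVER_NAME on a server that does not enforce a canonical name, that value becoming the From address of the reset e-mail, and the .htaccess rule above stopping the request before it reaches WordPress. It assumes the site domain www.yourdomain.com from the .htaccess example, reproduces WordPress 4.x's default From construction (wordpress@ plus lowercase SERVER_NAME with a leading www. removed), and uses constructed requests only, so it runs offline. The behaviour of Apache's UseCanonicalName directive is described from its documentation; everything else here is illustrative.

```python
# Added example (not from the thread or the plugin): a Python model of the
# Host header -> SERVER_NAME -> reset-mail From address flow, plus a mirror
# of the .htaccess redirect rule. Assumes the domain "www.yourdomain.com".
# Requests below are constructed; nothing touches the network.

CANONICAL_HOST = "www.yourdomain.com"  # assumed canonical site domain


def server_name(headers, use_canonical_name=False):
    """Value a server would expose as $_SERVER['SERVER_NAME'].

    Apache with UseCanonicalName Off (the default) copies the client's Host
    header, port stripped; with UseCanonicalName On it uses the configured
    ServerName regardless of what the client sent.
    """
    if use_canonical_name:
        return CANONICAL_HOST
    return headers.get("Host", CANONICAL_HOST).split(":", 1)[0].lower()


def default_mail_from(name):
    """Default From address WordPress 4.x builds when no filter overrides it."""
    sitename = name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def htaccess_decision(headers, path="/"):
    """Mirror of the RewriteCond/RewriteRule pair from the post above.

    Any request whose Host header is not exactly the canonical domain gets a
    301 to the canonical URL and never reaches WordPress.
    """
    if headers.get("Host", "") != CANONICAL_HOST:
        return ("301", "https://%s/%s" % (CANONICAL_HOST, path.lstrip("/")))
    return ("200", None)


def simulate(headers, path="/", use_canonical_name=False):
    """Run one constructed request through both the mail path and the rule."""
    name = server_name(headers, use_canonical_name)
    return {
        "server_name": name,
        "mail_from": default_mail_from(name),
        "htaccess": htaccess_decision(headers, path),
    }


if __name__ == "__main__":
    forged = {"Host": "attacker.example"}  # constructed attacker request
    honest = {"Host": CANONICAL_HOST}      # constructed normal request
    # Misconfigured server: the From address follows the forged Host header.
    print(simulate(forged, path="wp-login.php?action=lostpassword"))
    # Same forged request with UseCanonicalName On: SERVER_NAME stays pinned.
    print(simulate(forged, use_canonical_name=True))
    # Normal request: served, From address built from the real domain.
    print(simulate(honest, path="wp-login.php?action=lostpassword"))
```

The first call shows both halves of the point: on a server that copies the Host header into SERVER_NAME, the mail would go out as wordpress@attacker.example, but the .htaccess rule answers the same request with a 301 before PHP runs, so WordPress never sees the forged host.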

    Thread Starter mike.s

    (@mikes-1)

    Hi Scott

    Thanks for the reply… this does not however cover the fact that it's alarming for all my clients.

    Plugin Contributor redsand

    (@redsand)

    Hi Mike,

    I can definitely understand that. Please remember that WP-SpamShield is a security plugin, and sometimes security alerts might be alarming. To be honest, a security alert should be alarming. It’s not something you want to ignore. Security issues require action.

    The alert shouldn’t show up more than once per week per site, as long as the exploit is unpatched. Once it’s patched and the site is upgraded, it won’t pop up. (As long as there are no known exploits in the new version.)

    I would recommend checking your clients’ server configurations, and making sure they are configured properly so as to nullify the exploit. You may want to implement one or more of the mitigation methods mentioned above. Once you’ve ensured that the client servers are no longer vulnerable, then you may want to email each of your clients a short note about the alert explaining that yes there is an unpatched exploit in WordPress, but that you have taken steps to mitigate the issue. Once this is done, let them know that their sites are safe, and that they can safely ignore the alert until WordPress releases a new version with the patch.

    If you have any further questions or issues, please use the WP-SpamShield Support Page and we’ll be happy to help.

    – Scott

    Thread Starter mike.s

    (@mikes-1)

    Hi, the sites are all up to date… I have had 6 clients contact me just today about this warning thinking their website is insecure, when it's not…

    Looks like I'm going to have to uninstall SpamShield from all client sites and install an alternative as it's causing confusion with my clients.

    Plugin Contributor redsand

    (@redsand)

    Hi Mike,

    I’m sorry to hear that you feel that way. It seems that you are wanting to shoot the messenger.

    I have had 6 clients contact me just today about this warning thinking their website is insecure, when it's not…

    To be clear, the vulnerability exists in the current version of WordPress, so just because they are up to date, does not mean they are secure. If you have not taken the mitigation steps mentioned above, then your client sites are still insecure.

    The warning in WP-SpamShield is 100% accurate. If there is confusion among your clients, it is not up to us to clear that up for you. The plugin is doing its job.

    You’re always welcome to choose another anti-spam plugin that has less of a focus on security.

    Whatever you choose, just keep in mind that you still need to address the security issue.

    – Scott

    Thread Starter mike.s

    (@mikes-1)

    It's just a bit OTT and alarmist…

    thanks

    Plugin Contributor blackhawkcybersec

    (@blackhawkcybersec)

    Hi Mike,

    We would disagree about the alert being “over the top” or “alarmist”. 2016 was a record year for security breaches, and there was a 40% increase in security breaches from 2015 to 2016.

    Most security breaches occur from site owners overlooking the basics.

    When a website owner experiences a hack from something like this that is easily preventable, they would not call a security alert like this “alarmist” if it would have helped prevent the hack.

    When there is a known security issue, it’s important that it is addressed and patched, no matter how seemingly small. When it comes to security, it’s often the little things that get you.

    The alert in the admin simply does these 4 things:

    1. “Insecure WordPress version detected.” – Informs the admin that the current version of WordPress is not secure. (It has at least 1 known vulnerability.) This is 100% true…unless mitigation is applied, the site is vulnerable. (“Vulnerability” does not equal “Malware”, so don’t confuse that.)
    2. “Your site is running WordPress version 4.7.4, which has 1 known security vulnerabilities.” – States how many known vulnerabilities there are for that version.
    3. “You should upgrade WordPress as soon as possible.” – Lets the admin know that they should upgrade as soon as possible. Even though there is no upgrade available yet, this is still true…as soon as there is, they should upgrade as soon as it is possible. (If there is no upgrade available, then manual mitigation methods will be required.)
    4. “More Information” – This provides a link to more information about the issue. The admin should read this to fully understand the issue and inform themselves of available options for mitigation.

    It’s strictly informative and informational. On the whole, it seems relatively neutral and calm.

    I’m not sure how any of that could be considered “alarmist”. If we have the ability to easily detect an issue that could affect user security, we feel the obligation to do so.

    Don’t forget that we deal with clients day-in and day-out just like you do. We have a good deal of experience in this area. Our clients are getting the same alerts. It’s all about how you handle it. When clients have a question about something like this, we let them know what we’ve done to mitigate the threat and secure the site. We don’t recommend ignoring issues, or pretending they don’t exist — in fact the more proactive you can be, the better. When you find out about a threat, let them know as soon as possible and that you are mitigating the threat. Then when you have taken the proper steps to mitigate the threat, let them know, and they’ll be fine, and will have confidence that you’re handling things in the future.

    If you think about it, we’re providing you an opportunity to look awesome to your clients.

    – BHC

    @redsand Thanks very much for the fix. Worked like a charm!

    -Julie

    For those of us running multisite and having lots of users or having web design clients, this sec warning is indeed an issue. Especially when we have to spend quite a bit of time finding the source of the message. At least put something on there that says wp spamshield. Wpvulndb is connected with wpscan and sucuri I believe yet I don’t have wpscan installed so I’ve just spent the last few hours trying to figure out where the message is coming from.
    A www.ads-software.com moderator states they are trying to figure out where it’s coming from as well.
    https://www.ads-software.com/support/topic/wpscanwpvulndb-security-warning-on-fresh-install/#post-9126178
    WP SpamShield is one of the most trusted plugins and you’re one of the most trusted plugin authors, but this was in bad form and almost seems spammy, which is quite ironic.
    Recommending updating WordPress 4.7.4 is pretty ludicrous as well considering there’s nothing to update to. That wording should not have been used until there was a 4.7.5 in existence.

    Plugin Contributor redsand

    (@redsand)

    @juliehowell2017: You’re welcome!

    @jhnpldng:

    Recommending updating wordpress 4.7.4 is pretty ludicrous as well considering there’s nothing to update to.

    Please see our partner Blackhawk Cybersecurity’s response above: https://www.ads-software.com/support/topic/security-alert-6/#post-9119258

    Note that it says:

    “You should upgrade WordPress as soon as possible.” – Lets the admin know that they should upgrade as soon as possible. Even though there is no upgrade available yet, this is still true…as soon as there is, they should upgrade as soon as it is possible. (If there is no upgrade available, then manual mitigation methods will be required.)

    If there’s nothing to upgrade to, that means the security issue is not patched and users should request that the WordPress development team patch the security issue as soon as possible.

    As noted above, we will have an update in the next release that mentions it’s coming from WP-SpamShield, and we will add a mitigation for the security issue so WP-SpamShield users will be protected.

    Security issues should never be ignored, no matter how seemingly “small”. There are mitigation methods available, as explained above.

    Please don’t shoot the messenger.

    – Scott

    If you really think about it, pride put aside, a warning popping up saying WP is vulnerable, recommending updating to something that doesn’t exist, and having a link to a site that’s related to a plugin that I don’t even have, well, that seems spammy.

    Sure, WP SpamShield is security related as you mention above, but it’s always been known to be related to spam in that sense (in fact it’s mentioned three times in the title of the plugin), not WP core vulnerabilities. Also, I presume at this point that all those “security check” links next to all plugins are coming from WP SpamShield as well. I’ve been wondering about that. Those also lead to wpvulndb.

    A simple one time popup mentioning where all this new stuff on people’s dashboard is coming from would have solved the whole mystery.

    “they should upgrade as soon as it is possible.”

    “As soon as it’s possible” or as soon as it’s available is what should be on the warning popup. Another thing that could have been done is to have it link to your site and then have a link on your site that leads to wpvulndb.

    Also, the popup seems to be reoccurring for me. Dismiss it and it comes back.

    WP SpamShield has always been an awesome plugin and it is appreciated by me and many many others. One of the things that’s made it that way is its unobtrusiveness.

    Thanks for all the hard work you put into WP SpamShield. It is appreciated.

    Plugin Contributor redsand

    (@redsand)

    We definitely appreciate the feedback. I think the changes in the upcoming version will be helpful to you, and satisfy those requests. We’ll note that the security alert is provided by WP-SpamShield, and that the data is provided by the WPScan Vulnerability Database. (Which we are not affiliated with.) It’s an outstanding resource though (the de-facto standard for WP), and all users should regularly check it for vulnerabilities in their plugins and WordPress core.

    “As soon as it’s possible” or as soon as it’s available is what should be on the warning popup.

    Agreed. And that’s happening in the next release. Additionally, the warning will only be served to super-admins, which means network admins for multisite, and admins for single-site installs.

    Additionally the plugin will check if the current site is on the most recent version of WP, and adjust the message accordingly.

    Sure, wp spamshield is security related as you mention above but it’s always been known to be related to spam in that sense

    It’s important to remember that spam and security are tightly integrated. Security has always been one of our core specialties. Anti-spam plugins that ignore security are deficient.

    Thanks for all the hard work you put into WP SpamShield. It is appreciated.

    You are very welcome. I realize that some of the things we do in the plugin may not always be understood, but you can be assured that everything we do is in the user’s best interest. We are dedicated to that, and will always work to improve.

    First of all, I appreciate the alert – as a site manager for multiple WP installations, I am happy to know of potential problems, no matter what the source. However, I also was confused at first and mistakenly believed that the source of the alert was from a different plugin. (I used Wordfence on all my sites, so it was natural for me to assume that an alert about a vulnerability would have been generated by that plugin rather than WP-Spamshield).

    So here are several suggestions as to how to avoid confusion (and complaints) in the future:

    1. (Easy) Add text to the alert so that it is clear that it is generated by SpamShield. That will eliminate confusion as to the source of any alerts.

    2. An option in settings to disable dashboard display of security alerts, and/or to restrict display to site administrators only (if this is not already the case). That will give site administrators the ability to determine who sees alerts.

    3. Set up the alert feature so that it checks for the latest version of WP, and suppresses the alert if the site is already updated. Yes, I personally am happy to know about this obscure potential exploit that WordPress apparently does not feel is important enough to patch … but there is nothing that I can do about it other than keep my sites updated to the latest version, so no value in showing the alert in sites that are already running the newest WordPress release.

    I do appreciate your intent to add a mitigation to SpamShield to protect against this exploit – but I think you need to keep in mind that you have a very large user base which includes many site owners or users who are technically unsophisticated and/or who are not native English speakers. So best to keep things simple. It is one thing to remind users to upgrade their sites because of a security concern, quite another when no upgrade has been issued.

    Plugin Contributor redsand

    (@redsand)

    Thanks for the feedback. All of those are good points, and in the works.

    1 & 2 will be in place in the next version.

    3 will be in place in the next version. It currently is limited to admins, but with multisite, there is a higher level of admin – network administrator, aka superadmin. A superadmin on a single-site install is just an admin. In the next version, it will be limited to superadmins. For single-site installs nothing will be different, but on multisite, it will only be seen by the network admin, as they are the only ones with the ability to upgrade or mitigate issues. There actually is something that you can do to mitigate the threat using the .htaccess method. It’s quite easy. See my response above for implementation details.

    Keep in mind that with almost every exploit there is at least one method to mitigate threats, so even if there isn’t an update (which is rare), it can usually be secured fairly easily. With the updates being added in the next release, it should clarify things a bit. Users who don’t know how to mitigate threats themselves will always be welcome to contact us for support, and we’re happy to help.

    We agree with your points and those are all considered.

    I appreciate your efforts to suggest a mitigation to users, but I have determined that my sites are not subject to this vulnerability because of hosting configuration (so no fix needed) and I do not want to modify htaccess files unnecessarily on multiple sites.

    In any case, my only point is that WordPress has not patched this and apparently does not see a patch as a high priority. By “there is nothing I can do” I simply meant that I can’t influence when and if WordPress will ever patch this vulnerability — and given that my sites are not vulnerable, there is no need for me to make configuration changes.

    Here’s a good article that sums up why most security experts seem unconcerned:
    https://www.securitynewspaper.com/2017/05/05/wordpress-zero-day-expose-password-reset-emails/

    These complex exploitation scenarios are most likely the main reason why the WordPress team has not prioritized patching this issue until now. The same opinion is shared by security experts from Sucuri, a vendor of web-based security products, recently acquired by GoDaddy.

    “The vulnerability exists, but is not as critical as advertised for several reasons,” said Sucuri vulnerability researcher Marc Montpas. “The whole attack relies on the fact that the victim’s email is not accessible at the time the attack is occurring, which greatly reduces the chance of a successful attack.”

    His colleague, Denis Sinegubko, also shared his thoughts on the issue. “After a brief reading and assuming the attack works, it has limited impact as it requires an individual site to be accessible by IP address, so will not work for most sites on shared servers. Only for poorly configured dedicated servers.

    (I noted in bold the reason it would not apply to my sites, which are in shared or virtual hosted environments).

  • The topic ‘security alert’ is closed to new replies.