• Resolved aenea

    (@aenea)


    I got a warning a few days ago that plugin ‘Fast Secure Contact Form’ needed an update. When I logged in to my WordPress site to do the update I first clicked on the ‘View update details’ as I always do and was surprised to get an ‘unexpected error’ message. Following this up I found this link https://www.fastsecurecontactform.com/support explaining that the plugin had been compromised by its new owner and has been taken off the WordPress plugin repository.

    The update that appears is a hidden clean update of the plugin, removing the malicious code.

    Given this information, I am surprised that Wordfence didn’t alert me to this state of affairs, rather than just issuing a normal update warning. Given the frequency with which plugin updates appear, I rely on Wordfence to alert me to any critical updates as opposed to the usual run-of-the-mill updates.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi aenea,
    For sure Wordfence will alert you when a plugin is removed from the WordPress Plugins repository; I think it was just a matter of time until this happens.

    We have published a blog post talking about similar behavior from other different plugins, but I’m not sure if this specific plugin you mentioned is involved or not.

    Thanks.

    I just discovered this security issue today, 10 days after aenea’s note. No alerts from Wordfence that I have, in production, 2 plugins that are known-to-be-compromised and were removed from the WP repository: “Fast Secure Contact Form” & “SI Captcha Anti-Spam”

    I’m a premium subscriber, and the Wordfence team has always impressed me. So I wanted to alert you that this functionality is not working as intended/described above, and give you the opportunity to troubleshoot further. I have to believe that “just a matter of time” is not a typical WF design spec.

    More info here: https://www.fastsecurecontactform.com … similar situation as the recent investigative exposé that was posted on the WF blog (great job!).

    Thread Starter aenea

    (@aenea)

    That’s odd. I got the alert that Fast Secure Contact Form needed an update on 23rd Sept. I discovered the real problem (as described in my original post) and did the update on 30th Sept. Then, the next day, I got a critical alert from Wordfence saying that the Fast Secure Contact Form had been removed from the WordPress repository. I assumed that this was Wordfence catching up on the problem with this plugin and that the delay was, perhaps, due to my not being a premium subscriber. But, given the posting above from Rideplan, that doesn’t seem to be the case.

    I now wonder if it was my action of updating the plugin that changed the alert from ‘needs an update’ to ‘withdrawn’. Given that the update is required to clean up the plugin, there is an element of logic in that approach but it still doesn’t explain why the ‘needs an update’ alert wasn’t flagged as critical.

    So there does seem to be something odd about the way Wordfence has handled the alerts for this plugin. Slightly dents my (great) faith in Wordfence to keep me safe from rogue plugins.

    Hi @aenea
    Actually, both warnings are correct. I mean the plugin was updated and removed from the WordPress repository almost at the same time as the malicious code was removed, so that anyone who updated the plugin would get a clean version on their site.

    You can see the revision here with the comment:
    “Remove versions 4.0.53, 4.0.54, and 4.0.55 for malicious code. Bump to 4.0.56, using a copy of 4.0.52. All malicious changes reverted.”

    At the same time, the plugin was also removed from the repository. This left the plugin in sort of a limbo where it was removed, but not quite fully removed. You can see a comment from Otto (who works for the www.ads-software.com plugin team) here that refers to this “hidden but updating” status of plugins.

    This is not something that is affecting all removed plugins, but only these odd cases that Otto is referring to. We will investigate this and make any changes necessary as soon as we can.

    Thanks.

  • The topic ‘Wordfence didn’t alert me to problem with fast secure contact form’ is closed to new replies.