• Regarding this notice: Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups

    I find it appalling the Wordfence team would even slightly consider patching this vulnerability for Premium, Care and Response customers right away and make the Free customers wait 30 days?!?!?!!!! WTH.
    It’s YOUR plugin that has put everyone’s data at risk and has opened the door to serious consequences for all site owners regardless of status. You guys need to take care of your customer base for the serious issues that open us up to potential lawsuits.
    The fact that I have to sit and write this comment is disgusting.

    “Wordfence Premium, Care, and Response customers received this rule today, February 17, 2022, while Wordfence Free users will receive this rule after 30 days on March 19, 2022.”


  • Hi ksteele76.

    We did not write the code that led to this vulnerability, nor do we distribute the vulnerable plugin, nor are we associated with UpdraftPlus in any way other than our reporting on it and distribution of a firewall rule to block exploit attempts against it. Our firewall rules block attacks against vulnerabilities but they do not directly change the code of the vulnerable plugin. The free version of Wordfence alerts you when you have a vulnerable plugin installed, and the best, and recommended, solution to this vulnerability is simply to update the UpdraftPlus plugin. Our firewall rules are not intended to be a long-term substitute for keeping your plugins up to date – they allow busy site owners more time to test and prepare for updates. We do release our firewall rules to our free users after 30 days for the benefit of the community, but the solutions we offer to our free users might require some effort on your part, such as updating your plugins after you have been alerted to a vulnerability.

    Thanks,

    Ram Gall
    Wordfence QA Engineer and Threat Analyst

    • This reply was modified 2 years, 9 months ago by ramwf.
    Plugin Author Wordfence Security (@mmaunder)

    I think the author thinks that we created the vulnerability or are somehow responsible for the code that was vulnerable – and that somehow our intent was malicious.

    Wordfence works with vendors to help them secure their code. We do this confidentially. That helps keep the entire community safe.

    We also happen to have a firewall product. To provide protection to users of our firewall product, we create firewall rules and release them. When and how we release these rules is up to us. So we release them to our paid customers first, and then to our free customers 30 days later. We’ve been doing this for years, and this is a common practice in the cybersecurity industry.

    Saying that “It’s YOUR plugin that has put everyone’s data at risk and has opened the door to serious consequence for all site owners” is of course false. Our team regularly FINDS vulnerabilities that help keep site owners safe. We also frequently find vulnerabilities that hackers are actively exploiting and make the community aware of these.

    Having said all that, I’d hate to see this author target the vendor for writing a bug that led to a vulnerability. Vulnerabilities are simply celebrity bugs. If you write enough code, you write bugs, and you’ll eventually write a bug that a hacker can exploit to gain access to a system. It’s a normal day-to-day occurrence in software development, and researchers finding those bugs and helping fix them is a normal day-to-day occurrence in the cybersecurity industry.

    Regards,

    Mark Maunder – Founder & CEO.
