• Resolved parogdev

    (@parogdev)


    Hi @gripgrip,

    I’m Parog, and I’m both a WordPress plugin developer and a security enthusiast. I recently encountered an issue on a client’s website that was redirecting traffic to malicious sites. During my investigation, I noticed that WPCode was being used as part of the exploit strategy, which led me to reach out.

    While I understand that a compromised access point, likely through another plugin or credentials, was necessary to leverage WPCode in this attack, I’m concerned about the potential security risks associated with your plugin. Specifically, WPCode’s functionality can be appealing to those with malicious intent, particularly because it can be easily hidden to run server-side scripts.

    I recognize that there are limits to what you can do as a developer, and I appreciate the value your plugin brings to many users. However, I believe there might be room for improvement in addressing the risks posed by those who seek to misuse WPCode. For instance, implementing safeguards that prevent the execution of user-input code if the plugin is hidden from the plugin list could be a meaningful step towards mitigating these risks.

    My intent in reaching out is not to criticize, but rather to share my observations and hope that they might contribute to further strengthening the security of your plugin. By proactively addressing these concerns, I believe WPCode can avoid negative feedback and continue to be a trusted tool within the WordPress community.

    For context, here’s how the attack is being used: the infected site in question did not have WPCode installed prior to the breach, and the method of infection remains unclear. I found this article that might be relevant: Link to Article.

    Thank you for your time and consideration. I’m happy to discuss this further if you have any questions or need additional insights.

    PS: Version 2.1.12 seems to be the version being installed by script kiddies at the moment, if it can be any help.
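The safeguard parogdev proposes above depends on knowing whether a plugin is being hidden from the Plugins screen. In WordPress that concealment is normally done through the `all_plugins` filter, which the plugins list table applies to the result of `get_plugins()`. The following is an added example for site owners, not code from WPCode or from either poster: a must-use plugin that compares the unfiltered scan with the filtered list and reports any difference. The function name and notice wording are made up for illustration.

```php
<?php
/**
 * Added example (not WPCode code): place in wp-content/mu-plugins/ to surface
 * plugins that exist on disk but have been removed from the Plugins screen
 * through the all_plugins filter. Function and notice names are hypothetical.
 */

// Return plugin files that get_plugins() finds but the filtered list no longer shows.
function example_detect_hidden_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $on_disk = get_plugins();                                // unfiltered scan of wp-content/plugins
    $shown   = apply_filters( 'all_plugins', $on_disk );     // the hook WP_Plugins_List_Table applies
    return array_keys( array_diff_key( $on_disk, $shown ) ); // e.g. "some-plugin/some-plugin.php"
}

// Log the discrepancy and show an admin notice to administrators.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $hidden = example_detect_hidden_plugins();
    if ( empty( $hidden ) ) {
        return;
    }
    error_log( 'Hidden plugins detected: ' . implode( ', ', $hidden ) );
    add_action( 'admin_notices', function () use ( $hidden ) {
        echo '<div class="notice notice-error"><p>Plugins present on disk but hidden from the list: '
            . esc_html( implode( ', ', $hidden ) ) . '</p></div>';
    } );
} );
```

Because must-use plugins load before regular plugins and cannot be deactivated from the dashboard, this check keeps running even if an attacker with administrator access hides or tampers with regular plugins; it does not, however, cover code dropped directly into the theme or into `wp-content/mu-plugins/` itself, which a file-integrity scan would have to catch.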

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Mircea Sandu

    (@gripgrip)

    Hi @parogdev,

    Thank you for reaching out and for your suggestions. We will look into what options we have to limit the plugin execution if the plugin is hidden. If you have other suggestions here please post them here or reach out using the form at https://wpcode.com/contact and we’ll look into implementing them.

    Regarding mitigation here, we added extra checks in the plugin that prevent execution of common malicious patterns in a code snippet but there’s a limit to what we can do from the plugin due to the plugin being open source. Once a malicious user has administrator level access to a website, they can overcome most checks we add in the plugin.

    If you can install any plugin as an administrator you can even make a copy of WPCode, remove any checks we have and simply upload the plugin to the site – there’s no way for us to mitigate that.

    It ultimately comes down to having basic security checks in place that start with having strong passwords that are not used on any other website.

    Thread Starter parogdev

    (@parogdev)

The incident I handled was halted (the access was) by using a 2FA plugin.

Maybe suggesting it would be an idea. I know this is not entirely your product's fault, but being able to show that you take the security of your users to heart would go a long way against the bad reviews you are getting.

    Thanks for your response. Best of luck with your plugin!
