• This plugin has had a pattern of security vulnerabilities.

    In 2016 alone, there were 4 serious security vulnerabilities published in the iThemes Security plugin:

    • Potential Authenticated DOM Cross-Site Scripting (XSS)
    • Insecure Backup/Logfile Generation
    • Lack of Capability Check
    • Unauthenticated Stored Cross-Site Scripting (XSS)

    I would say that 3 vulnerabilities in a plugin of this type over a 2 year period would be too much, but 4 in 1 year is excessive. In all, your plugin has had 11 known vulnerabilities from August 1, 2014 to October 6, 2016 – just over 2 years. That is an extraordinarily high number for that short time period!

    Even more alarming than the quantity of known exploits is the fact that almost all of your plugin’s security vulnerabilities are easily predictable and therefore preventable if you have some basic security knowledge.

    While your plugin may prevent certain specific security issues, by missing some basic security practices, you are opening up websites to other new vulnerabilities. This makes it seem that your development team doesn’t have a good grasp of security principles. And unfortunately, for a dev team that works on a security plugin, that doesn’t work.

    One thing I will say in your defense – this is definitely a good trait – by all reports you have responded quickly to reported vulnerabilities, and issued fixes very quickly. So kudos on that…not everyone is so responsive.

    Unfortunately however, with security it’s not enough to be responsive…it’s essential to predict and prevent threats.

    Most end users will have no idea that your plugin is introducing new attack vectors into their site. They will think the plugin is working fine. (Until their site gets hacked.) And it may work quite well for the specific tasks you want it to accomplish. But the security issues negate the benefit, without users knowing any better.

    From what we have read, you have had your own website hacked, and outsource your own website security to another company.

    The question needs to be asked: If you don’t even manage your own security, should you really be developing a security plugin?

    Here’s my point – please answer these questions:

    • What are your plans to improve this plugin’s security and prevent new security vulnerabilities from emerging in the future?
    • Are you going to hire any security experts to be part of the development team for this plugin, and improve its security moving forward?
    • Do you have any plans to have security experts audit the plugin before each release?
    • Is your development team going to receive advanced security training?

    If your answer to any of these questions is “No”, or you don’t have a clear answer, then the only ethical thing to do would be to retire the plugin altogether, or hand it off to a different development team that is competent in cybersecurity, and specifically WordPress security.

    Looking forward to your response. Thank you for your time.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter blackhawkcybersec

    (@blackhawkcybersec)

    So…no response?

    @blackhawkcybersec

    According to the FAQ section in the readme.txt file:

    = Where can I get help if something goes wrong? =
    * Official support for this plugin is available for iThemes Security Pro customers. Our team of experts is ready to help.

    Free support may be available with the help of the community in the www.remarpro.com support forums (Note: this is community-provided support. iThemes does not monitor the www.remarpro.com support forums).

    Thread Starter blackhawkcybersec

    (@blackhawkcybersec)

    @pronl

    I appreciate your response, but I’m not sure why you’re sharing that, as it’s not exactly relevant. This is not about iThemes Security Pro (although it would share the same issues)…it’s about the free version.

    Are you part of the iThemes team? If so, that should be disclosed on your profile, and you should be added to the list of developers. (We noticed that you respond to a lot of support requests for the iThemes security plugin.) If you are not part of their team, then our post was not directed to you. These issues need to be addressed by the iThemes Security team.

    Even if a plugin developer does not provide free support (which says a lot), they should at the very least monitor the support forums and redirect users to the official support venue. By not even monitoring the forums, they are making a willful decision to ignore their users’ feedback and needs. User feedback is a valuable tool to guide a development team, and ignoring that is an unwise move.

    The issue we posted is serious, and the community needs to be aware of it. The iThemes Security team needs to address these issues.

    @blackhawkcybersec

    Just trying to set the right expectations.

    And no, I’m not with iThemes. This is a public forum. Therefore anyone from the community can contribute to any topic.

    Totally agree with the rest of your post though.

  • The topic ‘Pattern of Security Vulnerabilities in iThemes Security Plugin’ is closed to new replies.