Think Like a Hacker Episode 105

Episode 105: The Hottest Trend in WordPress

An analysis of WordPress-related search trends found that interest in WooCommerce-related searches dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, a plugin installed on over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the official repositories. And a supply chain attack affects users of the once-legitimate Barcode Scanner Android app. We also discuss some career opportunities on the Wordfence team.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:31 Wordfence is hiring for numerous roles, including PHP development, and Security/Operations
1:50 Our K-12 site audit and site cleaning program continues
2:30 Our threat intelligence team discovered numerous vulnerabilities in Ninja Forms
6:25 WordPress issues a statement about pirated themes and plugins on repositories
10:00 WordPress search terms for 2020
13:51 Supply chain attack on Android Barcode Scanner app, reminiscent of Mason Soiza supply chain attacks.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 105 Transcript

Ram Gall:
Hello, and welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. Hey Kathy, how are things, other than very cold?

Kathy Zant:
It’s cold. I haven’t really talked a lot about my move to Texas, but I think I might need some therapy after moving to Texas and then having this historic storm basically cripple the entire state. It has been interesting times, but there’s some interesting times in WordPress security, so let’s just jump right into it. Hey, I hear we are hiring.

Ram:
That we are. We are hiring for a SecOps role. So if your OpSec is good and you’re good at Sec and Ops, please apply. Also, we’re hiring a senior PHP Dev.

Kathy:
All right. I was going to ask you to explain. Usually I’m asking you to explain things, but if you don’t know what SecOps is, it’s probably not the role for you. But if you do know what it is, we’d love to talk to you. This job comes with a number of challenges and interesting fun things to play with, as well as a great team, an amazing team, and you would be contributing to helping us to secure 4 million plus WordPress sites. So it’s a very rewarding position, as is the senior PHP role, we’ve got a lot of things going on, don’t we?

Ram:
We do. Securing our infrastructure and taking part in our operations is something that we are hoping to get some cool people for.

Kathy:
Yeah, definitely. And do you get a percussion instrument as part of your welcome package?

Ram:
You do. I got a gong, but I mean, if you want a bell or some chimes. We could maybe swing a xylophone, depending on… I don’t know. You’d have to check with…

Kathy:
Check with HR. HR handles percussion around here.

Ram:
Yeah, it’s true.

Kathy:
We definitely have a lot of fun. We also have another initiative we want to just bring to your attention, and this is our K-12 site cleaning and site audit initiative. If you are, or you know of, a K through 12 school, meaning kids, that is using WordPress, that may need some security auditing, or may have a security concern that needs a site cleaning, we will do it at no charge. It’s part of our initiative to educate the educators on security, and our way of giving back to schools that are using WordPress. So we will have a link to that in the show notes, but I just wanted to mention that. If you know of a school, please forward that on to them.

And it looks like Chloe found some severe vulnerabilities in Ninja Forms. Ram, what did she find?

Ram:
Okay. Well, first of all, Ninja Forms is installed on over 1 million WordPress sites.

Kathy:
1 million. Oh, that sounds…

Ram:
1 million. They’re actually pretty cool people, we love them. They have an actual security policy and an email address to email disclosures to, so they usually get on problems real quick. We found issues with their plugin in the past, and they’re just very helpful, they get stuff fixed quickly. They have a great response.

Ram:
Anyways, Chloe found four vulnerabilities. So two of them we kind of have to use together. One of them was basically a flaw that let attackers redirect site administrators to arbitrary locations. So you could send a link to an administrator that looks like it’s going to their own website, but it’ll really redirect them to like maliciousdomain.com. And I mean, that’s one of the reasons you don’t click on random links in email, but there are several others.

Ram:
So the second one, this was really interesting. It made it possible for anyone with an account on the site, like a subscriber or a shopper or a customer, to install a plugin, a specific plugin that could be used to intercept all mail traffic. But this is where the third flaw comes in: basically, if an attacker installed that plugin and actually set it up, which they could do, they could retrieve the OAuth connection key and basically establish a connection with the Ninja Forms central management dashboard for the attacker’s account.

Kathy:
Oh wow.

Ram:
And that’s where they could actually read mail traffic coming from the site. If you reset the password for an admin user, then you can just intercept the email and go, “Oh hey, I can click this link and reset this admin’s password to whatever I want it to be. Muahahahaha.” So yeah. I never would have considered that particular attack vector, but Chloe found a way to make it work, so I’m super impressed.

Kathy:
Wow. That’s pretty amazing. So the attacker would have to have an account with Ninja Forms in order to exploit that, so probably not a lot of attackers would be doing that.

Ram:
I mean, even the trial costs like a dollar I think, so this is something that would be reserved for high-value targets. But at the same time, it’s the sort of thing that if there’s a site that you’re specifically targeting, an attacker that’s motivated enough might find that extremely attractive to be able to read all the mail sent from that site.

Kathy:
And honestly, my site is a high-value target — to me — if it’s being attacked.

Ram:
Yes, it is, Kathy.

Kathy:
I’m putting myself in the shoes of an average site owner who maybe is doing something with WooCommerce and has a number of orders coming in. And that is a very high-value target to them if their site is compromised with something like that. Value is obviously in the eye of the valuer. If that’s even a saying.

Ram:
Yeah, there’s definitely some sites that would be worth it to an attacker to target like this. So we’re very glad that they patched it. We also have firewall rules protecting our users, of course. And there was a final flaw, where attackers could trick an administrator into clicking a link and disconnecting their own connection to Ninja Forms if they had that set up. That’s typically not going to be quite as big of a deal, mostly just a nuisance, unless of course the attacker needed to set this up in the first place and couldn’t because it was already connected.

Kathy:
So this was fully patched in version 3.4.34.1. We have firewall rules and it looks like premium customers are protected. And by the time you hear this podcast, free customers of Wordfence will be protected as well, but you should still always update your plugins.

Ram:
Update. Always update your plugins, please.

Kathy:
Definitely. All right. Looks like Search Engine Journal had an interesting story about pirated themes and plugins on the official WordPress site. That looks pretty interesting. I wouldn’t imagine that there would be pirated themes and plugins on WordPress.org, but there’s a repo of many themes and over 50,000 plugins. And so, if you are an attacker or someone who is trying to get something out to many people, you might want to pirate a theme and put some malware in it or something.

Ram:
I mean, you might. And we did do some research earlier this year about how malware from nulled pirated themes and plugins was one of the biggest threats facing WordPress. In this case, it looks like the main issue is that people were basically taking premium plugins and themes and just reposting the code verbatim onto the free repository without any changes, according to what they’re claiming. Which is basically taking credit for someone else’s work. All WordPress plugins, at least all plugins on the repo, are licensed under the GPL because they’re derivative works. So WordPress is not opposed to people reusing each other’s code if they’re making something new out of it. But this was literally just basically plagiarism. And given that WordPress is very much big on free software, if they’re saying it’s a problem, then it’s actually a problem.

Kathy:
Gotcha. So somebody is buying something from CodeCanyon perhaps, and then repurposing that as their own and putting it on the repo?

Ram:
Yeah. Yeah. It sounds like that is what is happening. Wouldn’t be super surprised if they’re maybe not also adding a few little extra bits of code or if they might be planning on doing that at some point in the future. We do know that WordPress does examine plugins when they’re first added, but then updates might not be monitored as widely. It’s possible that this may have been a strategy to rack up a fairly high install count and then maybe insert some sort of supply chain malware.

Kathy:
Yeah. Otherwise, I don’t really understand what the motivation is of somebody spending money to buy somebody else’s plugin off of CodeCanyon and then putting it on the repo. There has to be some other kind of motive for them to do that beyond just putting it on the repo.

Ram:
One can assume that there’s likely some sort of monetary motive, but there’s so many paths that could take. Could be someone making a competing premium plugin, trying to devalue their competitor’s plugin, who knows.

Kathy:
Sure, sure. Well, WordPress is now powering over 40% of the web. It is a huge behemoth of a community, a behemoth of a content management system. It is a target for all sorts of things, including this very odd thing.

Ram:
I just like saying behemoth.

Kathy:
It is a fun word, that and plethora, right?

Ram:
Yes.

Kathy:
So I mean, we’re going to see things like this, and it’s really great to see that the .org team is issuing a statement that they are aware that this is happening and that they’re going to ensure that if it is someone else’s code with some kind of copyright, or even if it’s GPL and it’s someone else’s code, that they’re taking a stance that this is unacceptable.

Ram:
Even if your code is allowed to be copied for derivative works, that doesn’t necessarily mean that the pictures or advertising copy is something that isn’t copyrighted. The code might be duplicable, but the person who made the original plugin still owns the pictures and the other creative work.

Kathy:
Right. Okay. Well, this’ll be interesting to watch to see what happens there. And so, I found some interesting statistics. This came from the MasterWP weekly newsletter, which is a fascinating newsletter, we’ll have a link to it in our show notes. But they were not only talking about WordPress’ market share, but they started looking at search terms and search trends for WordPress over the last year. WordPress keywords increased by 14%, plugin keywords increased 17.8%, themes only 8.7%. But guess what was 44.3%, Ram?

Ram:
I don’t know.

Kathy:
You do too know, you’re looking at the same thing I’m looking at. I was going to give the big bang to you.

Ram:
Okay, okay, okay. It’s WooCommerce. Yes, I know.

Kathy:
It’s WooCommerce. Commerce on WordPress increased 44.3%. So this is WordPress, WooCommerce, and looking for specific things for WooCommerce, but it basically is showing us that there is… Well, obviously, WordPress is a content management system. It started as a blogging platform, but now there’s over 50,000 plugins that you can plug into it. You can create a membership site, you can create newsletters, you can create a learning management system. There are tons of things you can do with WordPress, but the thing people are doing, I think, the most with WordPress looks like WooCommerce. At least that’s what the search traffic is showing us. WooCommerce and WordPress seems to be a growing use case, which means, I would assume, that security and WooCommerce… If you’re taking credit card transactions, security in WooCommerce is a huge thing as well. So for those of us in the WordPress space, I find this to be interesting.

Ram:
It makes sense to me. I think a lot of people are starting to open up online stores for side gigs these days.

Kathy:
Yeah.

Ram:
And I mean, don’t get me wrong, WooCommerce isn’t easy to use, but if you’ve tried any of the other free open source e-commerce alternatives, it’s still significantly easier than, say, Magento or any of the Joomla or Drupal add-ons that you might be able to use. The only easier alternatives are pay to play.

Kathy:
Right, right. Like Shopify is so huge. I mean, obviously, they are the e-commerce hosted solution, but you can also publish blog posts. And there are people in the Shopify world who are like, “Oh, I’m going to use this as my content management system.” But as far as getting started, open source, getting your storefront up, WordPress and WooCommerce is the easiest way to go. So some more statistics: 6,500 searches per month looking for a membership solution, 4,300 a month want to use their store for drop shipping, 3,100 a month want a point of sale solution for using WooCommerce in a physical shop, which I thought was interesting as well.

Ram:
That’s a very peculiar and weird thing considering, I mean, a lot of people are just using Square, which incidentally is one of the default payment gateways for WooCommerce.

Kathy:
Sure. Sure. Well, I mean, if you’re really thinking forward as a shop owner and you’re using just your payment processor, trying to actually take those customers and then mail to them would be many steps that you would have to go through in order to do that. But if you’re using WooCommerce, all of your customers are right there. You can use another plugin and then access those customers for a mailing perhaps, those types of things. So either way, it’s interesting to see that so many people are using WordPress for WooCommerce.

Ram:
It is. I’m going to digress at this point and cover our next item. And it’s something that we’ve actually talked about before in the podcast and also in articles, but there’s a new supply chain attack. So the Barcode Scanner app for Android, which I think many of you may have downloaded. I know that at some point in the past I actually downloaded it and removed it because I don’t actually need a barcode scanner very often. But it’s the thing you use to scan the little QR codes with your phone. Anyways, it was a legitimate app, and then a company called Lavabird, as I understand it, was basically acting as a middleman: they purchased the app and they were going to sell it to a new buyer. And apparently, this new buyer added some adware code to the app.

Ram:
So we’ve actually seen this dynamic happen before in WordPress, where a man named Mason Soiza bought a number of plugins and added malicious spam, SEO spam, advertising code to those plugins. This is something that happens, attackers will actually spend money to buy a popular app or a popular plugin and inject malware into it, because that way you already have a user base. I think that that’s actually going to be a weird side effect of WordPress automatic updates becoming more of a thing, a sort of unanticipated knock-on effect: with automatic updates being more likely to happen, I think that’s going to make WordPress plugins a more attractive target, because if you can buy a plugin that already has a lot of users, you’re more likely to get the malicious code distributed to more of them if they have automatic updates turned on.

Kathy:
Yeah. Interesting. So the software you trust today might not be the software that’s trustworthy in the future, huh?

Ram:
Exactly.

Kathy:
Yeah. Interesting. Okay. Well, we still have our recommendations. I don’t think they’re changing much about automatic updates and that…

Ram:
We do think you should still manually update your plugins all the time.

Kathy:
If you can. I mean, if you’re just sitting there and letting your site be and you’re only using trusted software from organizations that have a long history of maintaining their code, you’re good. Turn those automatic updates on. But if your plugin author is named Mason, Mason Soiza, maybe… No, I think Mason is banned, banned forever.

Ram:
From WordPress at least.

Kathy:
From WordPress, yes. Anyway, so definitely interesting story there about that Android app. Supply chain attacks seem to be the hot rage after SolarWinds these days, huh?

Ram:
I mean, they’ve been going on for a while now. It’s just that all of a sudden everyone is aware that there are a bunch of ways to do this, and that some of them can be very profitable for threat actors.

Kathy:
Yeah, definitely. Well, that’s why you have security teams like Wordfence behind your site. We keep an eye on all of these things and bring you the news wherever and whenever we can. And if you want to join that team, go to the show notes and click on that employment link. We’d love to hear from you. And until next week, if you want any more news, just follow us on our social media. Come join us on Wordfence Live, we had such a fun time the other day. We talked about Wordfence Central and teams and, what else?

Ram:
Chloe demoed a lot of Wordfence Central stuff. It was pretty cool.

Kathy:
Wasn’t it cool?

Ram:
Yeah, showed how to apply templates to stuff and set event notifications. I mean, if you’ve got a bunch of sites that you’re managing, it’s super useful to be aware and to be made aware when something weird happens. You can configure it to send you an alert when an administrator logs in to one of your sites. And that way if you get that alert and it’s not you, then you know something’s weird.

Kathy:
Definitely. So that link to that Wordfence Live episode will be in the show notes as well. Definitely worth watching, and there’s timestamps and chapter links in that YouTube video, so you can jump around and get the overviews that you need. Thanks for joining me again, Ram, and I will talk to you next week.

Ram:
Yep. I will see you all next week or talk to you next week at least. Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.


Comments

  • Do you offer an affiliate program, as I want to start telling people about your product? It's a bit pricey but worth it, I am sure. Not making any money from the site yet, but I will buy once I do. Most of my blog post comment posters are struggling themselves during covid-19-21.

    • Hi Leo! At the moment, we do not have an affiliate program. We appreciate the sentiment, however, and we're grateful you're using Wordfence!