• Resolved stevenmaas

    (@stevenmaas)


    The WP-Optimize plugin creates the file wpo-plugins-tables-list.json. The file contains all the plugin information for my website and is a major security issue. Your file has created a blueprint for recent hacking attempts on several of my websites. Server log files determined that these hackers were using plugin information found in the wpo-plugins-tables-list.json to exploit plugins on our websites.

    I use the WP Hide plugin to disable the WordPress REST API as well as other files. This was necessary due to daily hacking attempts. However, WP-Optimize is still exposing this sensitive information.

    How can you disable the file from being generated? You should inform your users that your plugin creates the wpo-plugins-tables-list.json and that it contains all the plugin information for the website.

Viewing 5 replies - 1 through 5 (of 5 total)
  • @stevenmaas Thanks for reporting this, I’ll share this with our development team to further investigate.

    Hi @stevenmaas,

    The file contains all the plugin information for my website

    wpo-plugins-tables-list.json doesn’t contain any specific information about yours or any website. What it contains is a general and anonymous list of plugins and their associated database tables.

    This list is used to compare with your database in order to determine which tables are used by which plugins.

    If found by an attacker, the only real information they would get from that file is that WP-Optimize is installed.

    Your file has created a blueprint for recent hacking attempts on several of my websites. Server log files determined that these hackers were using plugin information found in the wpo-plugins-tables-list.json to exploit plugins on our websites

    Could you explain what makes you think the above?

    Best regards,
    Marc

    Thread Starter stevenmaas

    (@stevenmaas)

    Marc:
    Server logs show attackers accessing the wpo-plugins-tables-list.json file. You should notify your users when you create files that expose this sensitive information.

    How do you disable this file from being created?
    Why is this file created by your plugin?

    You can disable this by using the following filter:

    add_filter( 'wpo_update_plugin_json', '__return_false' );

    The data is used in the database optimisations in order to determine if tables are used or belong to uninstalled / deactivated plugins.

    I’ll reiterate that the data in this file does not contain sensitive information, and none of the information is directly linked to the website the plugin is installed on.

    It’s a list of plugins present on WP.org’s repository and their associated database tables. The only information given by this file is that WP-Optimize is installed on your website.
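The table-ownership comparison described in this reply (and in Marc's earlier one) is the kind of logic a worked example makes concrete. The block below is an added illustration written for this page; it is not WP-Optimize's code and does not read its real wpo-plugins-tables-list.json. It builds a constructed mapping of the shape described (plugin slug to the base names of the tables that plugin creates), then compares it against a constructed list of a site's database tables and its installed and active plugins, bucketing every table as core, active plugin, deactivated plugin, uninstalled plugin, or unknown. All slugs, table names and the core-table subset are made up for illustration.

```python
import json

# Constructed sample of the kind of generic mapping the reply describes:
# plugin slug -> base names (without table prefix) of the database tables that
# plugin creates. The slugs and table names are illustrative and are NOT copied
# from WP-Optimize's real wpo-plugins-tables-list.json.
PLUGIN_TABLES_JSON = json.dumps({
    "example-shop": ["shop_sessions", "shop_order_items"],
    "example-firewall": ["fw_config", "fw_hits"],
    "example-events": ["ev_events"],
})

# Subset of WordPress core table base names (the real list is longer).
CORE_TABLES = {
    "posts", "postmeta", "options", "users", "usermeta", "terms", "termmeta",
    "term_taxonomy", "term_relationships", "comments", "commentmeta", "links",
}

# Constructed site-specific inputs. These come from the site's database and
# plugin directory, not from the JSON file.
SAMPLE_DB_TABLES = [
    "wp_posts", "wp_options", "wp_shop_sessions", "wp_fw_config",
    "wp_fw_hits", "wp_ev_events", "wp_custom_cache",
]
SAMPLE_ACTIVE_PLUGINS = {"example-shop"}
SAMPLE_INSTALLED_PLUGINS = {"example-shop", "example-firewall"}


def classify_tables(plugin_tables_json, db_tables, active_plugins,
                    installed_plugins, prefix="wp_"):
    """Bucket each database table by who owns it.

    Returns a dict with keys core, active_plugin, deactivated_plugin,
    uninstalled_plugin and unknown. Plugin buckets hold (table, slug) pairs.
    """
    mapping = json.loads(plugin_tables_json)
    # Invert the JSON: table base name -> owning plugin slug. If two plugins
    # ever claimed the same name, the first one listed wins.
    owner_of = {}
    for slug, tables in mapping.items():
        for table in tables:
            owner_of.setdefault(table, slug)

    buckets = {"core": [], "active_plugin": [], "deactivated_plugin": [],
               "uninstalled_plugin": [], "unknown": []}
    for full_name in sorted(db_tables):
        if not full_name.startswith(prefix):
            # Another prefix means another install sharing the database;
            # never treat its tables as ours.
            buckets["unknown"].append(full_name)
            continue
        base = full_name[len(prefix):]
        if base in CORE_TABLES:
            buckets["core"].append(full_name)
        elif base in owner_of:
            slug = owner_of[base]
            if slug in active_plugins:
                buckets["active_plugin"].append((full_name, slug))
            elif slug in installed_plugins:
                buckets["deactivated_plugin"].append((full_name, slug))
            else:
                buckets["uninstalled_plugin"].append((full_name, slug))
        else:
            # Not core and not in the mapping: a custom table or a plugin the
            # list does not know about. A cleanup tool must not touch these.
            buckets["unknown"].append(full_name)
    return buckets


def removal_candidates(buckets):
    """Only tables of plugins that are no longer installed are worth even
    considering for removal; deactivated plugins may be re-enabled later."""
    return [table for table, _slug in buckets["uninstalled_plugin"]]


if __name__ == "__main__":
    result = classify_tables(PLUGIN_TABLES_JSON, SAMPLE_DB_TABLES,
                             SAMPLE_ACTIVE_PLUGINS, SAMPLE_INSTALLED_PLUGINS)
    for bucket, tables in result.items():
        print(f"{bucket}: {tables}")
    print("removal candidates:", removal_candidates(result))
```

In this model the JSON supplies only the generic slug-to-tables mapping; which tables actually exist, which plugins are installed and which are active all come from the site itself and never enter the file. Tables that are neither core nor in the mapping land in the unknown bucket on purpose: a cleanup routine that guesses about tables it cannot attribute is how data gets lost.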

    Thread Starter stevenmaas

    (@stevenmaas)

    The data is used in the database optimisations in order to determine if tables are used or belong to uninstalled / deactivated plugins.

    Can this be achieved without creating the json file for everyone on the internet to see?

    I would highly recommend trying to keep a zero WordPress fingerprint on your plugin. I receive thousands of attempts to hack our websites on a monthly basis. This is all due to the standardization of the WordPress structure. Over 70% of traffic on all websites is to try and hack WordPress.

  • The topic ‘Major Security issues with wpo-plugins-tables-list.json’ is closed to new replies.