  • I also got a vulnerability report from Kinsta this morning.

    Since there has been no update for this plugin for two years, I assume that this security vulnerability will never be fixed and that this plugin should therefore no longer be used.

    @roundaboutweb, you are right. It’s hard to believe that @rosell.dk will update the plugin in the near future.

    Does anyone have a good free alternative?

    Thread Starter juanantonio

    (@juanantonio)

    Maybe the fix is easy and someone may do it and share.

    Gemini -> In versions 0.25.9 and earlier, the webp-on-demand.php script likely used a hardcoded or predictable path logic to find its configuration file, similar to this simplified vulnerable code:

    // webp-on-demand.php (Vulnerable implementation logic)

    // Directory holding the plugin's config files (assumed here for illustration).
    $config_directory = WP_CONTENT_DIR . '/webp-express/';

    // The configuration filename is hardcoded and predictable.
    $config_filename = 'webp-on-demand-config.json';
    $config_filepath = $config_directory . $config_filename;

    // This path can be easily guessed by an attacker:
    // /wp-content/webp-express/webp-on-demand-config.json

    // webp-on-demand.php (Fixed implementation logic)

    // 1. Get the unique token/salt stored during plugin activation.
    // This token is unique to this WordPress install and hard to guess.
    $security_token = get_option('webp_express_config_salt', 'default_fallback');

    // 2. Use the token to create an unpredictable configuration filename.
    $config_filename = 'webp-on-demand-' . $security_token . '.json';
    $config_filepath = $config_directory . $config_filename;

    // The full path is now non-guessable, blocking unauthenticated direct access.
    // Example: /wp-content/webp-express/webp-on-demand-a8b2c4f1d9e7.json

    Didn't try it, but maybe someone can confirm.



    jones8896

    (@jones8896)

    This is not a real vuln because exposed information is useless for potential attackers. Besides, abs path can be obtained via other methods. But, temp fix:

    add this to your nginx vhost (and restart the nginx service):

    location ~* ^/wp-content/webp-express/config/.*\.json$ {
        access_log off;
        log_not_found off;
        return 403;
    }

    This will deny public access to plugin’s config files.

    Note: no need to do this for Apache because .htaccess files are added by the plugin already (that is why CVE mentions only Nginx).
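A way to sanity-check what the nginx rule above actually covers before relying on it, as an added example that is not from the thread or the plugin: the function below emulates how nginx normalises a request URI (query string dropped, percent-decoding, duplicate slashes merged, `.`/`..` segments resolved; this emulation is an assumption about nginx, not its code) and then tests the `~*` regex from the snippet against constructed sample paths. It shows that the rule is case-insensitive and survives encoding tricks, but also that it only protects the `/config/` subdirectory: the `webp-on-demand-config.json` path quoted in the Gemini-generated post earlier in the thread would not be matched, and neither would a `.json.bak` copy.

```python
import re
from urllib.parse import unquote

# The location regex from the nginx snippet above; nginx `~*` means case-insensitive.
LOCATION_RE = re.compile(r"^/wp-content/webp-express/config/.*\.json$", re.IGNORECASE)


def nginx_normalize(request_uri: str) -> str:
    """Approximate the URI normalisation nginx applies before matching `location`.

    Assumed behaviour (not nginx's own code): the query string is ignored,
    the path is percent-decoded, consecutive slashes are merged
    (merge_slashes on, the default) and `.` / `..` segments are resolved.
    """
    path = request_uri.split("?", 1)[0]   # location matching ignores the query string
    path = unquote(path)                  # %63 -> c, etc.
    path = re.sub(r"/+", "/", path)       # merge_slashes
    segments = []
    for seg in path.split("/")[1:]:       # drop the empty segment before the leading slash
        if seg == "..":
            if segments:
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def is_blocked(request_uri: str) -> bool:
    """True if the nginx rule would answer this request with 403."""
    return LOCATION_RE.match(nginx_normalize(request_uri)) is not None


def coverage_report(request_uris):
    """Map each URI to whether the rule blocks it, for a quick before/after review."""
    return {uri: is_blocked(uri) for uri in request_uris}


# Constructed sample requests (not captured traffic).
SAMPLE_URIS = [
    "/wp-content/webp-express/config/config.json",             # plain request
    "/WP-Content/WebP-Express/Config/CONFIG.JSON",             # case variation
    "/wp-content/webp-express/config/config.json?download=1",  # query string
    "/wp-content//webp-express/config/%63onfig.json",          # encoding + double slash
    "/wp-content/webp-express/config/../config/config.json",   # dot-dot segment
    "/wp-content/webp-express/webp-on-demand-config.json",     # path from the Gemini post: outside /config/
    "/wp-content/webp-express/config/config.json.bak",         # backup copy: not .json
]

if __name__ == "__main__":
    for uri, blocked in coverage_report(SAMPLE_URIS).items():
        print(f"{'403' if blocked else '---':>4}  {uri}")
```

Because nginx picks the first matching regex location in file order, and a `^~` prefix location takes precedence over regex locations entirely, the real answer also depends on the rest of the vhost; run the same paths through `curl -I` against a staging host after reloading to confirm the 403 end to end.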

    Wishlight

    (@wishlight)

    I’m thinking of installing Avif Express by Pijush Gupta. It’s basically the same functionality, just with fewer buttons. Transparent avif requires a gd with avif support. Webp works out of the box and seems to work the same way. But I’ll only do that if @rosell.dk doesn’t update the plugin.

    Plugin Author rosell.dk

    (@roselldk)

    I have a PR ready with a fix.
    It needs testing, but I'm too tired to do that now (it's way past my bedtime).

    Those of you who might be able to test a pull request are very welcome to check it.
    It's here: https://github.com/rosell-dk/webp-express/pull/619

    I expect to upload tomorrow. Perhaps only for testing, perhaps I publish directly.
    I expect it to take some time for the WordPress crew to approve the changes though. We will see.

    Plugin Author rosell.dk

    (@roselldk)

    The fix is now published

    Thread Starter juanantonio

    (@juanantonio)

    Thanks so much, Rosell, for fixing and sharing the update — really appreciate your help on that.

    Plugin Author rosell.dk

    (@roselldk)

    Marking as resolved
