Wordfence Launches Holiday Bug Bounty Program for WordPress
Quick take - The Wordfence Bug Bounty Program is hosting the End of Year Holiday Extravaganza and the WordPress Superhero Challenge until December 9, 2024, inviting researchers to report vulnerabilities in WordPress plugins and themes. Recent significant vulnerabilities identified in the Anti-Spam by CleanTalk plugin earned bounties for their discoverers, and patches have since been released to address these security risks.
Fast Facts
- The Wordfence Bug Bounty Program’s End of Year Holiday Extravaganza runs until December 9, 2024, inviting researchers to report vulnerabilities in WordPress plugins and themes with 1,000+ active installations.
- Valid submissions can earn a minimum bounty of $5, with high-impact vulnerabilities potentially yielding up to $31,200, and researchers may receive bonuses of 5% to 180%.
- Significant vulnerabilities were found in the Anti-Spam by CleanTalk plugin, allowing unauthenticated attackers to install arbitrary plugins, leading to potential remote code execution.
- Patches for the identified vulnerabilities were released on November 1 and November 14, 2024, and users are urged to update to version 6.45 to mitigate risks.
- Wordfence has implemented firewall rules to protect users against these vulnerabilities, with free version users receiving access to these protections on November 29 and December 4, 2024.
Wordfence Bug Bounty Program: End of Year Holiday Extravaganza
The Wordfence Bug Bounty Program is currently hosting the End of Year Holiday Extravaganza and the WordPress Superhero Challenge. This initiative will run until December 9, 2024. Researchers are invited to report vulnerabilities in WordPress plugins and themes, focusing on those with 1,000 or more active installations. Plugins and themes with 50-999 active installations are also included, provided they are hosted in the WordPress.org repository and have been updated within the last two years.
Bounty Details
The minimum bounty for valid submissions is set at $5, with researchers eligible for automatic bonuses ranging from 5% to 180%. High-impact vulnerabilities can result in bounties as high as $31,200. Recently, significant vulnerabilities were identified in the Anti-Spam by CleanTalk plugin, which has over 200,000 active installations.
On October 30, 2024, a submission was made regarding an Authorization Bypass via Reverse DNS Spoofing vulnerability. This vulnerability allows unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution. Following this, another vulnerability was discovered on November 4, 2024, with similar implications.
Researcher Recognition and Security Measures
The researcher, identified as mikemyers, reported the first vulnerability and was awarded a bounty of $4,095.00 for their findings. Wordfence’s mission emphasizes enhancing web security through collaboration with researchers via the Bug Bounty Program. To protect users, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule on October 30, 2024, guarding against the first vulnerability. Free version users will gain access to this protection on November 29, 2024. A second firewall rule for the vulnerability discovered on November 4, 2024, was provided to Wordfence Premium, Care, and Response users the same day, with free version users receiving it on December 4, 2024.
The CleanTalk team was contacted on October 30, 2024, and responded the same day. A patch addressing the first vulnerability was released on November 1, 2024, followed by a second patch on November 14, 2024. Users are strongly urged to update to the latest patched version of the Anti-Spam by CleanTalk plugin, version 6.45. Versions up to 6.43.2 are susceptible to unauthorized arbitrary plugin installation because of the authorization bypass described above, and versions up to 6.44 are vulnerable because the `perform` function does not check whether the `api_key` value is empty before using it.
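The two root causes named above, a trust decision based on reverse DNS and a key comparison that never rejects an empty key, are both instances of well-known defensive gaps. The following PHP is an added illustration written for this page; it is not CleanTalk's or Wordfence's code and makes no claim about how the plugin's `perform` function is actually written. It assumes a remote-control endpoint that authorizes callers by (a) an API key stored in the site's options and (b) the caller's IP reverse-resolving to a trusted domain. The hostnames, IPs and the `resolve_ptr`/`resolve_a` callbacks are constructed so the logic runs offline.

```php
<?php
// Added illustrative example (not plugin or vendor code).
// Shows the empty-key comparison bug class beside its fix, and a
// forward-confirmed reverse DNS check in place of trusting a PTR record alone.

/**
 * Vulnerable pattern: if the site never configured an API key, $stored is ''
 * and a caller who simply sends an empty key passes the comparison.
 */
function key_matches_vulnerable(string $stored, string $provided): bool {
    return $stored === $provided;   // '' === '' evaluates to true
}

/**
 * Hardened pattern: refuse outright when either side is empty, then compare
 * in constant time so the check does not leak key bytes through timing.
 */
function key_matches_hardened(string $stored, string $provided): bool {
    if ($stored === '' || $provided === '') {
        return false;
    }
    return hash_equals($stored, $provided);
}

/**
 * Forward-confirmed reverse DNS (FCrDNS). Whoever controls the reverse zone
 * for an IP can publish any hostname in its PTR record, so the PTR alone is
 * not proof of identity. Resolving that hostname forward and requiring the
 * original IP to appear among its addresses closes the gap.
 *
 * $resolve_ptr and $resolve_a are injected so this can run without network
 * access; in production they would wrap gethostbyaddr() and gethostbynamel().
 * Note gethostbyaddr() returns the IP itself when no PTR exists.
 */
function requester_is_trusted(string $ip, string $trusted_domain,
                              callable $resolve_ptr, callable $resolve_a): bool {
    $host = $resolve_ptr($ip);
    if ($host === false || $host === $ip) {
        return false;                          // no PTR record at all
    }
    $domain = strtolower(ltrim($trusted_domain, '.'));
    $host   = strtolower(rtrim($host, '.'));
    // Anchor the match on a label boundary so "evil-example.com" cannot pass.
    if ($host !== $domain && !str_ends_with($host, '.' . $domain)) {
        return false;
    }
    $addrs = $resolve_a($host);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

// Constructed sample data: 198.51.100.7 publishes a PTR claiming to be the
// trusted API host, but the forward record for that host does not list it.
$ptr = [
    '203.0.113.10' => 'api.example-trusted.com',
    '198.51.100.7' => 'api.example-trusted.com',
];
$a = ['api.example-trusted.com' => ['203.0.113.10']];
$resolve_ptr = fn(string $ip) => $ptr[$ip] ?? false;
$resolve_a   = fn(string $h)  => $a[$h] ?? false;

var_dump(key_matches_vulnerable('', ''));
var_dump(key_matches_hardened('', ''));
var_dump(requester_is_trusted('203.0.113.10', 'example-trusted.com', $resolve_ptr, $resolve_a));
var_dump(requester_is_trusted('198.51.100.7', 'example-trusted.com', $resolve_ptr, $resolve_a));
```

Run with `php example.php` on PHP 8 or later (for `str_ends_with`). The first `var_dump` is the bug class: an unconfigured key and an empty submitted key compare equal. The hardened function rejects that case, and the FCrDNS check accepts only the IP that the trusted hostname actually resolves back to, rejecting the one that merely claims the name in its PTR record. When reviewing any plugin that authorizes remote requests, these are the two checks to look for: a non-empty, constant-time key comparison, and a reverse lookup that is confirmed by a forward lookup.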
These vulnerabilities pose a critical risk: they allow unauthenticated attackers to install and activate arbitrary plugins on affected sites, which can lead to remote code execution if another vulnerable plugin is present. Wordfence advises all users to ensure their sites are updated to the latest patched version to mitigate these risks.
Original Source: Read the Full Article Here