ramwf
Forum Replies Created
Forum: Plugins
In reply to: [WooCommerce] Patch for new vulnerability?

An update – after further review, the vulnerability was actually patched in version 8.4.0, meaning the current version is not vulnerable. We’ve updated our vulnerability record to reflect this and will be revisiting our processes to ensure this type of issue doesn’t happen again.
Thanks,
Ramuel Gall

Forum: Plugins
In reply to: [WooCommerce] Patch for new vulnerability?

Hi All,
It looks like this was in fact a miscommunication – Version 8.5.0 containing a patch was not only pushed to GitHub but also to the WordPress SVN, and an entry mentioning the XSS was noted in the 8.5.0 changelog which cued us into the vulnerability in the first place.
Our standard process is not to disclose vulnerabilities until they’re patched – but in this case it looks like 8.5.0 was rolled back. The bad news is that the patch is publicly available meaning that it’s now trivial for any attackers to find the same vulnerability – it would be public at this point even if we didn’t have our vulnerability entry.
The good news is that it’s Reflected Cross-Site Scripting, which requires user interaction, and all Wordfence users, including Free Wordfence users, as well as users of almost all other WAF products from other providers, should be protected from this type of issue.
While Cross-Site Scripting vulnerabilities can have Critical impacts, the threat posed by this particular vulnerability is fairly low – don’t click on any suspicious links, and make sure you have a firewall like the Wordfence Firewall installed, and you’ll be fine. We’re going to mark it unpatched for the time being and keep an eye out for when a full patch is released.
- This reply was modified 2 years, 4 months ago by ramwf.
Hi Liam,
Exploiting a vulnerability requires several conditions:
- A vulnerable software component running on your site
- An attack that can successfully exploit that vulnerable component
- Nothing stopping the attack from exploiting the vulnerability
Automated outside-in vulnerability scans such as Nessus tend to try a huge range of exploits and are highly prone to false positive results that require experience to interpret. OWASP ZAP is useful but not nearly as well-maintained and significantly more prone to false positive results than other offerings, and unless it is using a ruleset specifically designed for WordPress it is unlikely to detect meaningful vulnerabilities (and even then runs into the same issues as other scanners such as Nessus).
In addition to this more general set of issues, many automated vulnerability scanners will test for vulnerabilities across a wide range of systems. For instance, such a scanner might try sending out SQL injection attempts designed to attack different database systems, such as Microsoft SQL, MySQL, and others.
As WordPress runs on MySQL/MariaDB, an attack designed to exploit Microsoft SQL cannot work against WordPress, and so the Wordfence firewall would not block it because there are no vulnerable components for such an attack to exploit.
If ZAP is indicating the presence of a particular vulnerability that is not being blocked it may be worth additional investigation, but the results you’re currently seeing are very generic and do not provide sufficient information to do so.
Hi, thanks for bringing this up. I checked in and that’s correct, Wordfence no longer participates in the Privacy Shield Program, my emphasis was more that the ruling you brought up seems to be specific to government access to data but I included additional context. We now use an updated method to lawfully transfer data between the EU/UK and USA. Our Privacy Policy describes how we collect and handle any information gathered from users of the Service.
To the extent you are acting as a data controller of personal data subject to the EU or UK General Data Protection Regulation (the “GDPR”), the Standard Contractual Clauses found at https://www.wordfence.com/standard-contractual-clauses and the UK International Data Transfer Addendum found at https://www.wordfence.com/uk-international-data-transfer-addendum apply.
- This reply was modified 3 years, 2 months ago by ramwf.
Hello,
From the link you posted:
It is important to note that the CJEU’s Schrems II decision was focused solely on government access to data. The CJEU did not question the protections that the EU-U.S. Privacy Shield offered EU individuals in the commercial sphere. The U.S. commitments under the EU-U.S. DPF regarding signals intelligence are included in the Executive Order and regulations governing the new DPRC.

It seems a bit extreme to rate a plugin 1 star in the hopes of warning off everyone in the EU from ever installing it again because of a legal decision that happened 2 months ago that (and I must emphasize that I am not a lawyer) does not seem to apply to this particular circumstance.
If you have been contacted by a lawyer about this and asked to pay fees, you may wish to consider the possibility that this was an opportunistic move on their part. Seeking a second legal opinion from someone who specializes in these types of cases might be an additional cost but is highly recommended.
(Disclosure: I do work for Wordfence, and we make a considerable effort to maintain compliance with data protection regulations in the regions where we do business, which includes regularly reviewing the current state of these regulations)

Hi ksteele76,
We did not write the code that led to this vulnerability, nor do we distribute the vulnerable plugin, nor are we associated with UpdraftPlus in any way other than our reporting on it and distribution of a firewall rule to block exploit attempts against it. Our firewall rules block attacks against vulnerabilities but they do not directly change the code of the vulnerable plugin. The free version of Wordfence alerts you when you have a vulnerable plugin installed, and the best, and recommended, solution to this vulnerability is simply to update the UpdraftPlus plugin. Our firewall rules are not intended to be a long-term substitute for keeping your plugins up to date – they allow busy site owners more time to test and prepare for updates. We do release our firewall rules to our free users after 30 days for the benefit of the community, but the solutions we offer to our free users might require some effort on your part, such as updating your plugins after you have been alerted to a vulnerability.
Thanks,
Ram Gall
Wordfence QA Engineer and Threat Analyst

Hi,
The error you’re seeing is not due to a Wordfence signature detecting an issue, and it does not indicate that any vulnerabilities are present. It’s happening because something incorrectly formatted got passed to unserialize in class-wwpdf-license-api.php and the error is getting logged in the scan window. You appear to be running the premium version of the WaterWoo PDF plugin so I can’t really tell much more without looking at the code. Wordfence does run an update check on all plugins to see if any updated versions are available, and it’s likely that this is what triggered the error you’re seeing, as premium plugins frequently hook into the update check in order to retrieve available updates from the author’s website.
P.S. It’s true that Wordfence uses regular expressions to search for malicious code. This is because regular expressions are one of the most powerful and useful ways to find patterns when properly crafted. We’re continually refining the patterns we use to minimize false positives. We have over 3,000 signatures in production, and I promise none of them are looking for anything as simple, innocuous, and widespread as “serialize(”.
- This reply was modified 5 years, 5 months ago by ramwf.
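As an added illustration of the point made in the reply above (this is example code, not Wordfence's scanner, and neither pattern below is a real Wordfence signature), the following Python compares a naive signature that matches the bare substring "serialize(" against a narrower one that only fires when unserialize() is fed directly from request input ($_GET, $_POST, $_COOKIE, $_REQUEST), optionally through base64_decode()/stripslashes()/urldecode(). The PHP snippets, file names and the wwpdf_license option name are constructed for the demonstration.

```python
import re

# Naive signature: matches every serialize() call and, because the substring
# "serialize(" also occurs inside "unserialize(", every unserialize() call too.
# This is the kind of pattern the reply says is NOT used: it would flag
# ordinary, legitimate plugin code.
NAIVE_SIGNATURE = re.compile(r"serialize\(")

# Narrower signature (illustrative, not a real Wordfence rule): unserialize()
# whose argument is a request superglobal, possibly wrapped in decoding calls
# that do not validate the data.  Matches
#   unserialize( [base64_decode( | stripslashes( | urldecode( ]* $_POST[
_REQUEST_INPUT = r"\$_(?:GET|POST|COOKIE|REQUEST)\s*\["
_WRAPPERS = r"(?:(?:base64_decode|stripslashes|urldecode)\s*\(\s*)*"
UNSAFE_UNSERIALIZE = re.compile(
    r"\bunserialize\s*\(\s*" + _WRAPPERS + _REQUEST_INPUT,
    re.IGNORECASE,
)

# Constructed PHP fragments standing in for files a malware scan would walk.
# The first two are normal plugin code (persisting and reloading a setting);
# the last two pass attacker-controlled bytes straight into unserialize().
SAMPLE_FILES = {
    "benign-save.php": "update_option('wwpdf_license', serialize($license));",
    "benign-load.php": "$license = unserialize(get_option('wwpdf_license'));",
    "suspect-post.php": "$obj = unserialize(base64_decode($_POST['payload']));",
    "suspect-cookie.php": '$state = unserialize( stripslashes( $_COOKIE["state"] ) );',
}


def scan(files, signature):
    """Return the sorted names of the files whose contents match `signature`."""
    return sorted(name for name, source in files.items() if signature.search(source))


def compare_signatures(files=SAMPLE_FILES):
    """Run both signatures over the same corpus and report the difference."""
    naive = scan(files, NAIVE_SIGNATURE)
    narrow = scan(files, UNSAFE_UNSERIALIZE)
    return {
        "naive_hits": naive,
        "narrow_hits": narrow,
        # Files the naive pattern flags that the narrower pattern does not:
        # these are the false positives a too-simple signature would produce.
        "naive_false_positives": sorted(set(naive) - set(narrow)),
    }


if __name__ == "__main__":
    for key, value in compare_signatures().items():
        print(f"{key}: {value}")
```

The naive pattern flags all four constructed files, including the two that only persist and reload a plugin setting; the narrower pattern flags only the two where request input reaches unserialize() unvalidated. Real signature sets are far larger and tuned against a corpus of known-good plugin code, but the trade-off is the same: a signature must describe the dangerous shape of the code, not a substring that legitimate code shares.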
Forum: Plugins
In reply to: [Wordfence Security - Firewall, Malware Scan, and Login Security] Unblocking

Hi CamZL1,
After additional research, it looks like the contents of the ‘wfblocks7’ table in your database may have been corrupted – the image displayed in the screen would only display if the values of the blocked IPs in that table were set to an empty value. The good news is that I’ve verified that these blocks can still be removed by checking the box next to them and clicking “Unblock”.
Thanks,
Ram

Forum: Plugins
In reply to: [Wordfence Security - Firewall, Malware Scan, and Login Security] Unblocking

Hi CamZL1,
It sounds like your site might not be detecting IPs correctly. Could you please send over a diagnostics report via (Wordfence > Tools > Diagnostics > Send report by email) to wftest [at] wordfence [dot] com.
Please include your forum username (CamZL1) in that second field and I’ll take a look for you!
Thanks,
Ram

Hi voltima,
I had a look at your diagnostics and it looks like a caching issue is potentially at fault. We recommend renaming or removing the wp-content/advanced-cache.php file. If this does not resolve the issue, the next step to take would be to disable the Wp-Optimize plugin to determine if there’s a conflict – if disabling this plugin corrects the issue and reactivating it causes the issue to occur again, let us know. If this does not resolve the issue you may need to contact your host for help temporarily disabling any caching proxies, since you’re hosted with a provider that has a number of aggressive caching settings available including a caching proxy.
Thanks,
Ram

Forum: Plugins
In reply to: [Quick Call Button] WordFence possible malicious code report

Hi vincentejc,
Speaking for Wordfence, it looks like that particular result was likely a false positive. Usually Wordfence adds plugins in the ww.wp.xz.cn repository to our list of allowed files, but on occasion a new version of a plugin will contain an updated file that matches one of our malware detection signatures before we have a chance to add it to our allowed list. During this time the malware scan may detect the updated file even though it is a false positive. At this time you should no longer see this scan result.
Forum: Plugins
In reply to: [Wordfence Security - Firewall, Malware Scan, and Login Security] Scan Failed

Hi youfarhan,
Can you email a diagnostics report to wftest [at] wordfence [dot] com please? To do this, go to Wordfence->Tools->Diagnostics.
Thanks,
Ram

Hi dccorp,
In standard PHP-FPM configurations, a typical firewall optimization makes a change to the PHP configuration by adding an auto_prepend_file directive to .user.ini. The .user.ini file by default has a cache TTL of 5 minutes, after which the TTL would expire and the new configuration would be used. If this directive is instead added to php.ini or another higher-level configuration file for the site it may be necessary for the php-fpm service to be manually restarted. Depending on how virtualmin/webmin handles this it is possible that manually restarting the php-fpm service is the only option on your configuration. Most of the documentation I’ve found for virtualmin/webmin appears to indicate that restarting the php-fpm service is necessary when making any change to the PHP configuration.
Thanks,
Ram

Forum: Plugins
In reply to: [Wordfence Security - Firewall, Malware Scan, and Login Security] Scan Failed

Hi youfarhan,
Are you still encountering this issue? While we’re not aware of any problems on our end it is possible that there was a temporary network issue between your site and our servers. Please let us know if the problem is still happening.
Thanks,
Ram

Hi Kuyhaa,
The “?wordfence_syncAttackData=” URL is used by Wordfence to migrate data from temporary storage into the database and it is normal for it to show a blank page if you attempt to visit it – it is actually what is used to update Live Traffic. To stop seeing this, you can change your Live Traffic settings to “Security Only”.
As far as the issue with connecting back to your own site is concerned, this means that your site is sending requests to itself (such as the wordfence_syncAttackData request). If you go to Wordfence->Tools->Diagnostics, there should be a listing of “IP(s) used by this server” under “Connectivity”. You’ll want to make sure that none of these IPs are blocked. If the issue persists, you may need to contact your hosting provider for further assistance.
Thanks,
Ram