WPEngine security vulnerability gave admin access to any user


WPCandy has been made aware of a security issue at WPEngine, a managed WordPress hosting service that launched earlier this year. According to WPEngine, the issue allowed users to gain admin access to blogs on the WPEngine network. Passwords have since been changed and, according to WPEngine, that particular hole has been closed.

WPEngine has not confirmed the exact nature of the issue, though Aaron Brazell of WPEngine said:

We did have a security issue that was brought to our attention and quickly cleaned up. I cannot comment on the specifics. However, the vulnerability would allow admin access to blogs on our network.

Dre Armeda of Sucuri Security was first to find and notify WPEngine of the issue. Armeda said:

Sucuri privately informed WPEngine of the issue we found and they had a patch to remediate the vulnerability within an hour. It was an interesting issue that should never have occurred, but it did, and they ponied up and fixed it quickly.

We have been in contact with their staff since the issue was discovered and they’re implementing further security controls to continue hardening their system. All in all, this is the type of response you’d like to see from any vendor.

Sucuri does not disclose any security vulnerability without contacting the vendor beforehand, and even then only if the issue has been exposed and fixes need to be posted.

While unconfirmed by WPEngine or Sucuri Security, according to our unnamed source WPEngine had created an admin user account on each of its hosted sites, using the same username and password everywhere, so that its staff could log in to any site. That admin login was then hard-coded, in plain text, into a plugin installed on the sites, so anyone who could open the plugin’s source in the Edit Plugins screen could read the credentials, and, because the same credentials were used on every site, use them to log in as an administrator on any other site on the network. The screenshots below, also provided to us by our source, will help to communicate the alleged nature of the vulnerability.

The screenshot above shows the information allegedly viewable from the Edit Plugins screen, with the login information blurred out.

The screenshot and description above were provided by WPCandy’s unnamed source and have not been verified by WPEngine or Sucuri Security.
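What follows is an added example, not code from the article, WPEngine or Sucuri: a small Python scanner for the anti-pattern the source describes, login credentials written as string literals into WordPress plugin source, where the Edit Plugins screen shows them to anyone who can open the file. The three plugin files it scans are constructed for illustration and are not WPEngine’s plugin; the variable names, the `hostsupport` account and the password in them are invented. It also checks the second half of the alleged problem, the same credential turning up in plugin code on more than one site, which is what turns one readable password into admin access to every site on a network.

```python
"""Find hard-coded login credentials in WordPress plugin source.

Added example (constructed; not the article's, WPEngine's or Sucuri's code).
Secrets are reported as a masked value plus a short hash, so the report
itself does not leak what it found.
"""
import hashlib
import re
from typing import Dict, List, Set

# Assumption: identifiers that usually carry a secret (matched case-insensitively).
SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api_?key|token)"

PATTERNS = [
    # $support_pass = 'literal';
    re.compile(r"\$\w*" + SECRET_NAME + r"\w*\s*=\s*(['\"])(?P<val>[^'\"]{6,})\1", re.I),
    # 'user_password' => 'literal'   (the array handed to wp_signon())
    re.compile(r"(['\"])\w*" + SECRET_NAME + r"\w*\1\s*=>\s*(['\"])(?P<val>[^'\"]{6,})\2", re.I),
    # define('SUPPORT_PASSWORD', 'literal');
    re.compile(r"define\s*\(\s*(['\"])\w*" + SECRET_NAME + r"\w*\1\s*,\s*(['\"])(?P<val>[^'\"]{6,})\2", re.I),
]


def find_hardcoded_credentials(source: str) -> List[dict]:
    """Return one finding per source line that assigns a secret-looking literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                val = m.group("val")
                masked = val[:2] + "*" * (len(val) - 2)
                findings.append({
                    "line": lineno,
                    "snippet": line.strip().replace(val, masked),
                    "masked": masked,
                    # Hash lets findings be compared across sites without storing the secret.
                    "fingerprint": hashlib.sha256(val.encode()).hexdigest()[:16],
                })
                break
    return findings


def shared_across_sites(site_sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map credential fingerprint -> sites whose plugin code carries it,
    keeping only credentials seen on more than one site (the fleet-wide case)."""
    seen: Dict[str, Set[str]] = {}
    for site, src in site_sources.items():
        for f in find_hardcoded_credentials(src):
            seen.setdefault(f["fingerprint"], set()).add(site)
    return {fp: sorted(sites) for fp, sites in seen.items() if len(sites) > 1}


# Constructed sample plugins (hypothetical; not WPEngine's plugin).
PLUGIN_SITE_A = r'''<?php
/* Plugin Name: Host Support Login (constructed sample, site A) */
$support_user = 'hostsupport';
$support_pass = 'S3cretSharedPassw0rd!';
function host_support_login() {
    global $support_user, $support_pass;
    wp_signon(array('user_login' => $support_user,
                    'user_password' => $support_pass), false);
}
'''

PLUGIN_SITE_B = r'''<?php
/* Plugin Name: Host Support Login (constructed sample, site B) */
function host_support_login() {
    wp_signon(array('user_login' => 'hostsupport',
                    'user_password' => 'S3cretSharedPassw0rd!'), false);
}
'''

PLUGIN_CLEAN = r'''<?php
/* Plugin Name: Support Login, hardened (constructed sample) */
function host_support_login() {
    // Secret lives outside the web root, never in plugin source.
    $pass = getenv('HOST_SUPPORT_PASS');
    if ($pass === false) { return; }
    wp_signon(array('user_login' => 'hostsupport', 'user_password' => $pass), false);
}
'''

SITES = {"a.example": PLUGIN_SITE_A, "b.example": PLUGIN_SITE_B, "c.example": PLUGIN_CLEAN}

if __name__ == "__main__":
    for site, src in SITES.items():
        for f in find_hardcoded_credentials(src):
            print(f"{site}: line {f['line']}: {f['snippet']}")
    for fp, sites in shared_across_sites(SITES).items():
        print(f"credential {fp} is shared by {', '.join(sites)}")
```

The hardened sample is only a demonstration that the scanner does not flag a secret read from the environment; the fix the article reports, per-site credentials and nothing secret in plugin source, is the real remedy, and a scanner like this is a check to run over a fleet after such a fix to confirm the old literals are gone.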

Regarding the issue, Brazell said:

As a startup, we try to be nimble and adjust with needs. Sometimes the need for adaptability ends up costing by introducing a security issue. Obviously, we regret this. We take security very seriously as it is part of our entire pitch.

Though this issue was quickly fixed, and we don’t believe it has been exploited, we are already in the process of doing a full security review of our internal code and processes.

It is not clear how long this vulnerability has been present, though Brazell did say it was introduced “recently”.

WPEngine was launched in July of 2010 by Jason Cohen, Cullen Wilson, and Aaron Brazell. In October WPEngine partnered with VaultPress to bring VaultPress golden tickets to WPEngine users.

3 thoughts on “WPEngine security vulnerability gave admin access to any user”

  1. Cullen from WP Engine here. I’d like to address this issue head-on and be as transparent as possible about what went down.

    As mentioned in the article we were alerted to a security vulnerability in one of our custom plugins that granted access to blogs on our platform. We patched the issue immediately and after a thorough investigation believe that zero customer data was compromised.

    At WP Engine, we’re extremely serious about security, which is why we consider it one of our main value propositions. This specific case was simply a matter of scrappy startup syndrome. We get excited about introducing new features for our customers and with such a small team, it’s difficult to catch every single bug. The good news, however, is that we’re growing extremely fast and are actively hiring [http://goo.gl/7XllS], which means more eyes on our code and a stronger platform. We are committed to keeping our customers’ blogs secure, fast, and scalable and will continue to innovate to create a better experience for everyone running WP Engine.

    If you would like to contact us directly on the matter please feel free to do so: [email protected]

  2. Ouch… lol… that’s some rough code for a plugin… that’s something like an in-house dev script that should have never been made public.

    Well hopefully you changed your password after this 😉 *cough*gawker*cough*

  3. As a WPengine customer, just want to chip-in that I’ve had a really positive experience with their service.
