WPCandy has been made aware of a security issue at WPEngine, a WordPress hosting service that launched earlier this year. According to WPEngine, the issue allowed users to gain admin access to blogs on the WPEngine network. Passwords have since been changed and, according to WPEngine, that particular hole has been closed.
WPEngine has not confirmed the exact nature of the issue, though Aaron Brazell of WPEngine said:
We did have a security issue that was brought to our attention and quickly cleaned up. I cannot comment on the specifics. However, the vulnerability would allow admin access to blogs on our network.
Sucuri privately informed WPEngine of the issue we found and they had a patch to remediate the vulnerability within an hour. It was an interesting issue that should have never occurred, but it did, and they pony’d up and fixed quickly.
We have been in contact with their staff since the issue was discovered and they’re implementing further security controls to continue hardening their system. All in all, this is the type of response you’d like to see from any vendor.
Sucuri does not disclose any security vulnerabilities without contacting the vendor beforehand, and only then if the issue is exposed and fixes need to be posted.
While unconfirmed by WPEngine or Sucuri Security, according to our unnamed source WPEngine had created an admin user account on each of its hosted sites using the same username and password, so that it could log in to every site. This admin login information was then used in a plugin which stored it in plain text, where it was readable by any user who could open the Edit Plugins screen. The screenshots below, also provided to us by our source, will help to communicate the alleged nature of the vulnerability.
The screenshots and description above were provided by WPCandy’s unnamed source, and have not been verified by WPEngine or Sucuri Security.
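The alleged pattern (one shared admin credential pair, hard-coded into a plugin that any administrator can read from the Edit Plugins screen) is something a host can scan its own sites for. The following is an added example written for this article, not code from WPEngine, Sucuri or the plugin in question; the plugin and wp-config fragments are constructed, and the HOST_ADMIN_USER/HOST_ADMIN_PASS names are made up. It relies on the real WordPress constant DISALLOW_FILE_EDIT, which removes the plugin and theme editors from wp-admin.

```python
import re

# Constructed sample plugin showing the alleged pattern: one shared admin account,
# created on every hosted site from a hard-coded credential pair. Not real code.
SAMPLE_PLUGIN = """<?php
/* Plugin Name: Host Admin Helper (constructed sample) */
define('HOST_ADMIN_USER', 'hostadmin');
define('HOST_ADMIN_PASS', 'S3cretSharedPass!');
if (!username_exists(HOST_ADMIN_USER)) {
    wp_create_user(HOST_ADMIN_USER, HOST_ADMIN_PASS, 'ops@example.invalid');
}
"""
# Constructed wp-config.php fragment that leaves the Plugins > Editor screen on.
SAMPLE_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n"

# define() of a secret-looking constant whose value is a string literal.
SECRET_DEFINE = re.compile(
    r"define\(\s*['\"](\w*(?:PASS|PASSWORD|PWD|SECRET)\w*)['\"]\s*,\s*['\"][^'\"]+['\"]",
    re.I)
# wp_create_user($login, $password, ...) with its first two arguments captured.
USER_CREATE = re.compile(r"\bwp_create_user\s*\(\s*([^,]+),\s*([^,)]+)")
# The real WordPress constant that removes the plugin/theme editors from wp-admin.
FILE_EDIT_DISABLED = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def find_hardcoded_credentials(php_source: str) -> list[str]:
    """Flag secret constants defined as literals and wp_create_user() calls
    whose password argument is a literal or one of those constants."""
    findings, secret_constants = [], set()
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = SECRET_DEFINE.search(line)
        if m:
            secret_constants.add(m.group(1))
            findings.append(f"line {lineno}: {m.group(1)} defined as a string literal")
        m = USER_CREATE.search(line)
        if m:
            pw_arg = m.group(2).strip()
            if pw_arg.startswith(("'", '"')) or pw_arg in secret_constants:
                findings.append(f"line {lineno}: wp_create_user() password is hard-coded ({pw_arg})")
    return findings


def file_editor_exposed(wp_config_source: str) -> bool:
    """True when DISALLOW_FILE_EDIT is not set to true, so any administrator can
    read plugin source (and any secret in it) from the Edit Plugins screen."""
    return FILE_EDIT_DISABLED.search(wp_config_source) is None


if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_PLUGIN), file_editor_exposed(SAMPLE_WP_CONFIG))
```

A hit from the first function on a site where the second returns True is the combination described above; the fix is per-site, unique credentials kept out of plugin source, with the file editor disabled as a second layer.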
Regarding the issue, Brazell said:
As a startup, we try to be nimble and adjust with needs. Sometimes the need for adaptability ends up costing by introducing a security issue. Obviously, we regret this. We take security very seriously as it is part of our entire pitch.
Though this issue was quickly fixed, and we don’t believe has been exploited, we are already in the process of doing a full security review of our internal code and processes.
It is not clear how long this vulnerability has been present, though Brazell did say it was introduced “recently”.