Thousands of sites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow for unauthenticated execution of malicious code, security researchers said.
The vulnerability, tracked as CVE-2024-11972, is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures provided on the Hunk Companion page indicated that less than 12 percent of users had installed the patch, meaning nearly 9,000 sites could be next to be targeted.
Significant, multifaceted threat
“This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress security firm WP Scan, wrote. “With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.”
Rodriguez said WP Scan discovered the vulnerability while analyzing the compromise of a customer’s site. The firm found that the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress.org and download WP Query Console, a plugin that hasn’t been updated in years.
Automattic founder and WordPress co-author Matt Mullenweg in San Francisco on July 24, 2013.
Automattic Inc. and its founder have been sued by a WordPress hosting company that alleges an extortion scheme to extract payments for use of the trademark for the open source WordPress software. Hosting firm WP Engine sued Automattic and founder Matt Mullenweg in a complaint filed yesterday in US District Court for the Northern District of California.
“This is a case about abuse of power, extortion, and greed,” the lawsuit said. “The misconduct at issue here is all the more shocking because it occurred in an unexpected place—the WordPress open source software community built on promises of the freedom to build, run, change, and redistribute without barriers or constraints, for all.”
The lawsuit alleged that “over the last two weeks, Defendants have been carrying out a scheme to ban WPE from the WordPress community unless it agreed to pay tens of millions of dollars to Automattic for a purported trademark license that WPE does not even need.”
The complaint says that Mullenweg blocked WP Engine “from updating the WordPress plugins that it publishes through wordpress.org,” and “withdrew login credentials for individual employees at WPE, preventing them from logging into their personal accounts to access other wordpress.org resources, including the community Slack channels which are used to coordinate contributions to WordPress Core, the Trac system which allows contributors to propose work to do on WordPress, and the SubVersion system that manages code contributions.”
The lawsuit makes accusations, including libel, slander, and attempted extortion, and demands a jury trial. The lawsuit was filed along with an exhibit that shows Automattic’s demand for payment. A September 23 letter to WP Engine from Automattic’s legal team suggests “a mere 8% royalty” on WP Engine’s roughly $400 million in annual revenue, or about $32 million.
“WP Engine’s unauthorized use of our Client’s trademarks… has enabled WP Engine to unfairly compete with our Client, leading to WP Engine’s unjust enrichment,” Automattic alleged in the letter.
Mullenweg: WP Engine “a cancer to WordPress”
Mullenweg co-authored the WordPress software first released in 2003 and founded Automattic in 2005. Automattic operates the WordPress-based publishing platform WordPress.com. Meanwhile, the nonprofit WordPress Foundation, also founded by Mullenweg, says it works “to ensure free access, in perpetuity, to the software projects we support.”
Last month, Mullenweg wrote a blog post alleging that WP Engine is “a cancer to WordPress” and that it provides “something that they’ve chopped up, hacked, butchered to look like WordPress, but actually they’re giving you a cheap knock-off and charging you more for it.”
Mullenweg criticized WP Engine’s decision to disable the WordPress revision management system. WP Engine’s “branding, marketing, advertising, and entire promise to customers is that they’re giving you WordPress, but they’re not,” Mullenweg wrote. “And they’re profiting off of the confusion. WP Engine needs a trademark license to continue their business.”
In another blog post and a speech at a WordPress conference, Mullenweg alleged that WP Engine doesn’t contribute much to the open source project. He also pointed to WP Engine’s funding from private equity firm Silver Lake, writing that “Silver Lake doesn’t give a dang about your Open Source ideals. It just wants a return on capital.”
WP Engine alleges broken promises
WP Engine’s lawsuit points to promises made by Mullenweg and Automattic nearly 15 years ago. “In 2010, in response to mounting public concern, the WordPress source code and trademarks were placed into the nonprofit WordPress Foundation (which Mullenweg created), with Mullenweg and Automattic making sweeping promises of open access for all,” the lawsuit said.
Mullenweg wrote at the time that “Automattic has transferred the WordPress trademark to the WordPress Foundation, the nonprofit dedicated to promoting and ensuring access to WordPress and related open source projects in perpetuity. This means that the most central piece of WordPress’s identity, its name, is now fully independent from any company.”
WP Engine alleges that Automattic and Mullenweg did not disclose “that while they were publicly touting their purported good deed of moving this intellectual property away from a private company, and into the safe hands of a nonprofit, Defendants in fact had quietly transferred irrevocable, exclusive, royalty-free rights in the WordPress trademarks right back to Automattic that very same day in 2010. This meant that far from being ‘independent of any company’ as Defendants had promised, control over the WordPress trademarks effectively never left Automattic’s hands.”
WP Engine accuses the defendants of “misusing these trademarks for their own financial gain and to the detriment of the community members.” WP Engine said it was founded in 2010 and relied on the promises made by Automattic and Mullenweg. “WPE is a true champion of WordPress, devoting its entire business to WordPress over other similar open source platforms,” the lawsuit said.
Firm defends “fair use” of WordPress trademark
The defendants’ demand that WP Engine pay tens of millions of dollars for a trademark license “came without warning” and “gave WPE less than 48 hours to either agree to pay them off or face the consequences of being banned and publicly smeared,” according to the lawsuit. WP Engine pointed to Mullenweg’s “cancer” remark and other actions, writing:
When WPE did not capitulate, Defendants carried out their threats, unleashing a self-described “nuclear” war against WPE. That war involved defaming WPE in public presentations, directly sending disparaging and inflammatory messages into WPE customers’ software and through the Internet, threatening WPE’s CEO and one of its board members, publicly encouraging WPE’s customers to take their business to Automattic’s competing service providers (for a discounted fee, no less), and ultimately blocking WPE and its customers from accessing the wordpress.org portal and wordpress.org servers. By blocking access to wordpress.org, Defendants have prevented WPE from accessing a host of functionality typically available to the WordPress community on wordpress.org.
During calls on September 17 and 19, “Automattic CFO Mark Davies told a WPE board member that Automattic would ‘go to war’ if WPE did not agree to pay its competitor Automattic a significant percentage of WPE’s gross revenues—tens of millions of dollars—on an ongoing basis,” the lawsuit said. WP Engine says it doesn’t need a license to use the WordPress trademark “and had no reasonable expectation that Automattic had a right to demand money for use of a trademark owned by the separate nonprofit WordPress Foundation.”
“WPE’s nominative uses of those marks to refer to the open-source software platform and plugin used for its clients’ websites are fair uses under settled trademark law, and they are consistent with WordPress’ own guidelines and the practices of nearly all businesses in this space,” the lawsuit said.
Automattic alleged “widespread unlicensed use”
Exhibit A in the lawsuit includes a letter to WP Engine CEO Heather Brunner from a trademark lawyer representing Automattic and a subsidiary, WooCommerce, which makes a plugin for WordPress.
“As you know, our Client owns all intellectual property rights globally in and to the world-famous WOOCOMMERCE and WOO trademarks; and the exclusive commercial rights from the WordPress Foundation to use, enforce, and sublicense the world-famous WORDPRESS trademark, among others, and all other associated intellectual property rights,” the letter said.
The letter alleged that “your blatant and widespread unlicensed use of our Client’s trademarks has infringed our Client’s rights and confused consumers into believing, falsely, that WP Engine is authorized, endorsed, or sponsored by, or otherwise affiliated or associated with, our Client.” It also alleged that “WP Engine’s entire business model is predicated on using our Client’s trademarks… to mislead consumers into believing there is an association between WP Engine and Automattic.”
The letter threatened a lawsuit, saying that Automattic “is entitled to file civil litigation to obtain an injunction and an award of actual damages, a disgorgement of your profits, and our Client’s costs and fees.” The letter demands an accounting of WP Engine’s profits, saying that “even a mere 8% royalty on WP Engine’s $400+ million in annual revenue equates to more than $32 million in annual lost licensing revenue for our Client.”
WP Engine’s lawsuit asks the court for a “judgment declaring that Plaintiff does not infringe or dilute any enforceable, valid trademark rights owned by the Defendants.” It also seeks compensatory and punitive damages.
We contacted Automattic about the lawsuit today and will update this article if it provides a response.
Once-great social media and blogging platform Tumblr has gone through a number of big changes in recent years, and another one is right around the corner. Parent company Automattic says it is migrating all Tumblr blogs—more than half a billion in number—to the WordPress back end.
In a blog post announcing the initiative this week, Automattic is careful to note that it doesn’t want anything about the front-end user experience of Tumblr to change. “We love Tumblr’s streamlined posting experience and its current product direction. We’re not changing that,” a rep wrote.
In terms of user experience, the two blogging platforms have very different emphases. WordPress is meant to be powerful, customizable, and extensible to serve a variety of needs, while Tumblr is meant to streamline the experience to be something like a middle ground between operating a WordPress blog and using something like X or Threads.
The plan is to move to the WordPress back end so that Automattic can develop features that will deploy to Tumblr and WordPress blogs simultaneously. This will let Tumblr tap into the robust existing WordPress.com infrastructure and allow the open-source work happening on WordPress to more easily be tapped to improve Tumblr.
The Automattic post did not provide a timeline; it simply acknowledged that this will be “one of the largest technical migrations in Internet history.”
Automattic acquired Tumblr in a humbling fire sale of just $3 million—a far cry from the $1 billion the platform was worth to Yahoo not all that many years ago. Yahoo acquired Tumblr then to try to turn it into a Facebook competitor, but it consistently failed to make the right choices to make that happen—if that was even possible.
Since the acquisition, Automattic has shuffled around employees and resources, including moving many off of Tumblr to other projects, but it says it plans to continue supporting Tumblr with new features in the future and that this migration is part of those plans.
On Tuesday, AI-powered search engine Perplexity unveiled a new revenue-sharing program for publishers, marking a significant shift in its approach to third-party content use, reports CNBC. The move comes after plagiarism allegations from major media outlets, including Forbes, Wired, and Ars parent company Condé Nast. Perplexity, valued at over $1 billion, aims to compete with search giant Google.
“To further support the vital work of media organizations and online creators, we need to ensure publishers can thrive as Perplexity grows,” writes the company in a blog post announcing the program. “That’s why we’re excited to announce the Perplexity Publishers Program and our first batch of partners: TIME, Der Spiegel, Fortune, Entrepreneur, The Texas Tribune, and WordPress.com.”
Under the program, Perplexity will share a percentage of ad revenue with publishers when their content is cited in AI-generated answers. The revenue share applies on a per-article basis and potentially multiplies if articles from a single publisher are used in one response. Some content providers, such as WordPress.com, plan to pass some of that revenue on to content creators.
A press release from WordPress.com states that joining Perplexity’s Publishers Program allows WordPress.com content to appear in Perplexity’s “Keep Exploring” section on their Discover pages. “That means your articles will be included in their search index and your articles can be surfaced as an answer on their answer engine and Discover feed,” the blog company writes. “If your website is referenced in a Perplexity search result where the company earns advertising revenue, you’ll be eligible for revenue share.”
Dmitry Shevelenko, Perplexity’s chief business officer, told CNBC that the company began discussions with publishers in January, with program details solidified in early 2024. He reported strong initial interest, with over a dozen publishers reaching out within hours of the announcement.
As part of the program, publishers will also receive access to Perplexity APIs that can be used to create custom “answer engines,” as well as “Enterprise Pro” accounts that provide “enhanced data privacy and security capabilities” for all employees of publishers in the program for one year.
Accusations of plagiarism
The revenue-sharing announcement follows a rocky month for the AI startup. In mid-June, Forbes reported finding its content within Perplexity’s Pages tool with minimal attribution. Pages allows Perplexity users to curate content and share it with others. Ars Technica sister publication Wired later made similar claims, also noting suspicious traffic patterns from IP addresses likely linked to Perplexity that were ignoring robots.txt exclusions. Perplexity was also found to be manipulating its crawling bots’ ID string to get around website blocks.
As part of company policy, Ars Technica parent Condé Nast disallows AI-based content scrapers, and its CEO Roger Lynch testified in the US Senate earlier this year that generative AI has been built with “stolen goods.” Condé sent a cease-and-desist letter to Perplexity earlier this month.
But publisher trouble might not be Perplexity’s only problem. In some tests of the search we performed in February, Perplexity badly confabulated certain answers, even when citations were readily available. Since our initial tests, the accuracy of Perplexity’s results seems to have improved, but providing inaccurate answers (which also plagued Google’s AI Overviews search feature) is still a potential issue.
Compared to the free tier of service, Perplexity users who pay $20 per month can access more capable LLMs such as GPT-4o and Claude 3, so the quality and accuracy of the output can vary dramatically depending on whether a user subscribes or not. The addition of citations to every Perplexity answer allows users to check accuracy—if they take the time to do it.
The move by Perplexity occurs against a backdrop of tensions between AI companies and content creators. Some media outlets, such as The New York Times, have filed lawsuits against AI vendors like OpenAI and Microsoft, alleging copyright infringement in the training of large language models. OpenAI has struck media licensing deals with many publishers as a way to secure access to high-quality training data and avoid future lawsuits.
In this case, Perplexity is not using the licensed articles and content to train AI models but is seeking legal permission to reproduce content from publishers on its website.
Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.
The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.
Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.
“This vulnerability is highly dangerous and expected to become mass exploited,” Patchstack researchers wrote on March 13.
Fellow web security firm WPScan said Thursday that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts, WPScan said, started slowly and peaked on March 31. The firm didn’t say how many of those attempts succeeded.
WPScan said that CVE-2024-27956 allows unauthenticated website visitors to create admin‑level user accounts, upload malicious files, and take full control of affected sites. The vulnerability, which resides in how the plugin handles user authentication, allows attackers to bypass the normal authentication process and inject SQL code that grants them elevated system privileges. From there, they can upload and execute malicious payloads that rename sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.
Successful attacks typically follow this process:
SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.
Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.
Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.
File Renaming: Attackers may rename the vulnerable WP‑Automatic file to ensure only they can exploit it.
WPScan researchers explained:
Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to prevent other bad actors from successfully exploiting their already compromised sites. Also, since the attacker can use their acquired high privileges to install plugins and themes on the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.
The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.
While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).
“According to Patchstack.com, the program is supposed to receive and execute an SQL query, but only from an authorized user,” the developer, who didn’t want to use his name, wrote in an online interview. “The vulnerability is in how it checks the user’s credentials before executing the query, allowing an attacker to bypass the authorization. SQL injection is when the attacker embeds SQL code in what was supposed to be only data, and that’s not the case here.”
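The distinction the developer draws, as an added example that is not code from WP Automatic, Patchstack or WPScan: a lookup where user data is concatenated into the query is CWE-89 and is fixed by binding the value, whereas an endpoint designed to run caller-supplied SQL gets no benefit from binding and rests entirely on its authorization check. The tiny `wp_posts` table, the `build_db` helper and the HMAC-signed-query check are constructed and hypothetical; the page does not describe how the real plugin's check works.

```python
import hashlib
import hmac
import sqlite3


def build_db():
    """Constructed sample data: a three-row stand-in for wp_posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT);
        INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish'),
            (2, 'Draft notes', 'draft'), (3, 'Pricing', 'publish');""")
    return conn


# CWE-89: the title is data, but string building lets an apostrophe close the
# literal so the remainder is parsed as SQL, the mechanism the article describes.
def find_published_vulnerable(conn, title):
    sql = ("SELECT ID FROM wp_posts WHERE post_status = 'publish' "
           f"AND post_title = '{title}' ORDER BY ID")
    return [row[0] for row in conn.execute(sql)]


# Fix for CWE-89: bind the value; the driver never lets it become SQL syntax.
def find_published_fixed(conn, title):
    sql = ("SELECT ID FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title = ? ORDER BY ID")
    return [row[0] for row in conn.execute(sql, (title,))]


# The developer's reading of CVE-2024-27956: the endpoint is meant to execute a
# caller-supplied query, so binding cannot help; its security is the
# authorization check (CWE-285 if that check is wrong). The check below is a
# hypothetical one for this example: an HMAC over the query with a server-side
# secret, compared in constant time.
SERVER_SECRET = b"constructed-example-secret"


def sign_query(sql, secret=SERVER_SECRET):
    return hmac.new(secret, sql.encode(), hashlib.sha256).hexdigest()


def run_authorized_query(conn, sql, signature):
    if not hmac.compare_digest(sign_query(sql), signature):
        raise PermissionError("query not authorized")
    return [row[0] for row in conn.execute(sql)]
```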
Whatever the classification, the vulnerability is about as severe as it gets. Users should patch the plugin immediately. They should also carefully analyze their servers for signs of exploitation using the indicators of compromise data provided in the WPScan post linked above.
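As an added example, not from the article or from WPScan, a small audit that checks a copy of the WordPress user tables and the plugins directory for the post-exploitation signs described above: administrator accounts registered after the disclosure date, installed plugins that allow file upload or code editing, and unexpected files in the WP Automatic plugin directory. The `wp-automatic` directory name, its file baseline, the risky plugin slugs and all sample data are assumptions constructed for this example; a real check should use the indicators from the WPScan post.

```python
import os
import sqlite3
import tempfile
from datetime import datetime

# CVE-2024-27956 disclosure date (from the article): admin accounts registered
# after it deserve scrutiny. The plugin slugs and the wp-automatic file baseline
# are assumptions for this example, not data published by WPScan or ValvePress.
DISCLOSURE = datetime(2024, 3, 13)
RISKY_PLUGIN_SLUGS = {"file-manager", "wp-file-manager", "code-editor"}
WP_AUTOMATIC_BASELINE = {"wp-automatic.php", "readme.txt"}

def recent_admins(conn, since=DISCLOSURE):
    """Administrator logins registered on or after `since`. WordPress stores the
    role in wp_usermeta (meta_key 'wp_capabilities') as serialized PHP."""
    rows = conn.execute(
        "SELECT u.user_login, u.user_registered FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%'").fetchall()
    return sorted(login for login, reg in rows
                  if datetime.fromisoformat(reg) >= since)

def risky_plugins(plugins_dir):
    """Installed plugins that let an admin upload files or edit code."""
    return sorted(p for p in os.listdir(plugins_dir) if p in RISKY_PLUGIN_SLUGS)

def unexpected_wp_automatic_files(plugins_dir):
    """Files in the wp-automatic directory outside the baseline; a renamed copy
    of the vulnerable file would show up here."""
    path = os.path.join(plugins_dir, "wp-automatic")
    if not os.path.isdir(path):
        return []
    return sorted(set(os.listdir(path)) - WP_AUTOMATIC_BASELINE)

def run_audit(conn, plugins_dir):
    return {"recent_admins": recent_admins(conn),
            "risky_plugins": risky_plugins(plugins_dir),
            "unexpected_wp_automatic_files": unexpected_wp_automatic_files(plugins_dir)}

def build_sample():
    """Constructed sample data mimicking a site hit by the chain above: an
    in-memory copy of two WordPress tables plus a temporary plugins directory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner', '2022-01-10 09:00:00'),
            (2, 'wp-admin-bot', '2024-03-20 10:15:00'),
            (3, 'editor1', '2024-03-25 12:00:00');
        INSERT INTO wp_usermeta VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');""")
    plugins_dir = tempfile.mkdtemp()
    for slug in ("akismet", "file-manager", "wp-automatic"):
        os.makedirs(os.path.join(plugins_dir, slug))
    for name in ("wp-automatic.php", "readme.txt", "renamed-by-attacker.php"):
        open(os.path.join(plugins_dir, "wp-automatic", name), "w").close()
    return conn, plugins_dir
```

Run `run_audit(*build_sample())` to see the three findings the constructed sample triggers.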