With our service you get alerted if any of the WordPress plugins you have installed have a vulnerability in the installed version. You can also see what vulnerabilities they have had in other versions, which is something you might use to determine if you should continue you using it. The problem with trying to do that is that isn’t always easy. If you are not dealing with this type of thing on a regular basis there is good chance you wouldn’t have the knowledge as to what security issues are of little concern and what ones are a major concern going forward. You also would have dig in to see if the developer has a pattern of not responding in a timely fashion when a vulnerability is discovered, which can have a significant impact on whether the vulnerability will get exploited. Since we already come in contact with that type of information, we thought it would be useful to start using the knowledge we are collecting to make it easier to find out if security practices of plugin developers are lacking by putting out advisories for developers that have serious issues.
The idea for this also came up because unfortunately we are seeing developers who are doing a really bad job at making sure their plugins are secure. The first advisories we released involves a company that has not been taking basic security measures, had a really serious vulnerability in one their plugins, doesn’t respond in a timely manner when contacted about security issues, and takes weeks to fix them. The subject of the second one has repeatedly only fixed part of the security issues reported to them.
You can view all of our advisories here and follow the RSS feed of them here. Having to check our website to see if a plugin developer is the subject of a security advisory obviously isn’t very convenient, so that is why we have rolled out a couple of updates to our software to allow those notices to be seamlessly shown when you are looking at new plugins:
Advisories in WordPress
Today we released a new version of the Plugin Vulnerabilities plugin that adds a warning message with a link to these advisories to the details page of plugins in the Add New plugins section of WordPress:
For already install plugins you can click the “View details” link on the Installed Plugins page to see if there is an advisory as well.
This feature is built in to the plugin, so it works even if you haven’t signed up for our service (though you really should do that).
Advisories on WordPress.org
But what about if you are taking a look at plugins on the Plugin Directory on WordPress.org? If you are doing that in the Chrome web browser you are in luck. We also have released an update to our Plugin Vulnerabilities extension that adds the advisories to the website:
The extension also adds notices to the URL of plugins that have been removed from the Plugin Directory due to security issues:
If we see increased interest in the extension we plan to release versions for other web browser, so if you want it for ones of those, please let us know which one in the comments so that we can properly prioritize the order of which browsers to bring it to in the future.