Most days, if we have to review any new reports of vulnerabilities in WordPress plugins for our service, it's one or two reports. Early this week a set of what turned out to be 25 reports of vulnerabilities (in 22 plugins) were released at once. That meant a lot of work for us, but more importantly it raised further concern about how the people running the Plugin Directory are handling reports of security vulnerabilities in WordPress plugins. In the message put out with the initial release of these, the discoverer noted that “[They] notified WordPress back in February of my research.” (based on the advisories, the specific date was February 9). We can’t confirm that ourselves, but if it is true then we can say with high certainty that no action was taken by them before the public release.
While reviewing the vulnerable plugins we found that two had already been fixed, but only after the public advisories were released. For the plugins that had been updated in recent years and for which we could find a contact for the developer, we have now notified the developers of the issues in their plugins. In several cases the plugins were updated promptly after our notification, so it seems highly unlikely they had been notified before. For the other plugins we have notified the Plugin Directory of the issues on an individual basis, and those plugins have started to be removed until the vulnerabilities are fixed (if that ever occurs). The fact that they are only now being removed seems to be another confirmation that nothing was done before.
If you are using our service, you will by now have received a notification if you are using any of the vulnerable plugins.
We would be happy to assist the Plugin Directory in handling this type of situation in the future if they don’t have the manpower to do it, seeing as we already have to do the same amount of work when we become aware of the vulnerabilities this way instead.
Unfortunately, this isn’t the first time recently that we have seen apparent problems with how the Plugin Directory handles security issues. Two weeks ago we had a post about a couple of cases where plugins with reported vulnerabilities were returned to the directory despite the vulnerabilities not being fixed. Since then we have run into another case of that happening.
So that we don’t cause any over-hyped headlines over this, it is worth noting that all of the plugins contained reflected cross-site scripting (XSS) vulnerabilities. That is a type of vulnerability that isn’t often exploited, and because the XSS filtering built into all major web browsers other than Firefox prevents most attempts to exploit it, the impact is rather limited. (Chrome and Edge have since removed those filters, so that mitigation should not be counted on going forward.) Most of the plugins were also not widely used and have not been updated in years.
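To make the vulnerability class concrete, here is the reflected XSS pattern that typically shows up in plugins, beside its fix. This is an added example written for this post; it is not code from any of the plugins mentioned and it does not reproduce any of the advisories. The esc_html()/esc_attr() shims are an approximation of WordPress core's escaping helpers so the file runs under a plain PHP CLI; inside a real plugin you would drop the shims and call the core functions directly. The parameter name `s` and the payload are constructed for illustration.

```php
<?php
// Added example: reflected XSS in a WordPress-style page renderer, vulnerable
// form beside the escaped form. Not from the post or any plugin it discusses.

if (!function_exists('esc_html')) {
    // Approximation of WordPress esc_html(): entity-encode for a text node.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Approximation of WordPress esc_attr(): entity-encode for a quoted attribute.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: the request parameter is echoed straight into the markup.
// A crafted link (?s=...) makes the victim's browser run attacker script.
function render_search_vulnerable(array $request): string {
    $term = isset($request['s']) ? (string) $request['s'] : '';
    return '<input type="text" name="s" value="' . $term . '">'
         . '<p>Results for ' . $term . '</p>';
}

// FIXED: escape each value for the exact HTML context it lands in.
function render_search_fixed(array $request): string {
    $term = isset($request['s']) ? (string) $request['s'] : '';
    return '<input type="text" name="s" value="' . esc_attr($term) . '">'
         . '<p>Results for ' . esc_html($term) . '</p>';
}

// Quick check used when reviewing a fix: does the raw payload survive into
// the output unchanged? If it does, the parameter is still reflected unescaped.
function reflects_unescaped(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed payload of the kind a reflected XSS proof of concept would carry.
$payload = '"><script>alert(1)</script>';

$vulnerable = render_search_vulnerable(['s' => $payload]);
$fixed      = render_search_fixed(['s' => $payload]);

echo "vulnerable: ", $vulnerable, "\n";
echo "fixed:      ", $fixed, "\n";
echo "vulnerable reflects payload: ", var_export(reflects_unescaped($vulnerable, $payload), true), "\n";
echo "fixed reflects payload:      ", var_export(reflects_unescaped($fixed, $payload), true), "\n";
```

Run it with `php example.php`. The vulnerable output closes the attribute and inserts a live script tag; the fixed output contains only entity-encoded text, and the `reflects_unescaped` check returns true for the first and false for the second. Note that escaping must match the context (attribute, text node, URL, JavaScript), which is why WordPress provides separate esc_attr(), esc_html(), esc_url() and esc_js() helpers rather than one generic function.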
But it is also worth pointing out that there are probably plenty more plugins that contain this type of vulnerability, seeing as we recently found one in one of the 100 most popular plugins (with 400,000+ installs) that had been in the plugin for nearly four years.