When it comes to cyber security there is a lot of bad information out there and when it comes to information about WordPress security, it is at least as bad, if not worse than average for cyber security. One piece of bad information we see when it comes to security of WordPress plugins is the assumption that vulnerabilities in WordPress plugins are promptly fixed, so as long as you keep your plugins up to date you are okay. The reality is that while many are fixed promptly, there are plenty more that don’t get fixed promptly or never get fixed.
To give you some idea of what that means in the real world, we went back through the weekly posts we put out detailing what we have been doing and adding to the service during each week and found all of the plugins with vulnerabilities that are still removed from the Plugin Directory due to those security vulnerabilities (plugins are removed from the Plugin Directory after the people running it are notified that a plugin has a security issue in its current version, with many of those notifications coming from us).
Below you can see all of those plugins and their vulnerabilities. What you can see is that not only are there quite a few, but also that many of the vulnerabilities are rather serious and many involve plugins used by tens of thousands of websites (and in one case hundreds of thousands). We have excluded last week from the listing since there were many vulnerabilities for which the developer would not have had even a week to fix yet, due to the people running the Plugin Directory apparently dropping the ball in a major way.
Week of 3/4/2016
- Remote code execution vulnerability in Social Media Tab, 700+ active installs
- SQL injection vulnerability and information disclosure vulnerability in WP Ultimate Exporter, 30+ active installs
- Cross-site request forgery (CSRF) vulnerability in More Fields, 20,000+ active installs
Week of 3/18/2016
- Remote page inclusion vulnerability in Site Import, 800+ active installs
- Persistent cross-site scripting (XSS) vulnerability in Resume Submissions & Job Postings, 3,000+ active installs
Week of 3/25/2016
- Arbitrary file viewing vulnerability in Import CSV, 100+ active installs
- Local file inclusion (LFI) vulnerability in A/B Test for WordPress
- Arbitrary file viewing vulnerability in HB AUDIO GALLERY LITE, 400+ active installs
- Local file inclusion (LFI) vulnerability in Dharma booking, less than 10 active installs
- Reflected cross-site scripting (XSS) vulnerability and SQL injection vulnerability in Facebook with login
Week of 4/1/2016
- Remote code execution (RCE) vulnerability in Enable Google Analytics, 1,000+ active installs
- Remote code execution (RCE) vulnerability in Breadcrumbs EZ, 10+ active installs
- Arbitrary file viewing vulnerability in Photocart Link, less than 10 active installs
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Claptastic clap! Button, less than 10 active installs
- SQL injection vulnerability in SEO Redirection Plugin, 60,000+ active installs
Week of 4/8/2016
- Reflected cross-site scripting (XSS) vulnerability in Google Language Translator, 90,000+ active installs
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Lightbox Plus Colorbox, 300,000+ active installs (this should hopefully be fixed soon)
- Arbitrary file viewing vulnerability in Advanced video embed, 20+ active installs
How We Help You Deal With Unfixed Vulnerabilities
For years we have been pushing for WordPress to start providing notification when vulnerable plugins that have been removed from the Plugin Directory are being used, but despite someone from the Plugin Directory saying three years ago that this would be happening, it still hasn’t. In the meantime we provide several things that help you to deal with this type of situation:
The first is our service (shameless plug), which will send an email alert if one of your installed plugins has a publicly disclosed vulnerability in the version in use (you can also see what vulnerabilities existed in other versions in WordPress). And probably more importantly if the vulnerability hasn’t been fixed yet, you can always get in touch with us to help you decide on what is the best way to handle this problem. In some cases a workaround can easily be crafted to hold you over until a fix comes out or you move to another plugin. In other cases the plugin may need to be removed, pending a fix.
The second is our No Longer in Directory plugin, which as you might guess from the name will identify if any of your installed plugins have been removed from the Plugin Directory (whether for a security issue or some other reason). For some plugins that have been removed from the Plugin Directory for security issues, it will also provide a link to the details of that issue.
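The check that plugin performs can be scripted outside WordPress as well. The following is an added example, not code from the original post or from the No Longer in Directory plugin: it reads the standard header comment of each installed plugin's main PHP file to get its version, then asks the Plugin Directory whether the slug is still listed and, if so, whether a newer version exists. The `lookup_wordpress_org` function uses the real `api.wordpress.org/plugins/info/1.0/<slug>.json` endpoint and assumes that a 404 or an `error` field in the reply means the plugin is no longer listed; the plugin files, slugs and directory answers in `SAMPLE_PLUGIN_FILES` and `SAMPLE_DIRECTORY` are constructed so the audit runs offline.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the main PHP file of each plugin under wp-content/plugins/,
# keyed by the plugin's directory name, which is also its Plugin Directory slug.
SAMPLE_PLUGIN_FILES: Dict[str, str] = {
    "example-gallery": """<?php
/*
Plugin Name: Example Gallery
Version: 1.4.2
*/
""",
    "example-translator": """<?php
/**
 * Plugin Name: Example Translator
 * Version: 5.0.1
 */
""",
    "example-fields": """<?php
/*
Plugin Name: Example Fields
Version: 2.1
*/
""",
}

# Constructed stand-in for the directory's answers: a newer version for one plugin,
# the same version for another, and no entry at all for a plugin that was removed.
SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "example-gallery": {"version": "1.5.0"},
    "example-translator": {"version": "5.0.1"},
    # "example-fields" is deliberately absent: removed from the Plugin Directory
}

# Matches "Plugin Name:" and "Version:" lines in a plugin header, with or without
# the leading " * " of a docblock-style comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Extract the Plugin Name and Version fields from a plugin's header comment."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def lookup_wordpress_org(slug: str) -> Optional[Dict]:
    """Ask the live Plugin Directory API about one slug (needs network access).
    Assumption: a 404 or an 'error' field in the JSON means the plugin is not listed."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise
    if not isinstance(data, dict) or "error" in data:
        return None
    return data


def audit_plugins(
    plugin_files: Dict[str, str],
    lookup: Callable[[str], Optional[Dict]],
) -> List[Tuple[str, str, str, Optional[str]]]:
    """Classify each installed plugin as 'removed', 'outdated' or 'current'.
    Returns (slug, status, installed_version, directory_version) per plugin."""
    findings = []
    for slug, source in sorted(plugin_files.items()):
        header = parse_plugin_header(source)
        installed = header.get("Version", "0")
        listing = lookup(slug)
        if listing is None:
            # No listing: the plugin was pulled from the directory (or never was there),
            # which is the case the post is about and the case updates cannot fix.
            findings.append((slug, "removed", installed, None))
        elif version_tuple(listing["version"]) > version_tuple(installed):
            findings.append((slug, "outdated", installed, listing["version"]))
        else:
            findings.append((slug, "current", installed, listing["version"]))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed data; pass lookup_wordpress_org instead of
    # SAMPLE_DIRECTORY.get (and real plugin files) to audit an actual install.
    for slug, status, installed, latest in audit_plugins(SAMPLE_PLUGIN_FILES, SAMPLE_DIRECTORY.get):
        print(f"{slug:20} {status:9} installed={installed} directory={latest}")
```

A "removed" result is the one to act on: as the post notes, keeping plugins updated does nothing for a plugin that has no listing left to update from, so those are the candidates for a workaround or removal pending a fix.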
The third is our Chrome web browser extension, which adds a security notice to the URLs on the Plugin Directory where a plugin used to be before it was removed for a security issue, so that you know what happened to the plugin.