When it comes to highlighting the poor state of security with plugins on the WordPress Plugin Directory there are a lot of things we could point to, like the fact that we recently spotted a really easy to find vulnerability in one the hundred most popular plugins, or something like what we ran across the other day. We happened upon the Plugin Directory page for the http:BL WordPress Plugin, while looking into something unrelated to the security of WordPress plugins. On the description page we noticed this message:
This plugin is in the process of being refreshed. Compatibility with current versions of WordPress is unknown. Versions prior to 2.0 should be used only with extreme caution. There are known security issues and vulnerabilities.
That would be useful information if people could upgrade to at least 2.0, but they can’t since the current version of the plugin is version 1.9.1:
Looking at the development log shows that message was added on July 13, 2015, about nine months ago.
We did a quick check and found a relatively minor security issue, a cross-site request forgery (CSRF)/ cross-site scripting (XSS) vulnerability on the plugin’s admin page. There might be other more serious issues as well.
We have notified the people running the Plugin Directory about the security issue we found and about the notice on the description page.