In monitoring vulnerabilities in WordPress plugins one problem that we have noticed, which if fixed could improve the security of plugin, is the difficulty the public has in knowing where to report a security issue in a plugin on the Plugin Directory.
To show that this is an issue, here a couple of examples we ran across recently showing that people that have discovered vulnerabilities have not found the correct place to report them:
Back in February someone noticed several WordPress plugins that included malicious code in them which would lead to websites that had them installed getting hacked. That obviously is something that should be handled by the Plugin Directory right away. The discoverer then created a thread on the WordPress support forum How to report malware in plugins?, which not surprisingly is them asking how you would report that. A forum moderator then responded saying:
You will have to report it to the plugins team, just as you have done previously.
So for the people on the WordPress side it obvious how to report things, but clearly it isn’t for others as the follow up from the discover:
I have not been able to find where to report it to the plugins team. All I have been able to do so far is rate it a 1 star, and review it descriptively on the plugin’s page.
Another example involves a less serious issue, a reflected cross-site scripting (XSS) vulnerability, that we had noticed in the Google Language Translator plugin (a plugin that has 90,000+ active installs). We reported the vulnerability to the developer on March 28 and a week later after getting no response we notified the Plugin Directory of the issue. Once they were notified the plugin was removed pending a fix. That fix happened two weeks later and the plugin has returned to the Plugin Directory. At that point we noticed that independently of our discovery, the same vulnerability had been reported in the Plugin Directory support forum for the plugin back on January 26. Based on the response time after our reporting the same issue, the vulnerability could have been fixed long before we ran across it if it had gotten reported to right place.
How To Make It Easier To Report A Vulnerability?
So there clearly is need to make it easier for people to find where to a report a vulnerability, but that still leaves how to accomplish that.
One possibility might be to do something like Chrome Web Store, which provides a link a Report Abuse link on the main page of items on it:
Another possibility would be to add a link to the documentation on how to report a vulnerability to the tips that are show above the form to start a new forum topic for a plugin:
Got another idea? We would love to hear it.