09 May

A Reminder That The Process for Reporting WordPress Plugin Vulnerabilities Needs Improvement

A week ago we posted about the need for WordPress to make it easier to properly report vulnerabilities in plugins and now we have another good example of where the current process is lacking.

Yesterday on the wordpress.org support forum someone posted about a serious security vulnerability in the Profile Builder plugin, which would allow users that are able to get a shortcode into a post the ability create Administrators accounts on website when the plugin is installed and the website also allows user registration.

Ideally this would have been privately disclosed since it can easily be exploited if the conditions are met. This is the type of situation where our suggestion to add information on how to properly report a security vulnerability to the tips section above the form to create to a new support post for a plugin seems like it could have prevented a premature disclosure.

After coming across the report we added the vulnerability to our data set, so if you are using our service you will have already been notified if you are impacted. We also notified the developer that the vulnerability had been disclosed. By this morning the thread disclosing the vulnerability had been deleted, but the plugin has yet to be fixed as of now.

Considering this isn’t the first time a post disclosing a vulnerability has been deleted you would think somebody involved in this would have at some point concluded that the way things are being done now isn’t working.

Deleting the posts instead of making sure the vulnerability has been fixed also doesn’t seem to be very effective, since once something is on the Internet its out there, or in this case it is still there because the poster also included all of the same details in another thread on wordpress.org, which as of now, has not been deleted.