24 Jun

You Won’t Always Know That A New Version of a WordPress Plugin Includes a Security Fix

When it comes to protecting your website against vulnerabilities in WordPress plugins our service can play an important role, but it does have its limits. One major one being that we can only include data on publicly disclosed vulnerabilities, since we wouldn’t know about others (unless we are discoverer of the vulnerability and have yet to disclose it). That is why it is important that you always keeping your plugins up to date, that way if an undisclosed vulnerability has been fixed you will be protected (you can have the updates happen automatically with our Automatic Plugin Updates plugin). Since many vulnerabilities haven’t been fixed by the time they are publicly disclosed or are being exploited before a fix is released, keeping plugins up to date by itself isn’t enough.

One bad suggestion we sometimes see related to this is people saying that you should make sure that update a plugin if the changelog mentions that a security fix, the problem with that is that we have have found is often their is no mention made we a security vulnerability. When we look at this in December of 2014, we found that 19.7 percent of our sample of updates with security fixes didn’t include any mention in the changelog that a security fix was included. That lack of mention continues, as we saw last week with a vulnerability we discovered in the plugin WooCommerce Upload My File.

Last week we found that the plugin was susceptible to a cross-site request forgery (CSRF) vulnerability that could allow the changing of settings so that an attacker could upload .php files. This type of vulnerability is one that we don’t see hackers trying to target often at this time, so the threat is somewhat limited, but since this plugin would be used on eCommerce websites vulnerabilities of any kind are of more concern.

In the version it was fixed, you wouldn’t know that a security vulnerability was fixed since the changelog just reads:

Fixed several bugs

If you were to look at the Development Log for plugin you would be equally unaware as the entry for this version reads “Updated small bugfix”.

Leave a Reply

Your email address will not be published. Required fields are marked *