26 Jul

WordPress Plugin Directory’s Failure to Enforce Developer Guidelines Puts Websites At Risk

One of the issues we sometimes spot when reviewing reports of vulnerabilities in WordPress plugins is that the vulnerability has been fixed but the version number of the plugin has not been increased. That means that people downloading the plugin at that point will be secured against the vulnerability, but anyone who already had the plugin installed will still be vulnerable, since there is no new version for them to be prompted to update to. While it is an easy thing to resolve, we have found that sometimes even after contacting the developers they won’t bump the version number. Why that is is a mystery to us.

Not only is this a security issue, it also violates the Developer Guidelines of the Plugin Directory, specifically guideline 15:

All code changes to a plugin that has a Stable Tag of “trunk” must result in the version number being upgraded. For the trunk and tags method, trunk can be continually updated without version number changes, while tags should generally not be updated ever past the initial tagging unless the readme is being updated with regards to supporting the newest version of WordPress.

While they are referred to as guidelines, as you can see the language reads more like a rule.

A couple of months ago we were reviewing a report of a vulnerability in the plugin WordPress Responsive Thumbnail Slider. The report turned out to be false, but while reviewing it we noticed that the version number of the plugin was at 1.0, despite numerous changes having been made to it over several years. It could have been that they started at a version number below 1.0 and eventually reached that version, so we checked the first release and found that the version number was already 1.0 in that release. We then looked at some of the other plugins from the same developer and found that many of them were not having their version number increased with new releases. We also noticed they had actually lowered the version number of one of the plugins recently, so it wasn’t that they didn’t know how to change the version number.
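The check described above (walk a plugin’s release history and see whether the version number moves when the code does) can be automated. The following is an added example, not code from the original post or from WordPress.org: it reads the version the way WordPress does, from the `Version:` line of the main plugin file’s header, fingerprints each release’s files, and flags releases whose code changed without a bump or whose version went backwards. The release history, the file path and the plugin name are constructed for the example, and `version_key` is a numeric simplification of PHP’s `version_compare()`.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# WordPress reads a plugin's version from the "Version:" line in the header
# comment of the main plugin file; this pattern follows that lookup.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$",
                            re.IGNORECASE | re.MULTILINE)

Release = Tuple[str, Dict[str, str]]   # (release tag, {path: file contents})
Finding = Tuple[str, str, str]         # (release tag, kind, detail)


def parse_version(main_file: str) -> Optional[str]:
    """Return the declared version, or None if the header is missing."""
    match = VERSION_HEADER.search(main_file)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key; a simplification of PHP's version_compare(),
    which WordPress uses to decide whether an update should be offered."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def update_offered(installed: str, directory_latest: str) -> bool:
    """A site is only prompted to update when the directory version is
    strictly greater than the version it already has installed."""
    return version_key(installed) < version_key(directory_latest)


def release_fingerprint(files: Dict[str, str]) -> str:
    """Content hash over every file in the release, so any code change alters it."""
    digest = hashlib.sha256()
    for path in sorted(files):
        digest.update(path.encode() + b"\0" + files[path].encode() + b"\0")
    return digest.hexdigest()


def audit_releases(releases: List[Release], main_file: str) -> List[Finding]:
    """Walk releases in chronological order and flag ones whose code changed
    without a version bump, or whose version number went backwards."""
    findings: List[Finding] = []
    prev_fp: Optional[str] = None
    prev_ver: Optional[str] = None
    for tag, files in releases:
        fp = release_fingerprint(files)
        ver = parse_version(files.get(main_file, ""))
        if ver is None:
            findings.append((tag, "missing-version", "no Version: header in " + main_file))
        elif prev_fp is not None and prev_ver is not None:
            if fp != prev_fp and ver == prev_ver:
                findings.append((tag, "unbumped", f"code changed but version stayed at {ver}"))
            elif version_key(ver) < version_key(prev_ver):
                findings.append((tag, "downgraded", f"version went from {prev_ver} to {ver}"))
        prev_fp, prev_ver = fp, ver
    return findings


# Constructed release history (hypothetical plugin, not a real one): r2 ships
# an output-escaping fix without a version bump, then r3 lowers the version.
MAIN = "example-slider/example-slider.php"
SAMPLE_RELEASES: List[Release] = [
    ("r1", {MAIN: "<?php\n/*\nPlugin Name: Example Slider\nVersion: 1.0\n*/\n"
                  "echo $_GET['title'];\n"}),
    ("r2", {MAIN: "<?php\n/*\nPlugin Name: Example Slider\nVersion: 1.0\n*/\n"
                  "echo esc_html($_GET['title']);\n"}),
    ("r3", {MAIN: "<?php\n/*\nPlugin Name: Example Slider\nVersion: 0.9\n*/\n"
                  "echo esc_html($_GET['title']);\n"}),
]

if __name__ == "__main__":
    for tag, kind, detail in audit_releases(SAMPLE_RELEASES, MAIN):
        print(f"{tag}: {kind}: {detail}")
    # A site still on 1.0 is never prompted, because no later release is higher.
    print("update offered to a 1.0 site?", update_offered("1.0", "1.0"))
```

Run against a real plugin, the release list would come from the directory’s SVN tags or from successive zip downloads; `update_offered` is the decision that matters for installed sites, and it stays false for every release in this history, which is exactly the situation the post describes.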

It would be one thing if the changes made without changing the version number were cosmetic, but in a quick check we found that at least three of the plugins, with thousands of users each, have security-related items listed in a log message and are still at version 1.0:

After noticing that, we created a support thread on one of the plugins letting them know that they needed to increase the version number, in case they were not aware of that. After a month the version numbers had not been changed and we had received no response in that thread, so we contacted the Plugin Directory to let them know about this. Part of their response was that “They don’t HAVE to, but they’re stupid not to…”, which doesn’t match the Developer Guidelines. We replied noting that the guidelines say that they do have to, but we didn’t get a response back. Now, a month on from that, the plugins have still not had their version numbers increased, so probably thousands of websites are still using versions of those plugins prior to the security releases and remain vulnerable.

The vulnerabilities that we could tell were fixed in the aforementioned plugins don’t look like ones likely to be exploited, so this isn’t likely to lead to websites being hacked, but it still isn’t an acceptable situation.