Recently we have been finding that someone on the WordPress team has been deleting and editing some of our post on their support forum and because they don’t want others to know that, in one instance they even deleted someone else’s post that simply thanked us for one of our posts. While it has been rather troubling in general, one other instance that stuck out to us in the most recent purge, was a case where they removed a single sentence from a post, that sentence was “(including when the people running the Plugin Directory have failed to notice that)”, which was in reference to the fact that we often find that vulnerabilities that are claimed to have been fixed have not actually been fixed. The linked post, from the end of March, discussed the fact that plugins that had been removed from the Plugin Directory due to security issues were returning without the vulnerabilities actually being fixed.
While it would be close to impossible to insure that all of the plugins in the Plugin Directory are free of vulnerabilities, making sure that plugins that you are aware have had a vulnerability are not restored before they are actually fixed shouldn’t be, since it could be prevented by simply testing out to make sure the vulnerability has been fixed before restoring the plugin.
Unfortunately since March the issue has continued to happen. At the end of June we discussed another example involving a situation where we spotted what looked to be a hacker probing for the usage of the BePro Listings plugin (likely due to them being aware of a vulnerability in the plugin and looking for websites to exploit it on) and we then identified a vulnerability that hackers were likely to exploit in the plugin (as well as another fairly serious vulnerability). After contacting the developer and getting no response we notified the Plugin Directory and the plugin was removed. The plugin subsequently returned to the Plugin Directory without actually being fixed. It was only after we got in touch with the developer again that we were able, after several back and forths, to get them to finally fix it.
Just this week we spotted another instance of this happening, which also highlights the difficulty that there can sometimes be in getting developers to fix vulnerabilities in their plugins. This time it involves a persistent cross-site scripting (XSS) vulnerability that was publicly disclosed back in December of 2014 in the plugin SEO Redirection, a plugin with 60,000+ active install installs according to wordpress.org. The advisory seems to indicate that the discoverer had notified the developer at the time. A support forum post from over a year ago also notified the developer, but at the time the developer claimed the vulnerability didn’t exist:
I tested the plugin and displayed to me the same message, but there is no XSS in the plugin, ignore this message, I will try to change the parameters name or the tag name to stop this message from being appeared.
We then ran across the advisory earlier this year and added the vulnerability to our data set. At the time the plugin was removed from the Plugin Directory, due to a SQL injection vulnerability that was in the plugin at the time. After the plugin came back in to the directory without the persistent XSS vulnerability fixed we notified the Plugin Directory of its existence and the plugin was removed a week later at the end of June. Earlier this week the plugin returned to the Plugin Directory, at that point tested it out again to make sure the vulnerability was gone and found that it wasn’t. There was a security related change in version 3.7, but it does not look like it was attempt to fix this and we can’t even tell if the change was related to a vulnerability.
It seems to us it would be a better use of the WordPress’ team members time to make sure that vulnerabilities in plugins are being fixed before restoring them to the Plugin Directory instead of trying to cover up the fact that they are not doing this. Until they get more serious about security you can protect yourself by using our service, so that you get alerted if a vulnerability is in the plugins you use, even in cases where the WordPress team misses them still existing.