27 Sep

Another Good Example of Why Releasing Security Updates Separate From Major Plugin Changes Is a Good Idea

WordPress gets a lot of criticism when it comes to security, with most of it being unwarranted (possibly making it harder the people behind it to realize when the criticism is warranted and a change really is needed). In reality they do a lot of things of good things and have for a long time. One element they have long done is to not push out security updates as part of major releases. In the past they often would put out new minor releases with security updates ahead of a major release and more recently they have been continuing to put out security updates for older versions going back to WordPress 3.7 (that version introduced automatic background updates). Not everybody else does that and it can lead to bad situations like the current with the W3 Total Cache plugin.

Last week a reflected cross-site scripting (XSS) vulnerability was disclosed in the plugin. Contrary to how the developer of a competing plugin tried to portray it, the vulnerability was not a “high risk”.

The vulnerability would have been easy to fix, so a fix should have been quickly released. Instead it took about five days for that happen. Instead of releasing the fix in its own new version or just with other minor changes, the fix was included in a major release, 0.9.5. One that doesn’t sound like was properly tested out before being released, when you consider part of the developer’s announcement of the new version:

This release has some cosmetic bugs in the latest version of WordPress, but our test suite shows that core functionality is working as intended. Having said that, I’m sure there are other bugs and bumps in the upgrade process – we’d love to learn about those, so we can push a follow-up release. Thanks in advance for reporting any issues you find. Hopefully, you find them in a staging area and not in your production site.

That sounds like a part of a statement that would be included with pre-release test version, not a production release. Considering that, it might not be to surprising that support forum for the plugin is currently filled with threads about serious problems, included broken websites, with the release and users are currently voting the release to be broken:


The lack of a separate release for the security fix leads users to have a choice to leave their website vulnerable, apply a workaround, or take a chance by upgrading to a version that may not work.