You Still Won’t Always Know That a New Version of a WordPress Plugin Includes a Security Fix
When it comes to improving security, one of the problems we see is that it is possible to do things that are probably not productive, but look that way. One thing that we often think is not helpful are security companies and news organizations telling you need to update some WordPress plugin due to a security fix in the new version. That sounds like a good thing, as unless there is a bug in the new version doing that shouldn’t have a direct negative impact, but there are a couple of problems we see that come with that.
First, often times the threat posed by the vulnerability is vastly overstated, so you have some vulnerability would likely never be exploited on the average website treated as being critical. That is often done by talking up the worst case scenario and failing to mention important limitations on its exploitation. Some of this may be due to the fact that many security companies don’t actually have a good understand of what threat the vulnerabilities pose, as we often see that companies that clean up hacked websites are not determining how they got hacked (if you see someone claiming that websites are being hacked due to outdated software without pointing to a specific vulnerabilities there is a good chance they don’t know how they were hacked), so they wouldn’t have a good understanding of which ones are really a threat and which ones are not a big deal. (With our service we provide you our estimate of the likelihood of exploitation of vulnerabilities, so you have a better idea of how much of threat there is.) This also often leads to a lot comments that WordPress is insecure, despite a minor plugin vulnerability not being an indication of that.
Secondly, and we think much more importantly, is that this kind of thing gets people to lose focus from what they really should be doing, which is keeping their installed plugins up to date all of the time (if you are doing that, then there wouldn’t be a need to be told to update a specific one). The reason that is so important is that not only do a lot of the vulnerabilities that really pose a threat not get coverage, but plenty of vulnerability fixes don’t even get mentioned in the plugin’s changelog. When it comes to a lack of coverage, take for example the arbitrary file upload vulnerability we disclosed in a plugin last week, that is a type of vulnerability that is likely to be exploited, but so far we can find almost no one else covering it (we only found one personal blog with a mention of it). The same vulnerability also can be used an example of the lack of changelog mention, as these are the only entries in the version it was fixed:
- Woocommerce 3.0.4 compatibility added
- Fix – Fixed PopUp issue
Neither of those seem to relate to the vulnerability. That isn’t the only example we have run across in the last week either, take a SQL injection vulnerability in another plugin, which is much less likely to be exploited, that was disclosed on the WordPress Support Forum nearly two months ago and was fixed this week. Below are the changelog entries for the versions of the plugin released this week, can you guess which one is reference to a security fix?
1.2.2
- Update: Use regex pattern matching to ensure session IDs are identical going in/out of the DB to account for encoding differences
1.2.1
- Update: Additional filters for the
setcookie
parameters- Update: Expose the Session ID publicly
- Fix: Better handling for malformed or broken session names
1.2.0
- Update: Enhanced plugin organization
- Update: Added WP_CLI support for session management
- Update: Add Composer definitions
- Fix: Break up the deletion of old sessions so queries don’t time out under load
As best we can tell it might be referred to with this one, “Fix: Better handling for malformed or broken session names”, but even we are not sure (from the testing we did we confirm that it was fixed in that version 1.2.1 though).
For a lot of people their best option to keep their plugins is up to date is to allow WordPress to automatically update them. That capability has been built-in to WordPress since version 3.7, but it isn’t enabled by default, like it is for minor WordPress updates. There a number options available to enable it, including our Automatic Plugin Updates plugin, which also allows you to exclude certain plugins from automatic updates and get sent an email when an update happens.