06 Jun

Not Every Security Update of a WordPress Plugin is Actually a Security Update

One thing we emphasize when it comes to protecting websites against vulnerabilities in WordPress plugins is to keep them up to date at all times. Trying to guess which versions are security updates by following some security company’s blog or monitoring the changelogs, and then updating only those plugins, simply won’t work. For example, when we looked at the relevant changelog entries for the vulnerabilities in our data set two and a half years ago, we found that 20 percent of the time there was no indication that a security vulnerability had been fixed.

But as something we just ran across reminded us, a plugin’s changelog can also indicate that a new version contains a security fix when it doesn’t. Sometimes that is due to a plugin’s developer believing a false claim that the plugin had a vulnerability (not surprisingly, considering their track record, the person behind that false claim became an employee of Wordfence shortly after that). In that situation at least some change is being made that is intended to be a security fix. That wasn’t the case with the plugin oAuth twitter sidebar widget.

One of the ways we keep track of vulnerabilities in WordPress plugins is to monitor for indications that a security update has been released and then determine whether a vulnerability has actually been fixed. Through that we came across the changelog entry for version 1.6 of the plugin oAuth twitter sidebar widget, which reads “Security updates for latest WordPress version.” Looking at the changes made in that version, we didn’t see any security updates; the only change was to the description of the plugin. Our first thought was that maybe the developer had forgotten to include the security fix and we should let them know about the oversight, but looking over previous changes we found that this wasn’t the first time this had happened. With version 1.4, the changelog entry was “Security updates.”, but the only change made was to remove a “?” from a commented line of code, which would not have any security impact.
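As an added example (not code from the original post), here is a Python check of the kind of review described above: given the files of two plugin versions, it reports whether any change touches executable PHP, or only readme text and comments, as in the two releases discussed. The file contents are constructed samples, and the comment stripper is a simplified one (it does not handle heredocs or inline HTML outside PHP tags).

```python
import re
from typing import Dict, List

# Match PHP string literals (kept) or comments (dropped). Strings are tried
# first so a "//" inside a URL string is not mistaken for a line comment.
_PHP_TOKEN = re.compile(
    r'("(?:\\.|[^"\\])*"'            # group 1: double-quoted string
    r"|'(?:\\.|[^'\\])*')"           # group 1: single-quoted string
    r"|(/\*.*?\*/|(?://|#)[^\n]*)",  # group 2: block or line comment
    re.S,
)


def normalized_php(src: str) -> str:
    """PHP source with comments removed and whitespace collapsed."""
    stripped = _PHP_TOKEN.sub(lambda m: m.group(1) or "", src)
    return re.sub(r"\s+", " ", stripped).strip()


def classify_changes(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket every changed file by whether executable PHP actually changed."""
    result: Dict[str, List[str]] = {"code": [], "comment_only": [], "non_code": []}
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path, ""), new.get(path, "")
        if before == after:
            continue
        if not path.endswith(".php"):
            result["non_code"].append(path)          # readme, assets, etc.
        elif normalized_php(before) == normalized_php(after):
            result["comment_only"].append(path)      # only comments/whitespace moved
        else:
            result["code"].append(path)
    return result


def is_substantive(old: Dict[str, str], new: Dict[str, str]) -> bool:
    """True only if some PHP file changed outside comments and whitespace."""
    return bool(classify_changes(old, new)["code"])


# Constructed sample plugin trees (hypothetical, not the real plugin's files).
V_A = {
    "readme.txt": "Description: Show tweets in your sidebar.",
    "widget.php": "<?php\n// still needed ?\necho '<a href=\"http://example.com\">' . $name . '</a>';\n",
}
# "Security update" that only edits the readme and drops a "?" from a comment.
V_B = {**V_A,
       "readme.txt": "Description: Show tweets in your sidebar, now faster.",
       "widget.php": "<?php\n// still needed\necho '<a href=\"http://example.com\">' . $name . '</a>';\n"}
# A release whose PHP really changes (output escaping added).
V_C = {**V_B,
       "widget.php": "<?php\n// still needed\necho '<a href=\"http://example.com\">' . esc_html($name) . '</a>';\n"}
```

Running `classify_changes(V_A, V_B)` puts widget.php under comment_only and readme.txt under non_code, so `is_substantive` is false for that release and true for V_B to V_C.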
