If WordPress eventually has leadership that doesn’t treat the real security issues with WordPress plugins as being “hypothetical” as they currently do, there is a lot that could be done to improve the situation. One area would be to look at ways to make it easier to inform developers of security issues in their plugins that are hosted on the wordpress.org Plugin Directory. As something that happened on Friday shows, getting directly in touch with the developer can make a big difference.
On Friday Lenon Leite disclosed an unfixed authenticated SQL injection vulnerability in the plugin JTRT Responsive Tables. About 7 weeks before doing that, he had left a message about the issue on the wordpress.org Support Forum and had also submitted a pull request on the plugin’s GitHub page with a fix for it (using a prepared statement for the related SQL statement would also be a good idea, since that addresses the injection at its source rather than relying on input filtering alone).
After confirming that the vulnerability did indeed exist and adding it to our service’s data set, we went to see if we could find a direct contact for the developer. We found that their email address was included on their GitHub page. Less than four hours after we had contacted them to let them know about the disclosure and available fix, they responded that they had released an update for the plugin (which incorporated Lenon Leite’s fix).
That is far from the only instance where we have been able to get a disclosed vulnerability fixed by simply contacting the developer. That doesn’t always work though, and it currently means that there are plugins with over 1.3 million active installations that have known vulnerabilities in their current version and yet remain in the wordpress.org Plugin Directory. That could change if the people behind WordPress finally took an interest in improving their poor security handling. In the meantime, if you start using our service you would get notified if you were using any of those plugins, and we could then help you determine the best option to protect yourself from that vulnerability (often we can provide a workaround until the plugin is hopefully eventually properly fixed).