10 Nov

Checking For Outdated Third-Party Libraries Is Hard When Even a Security Library Doesn’t Include a Version Number

We have been looking over the implications of adding a check for usage of the function create_function() to our security checker for WordPress plugins. That function has some security risk (though we can’t recall it being part of any disclosed vulnerabilities in WordPress plugins), it is being deprecated in PHP 7.2, and the PHP documentation for it suggest that “Relying on this function is highly discouraged.”.

In looking in to whether it would make sense to add a check for usage of create_function() we found it being included (though possibly not being used) in 19 of the 100 most popular plugins in the Plugin Directory. In a couple of the plugins, it is located in files that are part of the third-party library phpseclib.

Upon seeing that we started thinking about adding checking for outdated or maybe just known insecure versions of third-party libraries to the plugin checker. What we found with that library though is that it doesn’t include its version number anywhere in code. As you can probably guess from the name, the library is security related, as it provides PHP implementation of things used for secure communication. If that type of library doesn’t provide that, it isn’t all that surprising that others wouldn’t either, even though that has a pretty obvious security benefit.

Even without version numbers it can be possible to check other content in a library to determine the version in us. If you are aware of any library it would be a good idea to check for being outdated or insecure in WordPress plugins, please leave a comment or contact us.