When it comes to the security of WordPress plugins, the approach of the people behind WordPress is to provide as little information as possible (including not notifying developers that their plugins have publicly disclosed vulnerabilities that they are aware of), which often leaves users of plugins in a bad position. Case in point is a topic that popped up in the monitoring we do of the WordPress Support Forum to keep track of vulnerabilities in WordPress plugins, which reads:
Does anybody know what the security issue in this plugin that has led to it being closed is?
In the absence of any information, it’s hard to know what to do. (Full site compromise possible by anyone? Or, minor self-XSS possible if you stand on your left leg on the Statue of Liberty during a blue moon?)
That is a great point, unless you are the people on the WordPress side of things. As we have mentioned in the past, the people on the WordPress side of things strangely don’t seem to understand how the Internet works, so in this case it is easy enough to find what the cause of this was and see that it is a minor issue (though not the only minor security issue in the plugin).
The plugin referenced there is Testimonial Slider, which has 10,000+ active installations according to wordpress.org.
A quick search pulled up that Vinnie Vanhoecke had reported to the plugin team that there is a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin. That really isn’t a major issue, since a CSRF vulnerability, which causes someone else to take an action they didn’t intend to, isn’t something we see attempts to exploit on the average website. It could be used in a targeted attack, though.
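For readers who want to see what the CSRF/XSS class of issue looks like in a WordPress plugin and how it is closed, here is an added illustration written for this post. It is not code from Testimonial Slider or from the report mentioned above; the plugin prefix, option name and form fields (`hypo_*`) are hypothetical. It goes a little beyond the bare CSRF point by also showing the capability check and output escaping that belong in the same handler, since a nonce on its own neither authorises the request nor neutralises a stored value.

```php
<?php
// Added illustration, not the plugin's code. A generic settings handler in the
// shape that yields CSRF plus stored XSS, followed by a hardened version.
// All names prefixed hypo_ are hypothetical.

// --- Vulnerable pattern ---
// Any request carrying the admin's cookies (for example a form auto-submitted
// from another site) changes the option (CSRF), and the stored value is later
// printed without escaping (XSS).
add_action( 'admin_init', 'hypo_vulnerable_save' );
function hypo_vulnerable_save() {
    if ( isset( $_POST['hypo_title'] ) ) {
        update_option( 'hypo_title', $_POST['hypo_title'] );
    }
}
function hypo_vulnerable_render() {
    echo '<h2>' . get_option( 'hypo_title' ) . '</h2>';
}

// --- Hardened pattern ---
// 1. A nonce ties the request to a form the logged-in user actually loaded,
//    so a cross-site POST fails the check_admin_referer() check and dies.
// 2. current_user_can() is still required: a nonce proves intent, not permission.
// 3. Sanitize on input and escape on output, so a stored value cannot carry script.
add_action( 'admin_post_hypo_save', 'hypo_hardened_save' );
function hypo_hardened_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' ); // dies on missing/invalid nonce

    $title = isset( $_POST['hypo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['hypo_title'] ) )
        : '';
    update_option( 'hypo_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=hypo&updated=1' ) );
    exit;
}
function hypo_hardened_render() {
    $title = get_option( 'hypo_title', '' );
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); // emits the hidden nonce field
    echo '<input type="hidden" name="action" value="hypo_save">';
    echo '<input type="text" name="hypo_title" value="' . esc_attr( $title ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin for this class of issue, the quick check is to find every handler that calls `update_option()`, `wp_update_post()` or similar on request data and confirm that a nonce check and a capability check both precede it, and that whatever it stores is passed through an `esc_*()` function wherever it is later printed.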
The person asking about this plugin is the developer of a plugin with 1+ million active installations, according to wordpress.org, and a core WordPress contributor, so someone who seems to have a good grasp of the possible downside of discussing this. We would let that person know what is going on, but the Support Forum moderators would delete it and maybe throw a fit (we wish that were an exaggeration) as well.
This is the kind of thing where using our service can come in handy, since once we knew that there might be an issue we could quickly figure out what was going on, so if a customer of ours had a question like that they could get it quickly answered. By now any of our customers using the plugin have already been notified if they are using a vulnerable version of the plugin.
In a follow-up post we will disclose another minor vulnerability we found while doing a bit of checking over the plugin.