30 Nov

Closures of Very Popular WordPress Plugins, Week of November 30

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and then reopened. One of three was closed due to a vulnerability and another was closed due the security of the plugin, though there doesn’t appear to be any vulnerabilities related to that. That two thirds of those were for security issues is out of line with a broader claim made just today by a member of the team that handles the plugin that claimed that “most of the time when a plugin is delisted, it is not for a security issue.”.

Google Maps Widget

Google Maps Widget, which has 100,000+ active installations according to wordpress.org, was closed on Monday. At which point we already were warning our customers about a vulnerability in the current version, since we were the ones that discovered it.

The plugin returned on Tuesday.

Ditty News Ticker

Ditty News Ticker, which as 40,000+ installations, was closed on Tuesday. The developer stated the following was the reason for the closure:

Someone reported a minor potential security issue with Ditty News Tickers.

Looking at the original changes made in response to that we didn’t see anything that looks like a vulnerability that was being fixed. There was sanitization done on user input using esc_html(), but it doesn’t look like any of that was then being used in way where that would have mattered. For example, one of the changes involved adding escaping the first line below:

$page = isset( $_GET['tickpage'] ) ? esc_html($_GET['tickpage']) : 1;
$offset = ($page-1) * $_mtphr_dnt_list_tick_count;

Any malicious JavaScript would get lost when the second line is run. Though the sanitization there isn’t doesn’t look correct since the value looks is intended to be an integer. We contacted the developer and let them know about that and additional changes were made.

The plugin was reopened on Wednesday.

Cookie Notice

Cookie Notice (Cookie Notice for GDPR), which has 900,000+ installations, was closed on Thursday.

We looked over the plugin on Thursday and there were not any obvious security issues that we could spot.

On Friday morning the developer explained the reason for the closure:

Wanted to inform all of you that the reason for closing the plugin was NOT a security issue.

The problem reported by the Plugin Review Team is as follows:

“Your plugin claims 100% GDPR Compliance.

Before that happened you had one the moderators of the WordPress Support Forum, Jan Dembowski, as usual acting inappropriately in a topic about the closure. By the time we ran across that thread apparently a number of replies after Jan Dembowski’s had been deleted based on the next reply at that point:

And why are all the other answers from other people here deleted?
Thats not serious. If the plugin has a security hole it would just be fair to inform the users, otherwise their systems are at risk. Thats not funny to deal in this manner.

The next response tried to explain to Jan Dembowski why their handling of this is less than optimal:

When a plugin is closed it could be for a variety of reasons. Those reasons are not disclosed or discussed as it could be a security issue or it could be a plugins guidelines issue.

Well, that is the reason because people are ASKING. Because there could be many reasons. If you ran into this issue again and again. You need to change the communication about this. And just deleting threads is not a great answer to those communication problems.

Please be patient, if the author wishes to reply then I am sure they will.

Well, this is easy to say – if you know what is going on. But there are more than 900k users that DON’T KNOW what is going on. And we don’t know WHEN or IF the plugin will be returning into repository. So maybe you can understand why there are users that are concerned and expect the worst (a big security issue)…

Instead them being willing to have a productive discussion they closed the topic and wrote in part:

OK, sniping at other moderators isn’t a good idea. I’ve archived that reply and flagged that account. You know who you are.

We’ve gone past a productive conversation here.

You also had another moderator, Andrew Nevins, not understanding why what is going on needs be handled differently, writing this:

Guys please calm down. As it is, we don’t disclose it before the resolution of those issues. If this is too uncertain then I recommend uninstalling the plugin from your installations.

To make things confusing for anyone trying to listen to the moderators, in another thread about the closure you had another moderator write this:

Taking pre-emptive measures like removing the plugin just because it was delisted is never really necessary.

Considering what the issue is, telling people what that was would have had no negative consequence, beyond possible complaints about closing it for such a minor issue. Unfortunately the moderators have a complete inability to operate in adult professional manner (if looked at Jan Dembowski’s Twitter account you probably wouldn’t know they are an adult at all) and they have unfettered ability to operate inappropriately because there apparently is no one else that is able to act like an adult on the WordPress side of things.

The plugin was reopened later on Friday.