Recently we mentioned we are long overdue reviewing the security of the WordPress plugins we use, so here is the start of that. We start with a plugin that we didn’t expect to have any issues, but considering how many websites have started using it recently as well, it seems like a good place to start. That plugin being the Classic Editor, which “restores the previous WordPress editor and the Edit Post screen and makes it possible to use the plugins that extend it, add old-style meta boxes, or otherwise depend on the previous editor” and now has 600,000+ installations according to wordpress.org.
If you want a security review of plugins you use, when you become a paying customer of our service you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.
The review was done on version 0.5 of Classic Editor. We checked for the following issues during this review:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
SQL injection vulnerabilities (the code that handles requests to the database)
Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with functions accessible through the admin_init action
- Security issues with import/export functionality
- Security issues with usage of is_admin()
- Security issues with usage of add_option(), delete_option(), and update_option()
- Host header injection vulnerabilities
Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
- Any additional possible issues identified by our Plugin Security Checker
We found no issues with any of the checked items in version 0.5 of Classic Editor.