WordPress Team Blocks Warning to Developer of Vulnerability in Plugin While Probing for Usage of the Plugin Has Already Begun
Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, and we are only trying to notify the developer through the WordPress Support Forum. That creates more of a problem when the vulnerabilities are likely to be exploited, as the arbitrary file viewing vulnerability we disclosed yesterday in the plugin WebP Express is. Thankfully, that type of vulnerability usually doesn't lead to websites being hacked. You would think that someone on the WordPress side of things might step in to make sure the moderators' behavior is cleaned up so that these full disclosures can end, or, barring that, keep on top of these disclosures to avoid them causing major issues. That doesn't appear to be the case.
While our message to the developer on the Support Forum, letting them know of the issue right after we disclosed it, was blocked from being shown to them, that, not at all surprisingly (unless you are the WordPress team), hasn't stopped hackers from becoming aware of it already. Earlier today we saw a couple of requests that look to be probing for usage of the plugin by requesting a CSS file from it, /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css. A static file like that is served directly by the web server, so a 200 response tells the requester the plugin is installed without touching any of the plugin's PHP code. Those requests came from IP addresses in China that appear to belong to Alibaba.
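As an added example that is not part of the original post, the following script shows how a site owner could spot this kind of plugin-usage probing in their own access logs. It parses lines in the common combined log format, flags a direct request for the WebP Express CSS path named above as a high-confidence probe, and flags other direct requests for static files under /wp-content/plugins/ as low-confidence probes. The log lines are constructed for the example (RFC 5737 documentation addresses, not the requests the post describes), the "no Referer means a direct request" rule is a heuristic assumption, and the slug example-plugin is made up.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Optional

# Constructed sample access-log lines (combined log format). Not real traffic;
# IPs come from RFC 5737 documentation ranges and "example-plugin" is invented.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2019:14:02:11 +0000] "GET /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2019:14:02:12 +0000] "GET /wp-content/plugins/webp-express/readme.txt HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2019:14:05:40 +0000] "GET /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css HTTP/1.1" 200 1842 "https://example.com/wp-admin/options-general.php?page=webp_express_settings_page" "Mozilla/5.0"
192.0.2.55 - - [10/Feb/2019:14:06:03 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2019:14:06:30 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Any request under the plugins directory reveals which plugin slug is targeted.
PLUGIN_DIR_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/?]+)/")

# Static assets used to fingerprint a plugin. The WebP Express path is the one
# reported in the post; any further entries would be assumptions.
KNOWN_PROBE_PATHS = {
    "/wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css": "webp-express",
}

# Static files and directory requests that need no PHP to answer.
STATIC_SUFFIXES = (".css", ".js", ".txt", ".md", "/")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[tuple[str, str]]:
    """Return (plugin_slug, confidence) if the request looks like a plugin-usage probe.

    Heuristic (assumption): a browser loading a page's CSS/JS sends that page as
    Referer, while a scanner fetching the asset directly normally sends none.
    """
    path = entry["path"].split("?", 1)[0]
    direct = entry["referer"] in ("", "-")
    if not direct:
        return None
    if path in KNOWN_PROBE_PATHS:
        return KNOWN_PROBE_PATHS[path], "high"
    m = PLUGIN_DIR_RE.match(path)
    if m and path.endswith(STATIC_SUFFIXES):
        return m.group("slug"), "low"
    return None


def scan(log_text: str) -> list[dict]:
    """Scan log text and return one finding per request that looks like a probe."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        hit = classify(entry)
        if hit:
            slug, confidence = hit
            status = int(entry["status"])
            findings.append({
                "ip": entry["ip"],
                "plugin": slug,
                "path": entry["path"],
                "status": status,
                # A 200 confirms to the prober that the plugin is installed.
                "installed": status == 200,
                "confidence": confidence,
            })
    return findings


def probes_by_ip(findings: list[dict]) -> dict[str, set[str]]:
    """Group the plugin slugs probed by each source address."""
    out: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        out[f["ip"]].add(f["plugin"])
    return dict(out)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} probed {f['plugin']} ({f['confidence']}): "
              f"{f['path']} -> {f['status']}")
    print(probes_by_ip(scan(SAMPLE_LOG)))
```

Run against a real log with `scan(open("access.log").read())`. The high-confidence match is the only one tied to the path in the post; the low-confidence rule catches the same scanner enumerating other plugins, which is what the grouping by IP is for, and the `installed` flag tells you which of those enumerations succeeded.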
In the past, with a vulnerability that looked like it was being exploited, we warned people who are not even customers through the free data that comes with the companion plugin for our service, but WordPress closed that plugin on the Plugin Directory, so they are stopping people from getting a free and easy option to be warned about the most vulnerable plugins. So unfortunately, if you want to keep abreast of whether plugins you are using have serious vulnerabilities, at this time our service is the only real option, as other data sources and other security companies are way behind in warning about vulnerable plugins (WordPress refuses to provide any warning).
If you want to get ahead of security issues in WordPress plugins you use, then our Plugin Security Checker is a good place to start, since it can alert you if plugins you use contain similar code that could contain the same vulnerability (and if those plugins possibly contain a lot of other serious vulnerabilities). The tool is continually being updated, so checking your plugins frequently could lead to a warning about an issue it didn't warn about before (the check that identified the possibility of this vulnerability was only added on Monday afternoon). From there, if you are a paying customer of our service, you can suggest/vote for the plugin to receive a security review that will check over the possible issue, or you can order the same type of review separately.