01 Feb

Closures of Very Popular WordPress Plugins, Week of February 1

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn't an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether the closure looks like it was due to a vulnerability.
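The monitoring described above can be reduced to two checks: which slugs from a stored list of the most popular plugins are no longer in today's list, and, for each of those, whether the plugin's information page is gone (closed) or the plugin merely fell in the rankings. The script below is an added example, not Plugin Vulnerabilities' own tooling. It assumes the WordPress.org plugin info API at https://api.wordpress.org/plugins/info/1.2/ answers `action=query_plugins` with a JSON object holding a `plugins` list of objects that carry a `slug`, and answers `action=plugin_information` for a closed plugin with a JSON object carrying an `error` key; both of those are assumptions about the API, not something the post states. The fetch function is injected so the sample at the bottom runs offline on constructed responses.

```python
"""Flag plugins that dropped out of a stored top-N list and check whether they look closed.

Added example; not the site's own code. The API shapes below are assumptions.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

API = "https://api.wordpress.org/plugins/info/1.2/"  # assumed endpoint
Fetch = Callable[[str], dict]


def popular_url(per_page: int, page: int) -> str:
    q = {"action": "query_plugins", "request[browse]": "popular",
         "request[per_page]": str(per_page), "request[page]": str(page)}
    return API + "?" + urllib.parse.urlencode(q)


def info_url(slug: str) -> str:
    q = {"action": "plugin_information", "request[slug]": slug}
    return API + "?" + urllib.parse.urlencode(q)


def http_fetch(url: str) -> dict:
    """Live fetcher; pass this instead of the stub to run against wordpress.org."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def popular_slugs(fetch: Fetch, top_n: int = 1000, per_page: int = 250) -> List[str]:
    """Page through the popular list until top_n slugs are collected or the list ends."""
    slugs: List[str] = []
    page = 1
    while len(slugs) < top_n:
        batch = [p["slug"] for p in fetch(popular_url(per_page, page)).get("plugins", [])]
        if not batch:
            break
        slugs.extend(batch)
        page += 1
    return slugs[:top_n]


def looks_closed(fetch: Fetch, slug: str) -> bool:
    """Assumption: a closed plugin's info lookup returns an 'error' key (or a different slug)."""
    data = fetch(info_url(slug))
    return "error" in data or data.get("slug") != slug


def find_closed(baseline: Iterable[str], fetch: Fetch, top_n: int = 1000) -> Dict[str, bool]:
    """Map every baseline slug missing from today's list to whether it looks closed.

    False means the plugin is still available and only fell out of the top_n ranking,
    which is the case a naive set difference would misreport as a closure.
    """
    current = set(popular_slugs(fetch, top_n))
    return {s: looks_closed(fetch, s) for s in baseline if s not in current}


# --- Constructed offline sample (invented slugs and responses, not real API output) ---
_YESTERDAY = ["alpha-forms", "beta-slider", "gamma-cache"]
_TODAY_PAGE1 = {"plugins": [{"slug": "alpha-forms"}, {"slug": "delta-seo"}]}


def sample_fetch(url: str) -> dict:
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if qs["action"][0] == "query_plugins":
        return _TODAY_PAGE1 if qs["request[page]"][0] == "1" else {"plugins": []}
    slug = qs["request[slug]"][0]
    if slug == "beta-slider":
        return {"error": "Plugin not found."}  # constructed: behaves like a closed plugin
    return {"slug": slug, "version": "1.0"}   # constructed: still listed, just lower ranked


def demo() -> Dict[str, bool]:
    return find_closed(_YESTERDAY, sample_fetch)


if __name__ == "__main__":
    print(demo())
```

In day-to-day use, store the slug list from one run and pass it as `baseline` on the next; only the slugs reported as `True` are worth the manual review the post describes, since a `False` entry is still live on the directory.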

This week six of these plugins were closed and two of them have been reopened.

Export Users to CSV

Export Users to CSV, which has 30,000+ active installations, was closed on Monday. No reason has been given for the closure. There is a publicly disclosed vulnerability in the latest version, though that was disclosed back in August (we warned our customers of that at the time). So either the WordPress team is way behind, which is entirely possible considering that we were the only ones actually making sure that known vulnerable plugins didn't remain in the Plugin Directory until we suspended doing that, or there is some other reason for the removal. In looking over the plugin we didn't find any obvious additional security issues.

Slider by 10Web

Slider by 10Web, which has 70,000+ active installations, was closed on Wednesday. That was due to a vulnerability we disclosed the day before. The plugin was reopened on Friday.

WP Instagram Widget

WP Instagram Widget, which has 200,000+ active installations, was closed on Wednesday. The developer has responded to questions about the closure with this:

It was removed without my consent unfortunately and it will not be re-instated to the .org repository due to the approach the plugin uses for obtaining data.

In looking over the plugin we didn’t find any obvious security issues.

Sidekick

Sidekick, which has 80,000+ active installations, was closed on Wednesday. No reason has been given for the closure. In looking over the plugin we didn't find any obvious security issues.

Meta Box

Meta Box, which has 300,000+ active installations, was closed on Thursday. That was due to a vulnerability we disclosed the same day. The plugin was reopened on Friday. In doing the standard security checks we do with these closed plugins we found that there is an additional vulnerability in the plugin.

Instagram Slider Widget

Instagram Slider Widget, which has 100,000+ active installations, was closed on Thursday. The developer has written that they were told that it was removed due to:

Your plugin is scraping Instagram for content.

In looking over the plugin we didn’t find any obvious security issues.
