While we are already far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn't an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability in a plugin was exploited, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring whether any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether the closure looks to have been due to a vulnerability.
This week four of those plugins were closed and two have yet to be reopened.
WooCommerce Checkout Manager
WooCommerce Checkout Manager, which has 60,000+ installs, was closed on Friday of last week. That was closed due to an arbitrary file upload vulnerability that we had discovered and disclosed on Tuesday of last week.
The plugin was reopened on Sunday.
Facebook Like Box
Facebook Like Box, which has 30,000+ installs, was closed on Sunday. No explanation has been given for the closure. In a quick check we didn't see any obvious security issues. In October of 2017 we noted strange goings on with the plugin, and the only recent change was that one of the accounts used to submit changes to it changed the author of the plugin to a name other than theirs, which they had previously done in March of 2017 as well, so it continues to be unclear what is going on with that plugin.
Blog Designer
Blog Designer, which has 30,000+ installs, was closed on Monday. No explanation has been given for the closure. When we started a quick check for security issues in it, we found that it contained a setting change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which is the type of vulnerability likely to be exploited.
The plugin was reopened on Wednesday.
Title Remover
Title Remover, which has 100,000+ installs, was closed on Thursday. No explanation has been given for the closure.
In a quick check over the plugin it looks free of vulnerabilities, though it curiously handles things in an insecure way while stating it is doing otherwise: it claims to sanitize user input when no sanitization is done:
```php
/* Get the posted data and sanitize it for use as an HTML class. */
$form_data = ( isset( $_POST['wptr-hide-title-checkbox'] ) ? $_POST['wptr-hide-title-checkbox'] : '0' );
update_post_meta( $post_id, 'wptr_hide_title', $form_data );
```
That allows users without the unfiltered_html capability to store unfiltered HTML in a post meta database entry. Where the plugin uses that value elsewhere, it does so in a way that prevents anything harmful from being done, though it would be more secure to actually sanitize the value or otherwise restrict it.
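Since the stored value is only ever a checkbox flag, the simplest way to restrict it is to allow just the two values the plugin expects. The following is an added example of that hardened save handler, not Title Remover's own code; the function names wptr_sanitize_hide_title and wptr_save_hide_title_hardened are hypothetical, and the request bodies at the bottom are constructed for the stand-alone run.

```php
<?php
/*
 * Added example, not the plugin's own code. The checkbox can only
 * legitimately be checked ('1') or absent, so normalise everything
 * else to '0' instead of storing the raw request value.
 * Function names here are hypothetical.
 */
function wptr_sanitize_hide_title( array $post_data ): string {
    // Only an explicit string '1' counts as checked; arrays, markup and
    // any other strings never reach the database.
    if ( isset( $post_data['wptr-hide-title-checkbox'] )
        && is_string( $post_data['wptr-hide-title-checkbox'] )
        && '1' === $post_data['wptr-hide-title-checkbox'] ) {
        return '1';
    }
    return '0';
}

/* Hardened counterpart of the save handler quoted above (runs inside WordPress). */
function wptr_save_hide_title_hardened( int $post_id ): void {
    $form_data = wptr_sanitize_hide_title( $_POST );
    update_post_meta( $post_id, 'wptr_hide_title', $form_data );
}

/* Stand-alone check with constructed request bodies when run outside WordPress. */
if ( ! function_exists( 'update_post_meta' ) ) {
    $samples = array(
        'checked'   => array( 'wptr-hide-title-checkbox' => '1' ),
        'unchecked' => array(),
        'markup'    => array( 'wptr-hide-title-checkbox' => '<b>not a flag</b>' ),
        'array'     => array( 'wptr-hide-title-checkbox' => array( '1' ) ),
    );
    foreach ( $samples as $label => $body ) {
        printf( "%-9s -> %s\n", $label, wptr_sanitize_hide_title( $body ) );
    }
}
```

Because the normalisation happens before update_post_meta() is called, the post meta entry can never hold HTML regardless of whether the submitting user has the unfiltered_html capability.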