21 May

WordPress Plugin Developers Are Portraying Limited Security Checks as Security Audits, Which They Are Not

Earlier today we noted that more WordPress plugins getting a security review would be a big help to the WordPress community. While there are not many security reviews of plugins happening now, in some cases developers are making it sound like their plugins are getting security audits that they do not appear to be getting.

As part of continually monitoring various sources for information on vulnerabilities in WordPress plugins, so that we can add them to our data set and our customers can be informed of vulnerabilities in plugins they use, today we came across a report of vulnerabilities in the plugin WPGraphQL. In looking into this we found that the release notes for the version that is supposed to fix this contained this information:

Security Audit
We had a formal security audit performed on the plugin by Simone Quatrini of Pen Test Partners. Fortunately, most of the issues reported by the audit were already being resolved by the Model Layer we had in progress at the time we received the report. Some additional issues were brought to our attention that were not on our radar and were addressed in this release. We recommend updating to this latest version to benefit from all the new features as well as the security fixes. In a week or two, we will publish more information about the security audit, but want to give folks the chance to update the plugin to the latest version before disclosing the issues that were reported.

And this information:

All sorts of access control data leaks. The Model Layer now restricts data that should be restricted and exposes it only to those with proper capabilities to view it. Thanks again to Simone for working with us on the Security Audit and providing us with a detailed report, and verifying that the issues had been properly resolved in this release!

The post by Pen Test Partners about this doesn’t make any mention of a security audit, as you might guess from its title, “Pwning WordPress GraphQL”. Nor does what is written in the post make what was done a security audit by some other name. Instead it looks like one area of the security of the plugin was checked.

That isn’t the only time we have come across that sort of apparently misleading portrayal recently. While looking into the possibility that a security vulnerability had been fixed in the plugin WP Inventory Manager last month we happened across a settings change vulnerability that led to a persistent cross-site scripting (XSS) vulnerability. That was not in any way a security audit, but that is the way the developer portrayed it:

In a recent security audit it has come to our attention that there was a back door security issue. Without being too descriptive as to what that issue was so that attackers do not try to exploit you; we are issuing this public notification to update immediately to version 1.8.2. If you are on any previous version of the plugin, we strongly advise that you update to 1.8.2 immediately.

We apologize for any inconvenience. But it is our duty to make you aware and to keep you safe.

That is also misleading in that we had already released our report on the vulnerability before they said that, so it wasn’t as if their being tight-lipped about it was going to impact exploit attempts, but it might have led people to not understand how insecure the plugin had been (and still might be, since we just happened across that issue and didn’t do a full security review).