Closures of Very Popular WordPress Plugins, Week of August 9
While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like the closure was due to a vulnerability.
This week nine of those plugins were closed and eight of them have not been reopened. If you were a customer of our service you could have already been warned if you were using either of the two we found to contain security vulnerabilities.
PDF Embedder
The plugin PDF Embedder, which has 200,000+ installs, was closed on Saturday. It appears the closure was due to a violation of the guideline against plugins that “embed external links or credits on the public site without explicitly asking the user’s permission”. In a quick check over the plugin we didn’t see any obvious security issues in it.
The plugin was reopened on Wednesday.
JSON API
The plugin JSON API, which has 30,000+ installs, was closed on Wednesday. That was due to an open redirect vulnerability we found in the plugin with our Plugin Security Checker.
WhatsApp Chat
The plugin WhatsApp Chat, which has 50,000+ installs, was closed on Thursday. The plugin appears to have been closed due to the name. In a quick check over the plugin we didn’t see any obvious security issues in it.
AccessPress Social Icons
The plugin AccessPress Social Icons, which has 50,000+ installs, was closed on Thursday. In a quick check over the plugin we didn’t see any obvious security issues in it.
Social Share WordPress Plugin – AccessPress Social Share (Tester)
The plugin Social Share WordPress Plugin – AccessPress Social Share (Tester), which has 50,000+ installs, was closed on Thursday. In a quick check over the plugin we didn’t see any obvious security issues in it.
WP Instagram Feed Gallery
The plugin WP Instagram Feed Gallery, which has 40,000+ installs, was closed on Thursday. The plugin appears to have been closed due to the name. In a quick check over the plugin we didn’t see any obvious security issues in it.
Social LikeBox & Feed
The plugin Social LikeBox & Feed, which has 40,000+ installs, was closed on Thursday. The plugin appears to have been closed due to similarities between its graphics and Facebook graphics. There is a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin.
AccessPress Social Counter
The plugin AccessPress Social Counter, which has 40,000+ installs, was closed on Thursday. In a quick check over the plugin we didn’t see any obvious security issues in it.
WP Instagram Widget
The plugin WP Instagram Widget, which has 200,000+ installs, was closed on Thursday. In a quick check over the plugin we didn’t see any obvious security issues in it.