When it comes to the poor security surrounding WordPress plugins, what we have long found so unfortunate is that it would be easy for the team running the Plugin Directory to improve the situation. For reasons that have never made sense, they continue to refuse to do things that would make a big difference and likely greatly reduce the number of websites being hacked (we and others have repeatedly offered to help them do those things).
One problem we have long seen is that after a plugin is closed on the Plugin Directory due to a vulnerability, it often remains closed even after the vulnerability has been fixed, so those already using the plugin can't get the updated version. This often appears to be because the team running the Plugin Directory requires further changes to be made, sometimes security related, before the plugin is reopened. The problem with that is that if those websites could update, the fixed vulnerability could no longer be exploited on them.
While it is understandable not to want to introduce a plugin that still has additional security issues to websites not already using it, withholding the update from those already using the plugin is only harmful, since they remain exposed to the fixed vulnerability and gain nothing in return. So an option to allow those already using the plugin to update seems like a no-brainer.
Back in April we believed that the team had finally gotten access to that capability and started using it, as with the plugin Ari Adminer a different message was shown when it was closed due to a security vulnerability:
This plugin has been closed as of April 5, 2019 and is not available for download. This closure is permanent.
and we found that while it was closed you could still update the plugin. What made that seem a bit odd is that the vulnerability was not an issue that was likely to be exploited, so why start with that plugin?
Since then we haven't seen that done with any other plugin we have run across, and in looking back at something recently, we noticed that it sounds like they have had this capability for years, as this was written by the person in charge of the Plugin Directory four years ago:
Right now, we actually do have disabled as an option, which means a plugin is removed but still able to push updates. That functionality would need to be revisited.
So it appears that it might have been used in that instance by accident.
Using that capability would be useful with the plugin DELUCKS SEO right now. On Saturday we publicly warned that it looked like a hacker was targeting an unfixed vulnerability in the plugin. The developer of the plugin fixed the vulnerability on Monday, but the plugin still remains closed as of the publishing of this post. Since then there have been reports of websites being hacked due to it.
Since the team running the Plugin Directory also controls the moderation of the WordPress Support Forum, it isn't possible to discuss problems like this in the most obvious place, so coverage by security journalists seems like it would be an important element of these problems finally being resolved, but they seem unconcerned about such things. Instead you had a ZDNet security journalist, who made up a fictional story about us earlier this year, criticizing us for getting ahead of the vulnerability in DELUCKS SEO (also incorrectly, they are claiming that we have too "big of an ego to work with the WP security team", when it seems to be the opposite of that):
Second WP plugin zero-day detected entering active exploitation in the past 24h.
— Catalin Cimpanu (@campuscodi) September 25, 2019