14 Jun 2023

Security Review of Brand New WordPress Plugins Still Failing at Basic Level

When new WordPress plugins are submitted to the WordPress Plugin Directory, they are supposed to go through a review first, which includes checking the security of the plugin:

You will get an automated email telling you about the submission immediately. At that point, someone will manually download and review your code. If we find no issues with the security, documentation, or presentation, your plugin will be approved. If we determine there are issues, you will receive a second email with details explaining what needs to be fixed.

Despite that claim, for over five years the automated proactive monitoring we do of changes being made to plugins has been catching brand new plugins that contain security vulnerabilities. We have offered to provide the team running the Plugin Directory with access to the same capability, or to help them create their own. They haven't taken up our offer (or the offers from others to help them fix problems like this). The team hasn't even allowed anyone to apply to join it, despite being severely understaffed for many years (by their own account, the team has had only four members for years).

Hope For Change

Recently, it has looked like things might be getting better, as the long-time, problematic (to put it politely) head of the team running the Plugin Directory, Mika Epstein, said they would be leaving the team by July 1. The post where they made that announcement included their usual self-serving, misleading (again, to put it politely) claims. They mentioned an understaffing problem on the team going back to 2019, despite having blocked others from getting involved going back further than that.

Even while announcing the change, Mika Epstein continued to block anyone from even applying to join the team. With a little over two weeks left before the changeover, there still are no new listed members of the team. The process for adding new members was claimed to involve community input, though no such request was made available to the public through the team's website (as we said, Mika Epstein is known for making misleading, self-serving claims):

Given the need for the new team members to get up and running relatively quickly, the plugin review team invited contributors who have experience with plugins and code to join the team, thanks to recommendations from many community members. These contributors were vetted for good standing in the WordPress project, confirmed that they had the required skill set to review plugins and would respect the required level of security and confidentiality needed, and agreed to help refine the onboarding process to the Plugin Review team.

Still Failing

As can be seen with a couple of brand new plugins recently allowed into the Plugin Directory, the reviews are still failing at a basic level. Because the reviews are done in secret, there is no way to know whether the failures here were by new members of the team or existing members.

The plugin ShortcodeGPT was added to the directory on June 7. Our automated monitoring flagged that it might contain a shortcode execution vulnerability, and a quick check confirmed that it did. That is a somewhat obscure type of vulnerability, but it was in a function that should have been reviewed anyway, because the function is AJAX accessible even to those not logged in to WordPress.

The plugin Sobex Tech was added on June 3. That plugin was flagged by the monitoring system for possibly insecure file upload code. Checking on that, we found there to be a serious vulnerability, but we also found that the code was rather obviously insecure more widely. Take one example from the same file where the vulnerable code was flagged. The last function in the file is described as “Ajax Function For reset menu slide style icons”. That would seem to be something that only Administrators should be able to access, and yet even those not logged in to WordPress can access it, because it is registered with both the wp_ajax_ hook (logged-in users) and the wp_ajax_nopriv_ hook (anyone who can reach the site):

add_action( "wp_ajax_sobex_reset_menu_slide_icons_style", "sobex_reset_menu_slide_icons_style" );   //reset_records is action
add_action( "wp_ajax_nopriv_sobex_reset_menu_slide_icons_style", "sobex_reset_menu_slide_icons_style" );

The function itself doesn’t do any security checks whatsoever. There is no nonce check and no capability check; the only thing it tests is whether a POST parameter named reset is set, and then it writes to the database:

function sobex_reset_menu_slide_icons_style(){

  global $wpdb;
  global $stsearch_get_opts;

  if (isset($_POST['reset'])) {

    if(isset($stsearch_get_opts['menu_menu_specific_name']) && !empty($stsearch_get_opts['menu_menu_specific_name'])) {
      $temp_name = $stsearch_get_opts['menu_menu_specific_name'];
      $default_icon = 'sobex-tech-favorite';
      $result = $wpdb->update( $wpdb->prefix.'sobex_tech_widget_menu', array('menu_icon'=>esc_attr($default_icon),'menu_icon_color'=>'#16a27b'),array( 'menu_temp_name' => $temp_name ));

It would be hard to miss that if a security review was done by someone with even a fairly limited knowledge of what they should be checking for.
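As an added example (it is not code from this post, from Sobex Tech or from ShortcodeGPT), the following Python script does the kind of mechanical triage that a reviewer, or the monitoring described above, would apply to both of the plugins discussed. It finds every add_action("wp_ajax_...") registration in a PHP file, locates the callback, and reports whether the callback is reachable without logging in (wp_ajax_nopriv_), whether it calls current_user_can(), whether it verifies a nonce (check_ajax_referer, check_admin_referer or wp_verify_nonce), and whether it passes request input straight to do_shortcode(). It is regex and brace matching, not a PHP parser, so it is a first pass, not a verdict. The first sample is the Sobex Tech excerpt quoted above with its closing braces added; the other two samples (example_reset, example_render) are constructed for illustration and are not any real plugin's code.

```python
import re

# Registration of an AJAX handler: add_action("wp_ajax_ACTION" or "wp_ajax_nopriv_ACTION", "callback").
AJAX_HOOK_RE = re.compile(
    r'add_action\(\s*["\']wp_ajax_(nopriv_)?([A-Za-z0-9_]+)["\']\s*,\s*["\']([A-Za-z0-9_]+)["\']')
FUNC_RE = re.compile(r'\bfunction\s+([A-Za-z0-9_]+)\s*\(')
CAPABILITY_RE = re.compile(r'\bcurrent_user_can\s*\(')
NONCE_RE = re.compile(r'\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(')
# do_shortcode() whose argument list references a request superglobal before the statement ends.
SHORTCODE_FROM_REQUEST_RE = re.compile(r'\bdo_shortcode\s*\([^;]*?\$_(?:POST|GET|REQUEST)\b')


def function_bodies(src):
    """Map each `function name(` in src to its brace-delimited body.
    Heuristic: braces inside strings or comments will confuse it."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        start = src.find('{', m.end())
        if start == -1:
            continue
        depth, end = 0, len(src)          # unterminated body: take the rest of the file
        for i in range(start, len(src)):
            if src[i] == '{':
                depth += 1
            elif src[i] == '}':
                depth -= 1
                if depth == 0:
                    end = i + 1
                    break
        bodies[m.group(1)] = src[start:end]
    return bodies


def scan(src):
    """Return {callback: sorted issue codes} for every AJAX handler registered in src."""
    bodies = function_bodies(src)
    nopriv_by_callback = {}
    for m in AJAX_HOOK_RE.finditer(src):
        cb = m.group(3)
        nopriv_by_callback[cb] = nopriv_by_callback.get(cb, False) or m.group(1) is not None
    report = {}
    for cb, nopriv in nopriv_by_callback.items():
        issues = set()
        body = bodies.get(cb)
        if body is None:
            issues.add('callback-not-in-file')     # defined elsewhere: review that file too
        else:
            if not CAPABILITY_RE.search(body):
                issues.add('no-capability-check')
            if not NONCE_RE.search(body):
                issues.add('no-nonce-check')
            if SHORTCODE_FROM_REQUEST_RE.search(body):
                issues.add('shortcode-from-request')
        if nopriv:
            issues.add('nopriv')                   # reachable by visitors who are not logged in
        report[cb] = sorted(issues)
    return report


def unauthenticated_unchecked(report):
    """Callbacks anyone can reach that never check a capability: the case shown in the post."""
    return sorted(cb for cb, issues in report.items()
                  if 'nopriv' in issues and 'no-capability-check' in issues)


# The Sobex Tech excerpt quoted above, with closing braces added so it is a complete function.
SOBEX_EXCERPT = r'''
add_action( "wp_ajax_sobex_reset_menu_slide_icons_style", "sobex_reset_menu_slide_icons_style" );
add_action( "wp_ajax_nopriv_sobex_reset_menu_slide_icons_style", "sobex_reset_menu_slide_icons_style" );
function sobex_reset_menu_slide_icons_style(){
  global $wpdb;
  global $stsearch_get_opts;
  if (isset($_POST['reset'])) {
    if(isset($stsearch_get_opts['menu_menu_specific_name']) && !empty($stsearch_get_opts['menu_menu_specific_name'])) {
      $temp_name = $stsearch_get_opts['menu_menu_specific_name'];
      $default_icon = 'sobex-tech-favorite';
      $result = $wpdb->update( $wpdb->prefix.'sobex_tech_widget_menu', array('menu_icon'=>esc_attr($default_icon),'menu_icon_color'=>'#16a27b'),array( 'menu_temp_name' => $temp_name ));
    }
  }
}
'''

# Constructed (hypothetical) handler with the checks the excerpt lacks: logged-in only, nonce, capability.
HARDENED_SAMPLE = r'''
add_action( "wp_ajax_example_reset", "example_reset" );
function example_reset(){
  check_ajax_referer( 'example_reset', 'nonce' );
  if ( ! current_user_can( 'manage_options' ) ) {
    wp_send_json_error( 'forbidden', 403 );
  }
  wp_send_json_success();
}
'''

# Constructed (hypothetical) illustration of the shortcode-execution pattern; not ShortcodeGPT's code.
SHORTCODE_SAMPLE = r'''
add_action( "wp_ajax_nopriv_example_render", "example_render" );
function example_render(){
  echo do_shortcode( wp_unslash( $_POST['content'] ) );
  wp_die();
}
'''

if __name__ == '__main__':
    for name, src in [('sobex', SOBEX_EXCERPT), ('hardened', HARDENED_SAMPLE), ('shortcode', SHORTCODE_SAMPLE)]:
        print(name, scan(src))
```

A 'nopriv' plus 'no-capability-check' result is not automatically a vulnerability (a front-end search handler is legitimately public), but it is exactly the combination a reviewer has to look at, because it means the function body must be safe for any visitor to call; for the Sobex Tech excerpt, which writes to the database, it plainly is not.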

Bring in the Community

What has been lacking for many years is the ability for the WordPress community to be involved in the Plugin Directory. Unfortunately, the community is still being left out here, and the results, as can be seen from the failed security reviews of those new plugins, are not good. That could be changed by opening things up to the WordPress community before a new team is given control of the Plugin Directory, instead of afterwards, as is currently claimed will happen.

One thought on “Security Review of Brand New WordPress Plugins Still Failing at Basic Level”

  1. Hey
    – Suspicion about function does not have security check
    The function in the file only accepts requests from an admin, making it inherently safe. However, to further enhance security measures, we have added additional code to perform security checks as a precautionary measure.

    To read the full comment: https://www.pluginvulnerabilities.com/2023/06/14/our-proactive-monitoring-caught-a-remote-code-execution-vulnerability-in-a-brand-new-wordpress-plugin/?unapproved=19798&moderation-hash=383e3c7a3ee8f675d7b93497b09ee190#comment-19798
    Thanks,
    Supervisor.
