WordPress Plugin Developers Continue to Make Additional Attempts to Fix Vulnerabilities Without Disclosing It
Last month we wrote about how one of our competitors in providing data on vulnerabilities in WordPress plugins was copying inaccurate data from another provider. That involved a vulnerability in a plugin named Auto Affiliate Links, which hadn’t been fully fixed. The developer later responded in the comments that they hoped the issue had by then been fully resolved. We responded that it hadn’t. Days ago, the developer released a new version with the changelog stating “Tested and updated to work with WordPress 6.4.2”. That seemed odd, as minor updates to WordPress usually don’t make changes that plugins need to be changed to address. It turned out that they were making a further attempt to address the vulnerability.
If you look at the changes made in the new version, they were to add two nonces, add one nonce check, and change the “tested up to” version to WordPress 6.4.2. The first two changes are related to addressing the cross-site request forgery (CSRF) vulnerability. The last change isn’t actually necessary: developers can simply list their plugin as being compatible with WordPress 6.4, and they don’t need to keep changing that for every minor version.
The last two releases of the plugin noted that security fixes were being applied, as they read “Added security nonces in exclude post page” and “Added security nonces for exclude terms and words pages.”
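As an added illustration (not the plugin’s own code), here is what a nonce fix for a CSRF-vulnerable WordPress settings handler looks like, with hypothetical option and function names. The point worth noting is that a nonce field in the form protects nothing on its own; the handler has to verify it before acting on the request.

```php
<?php
// Added example (hypothetical names, not Auto Affiliate Links code): a plugin
// settings form for an "exclude terms" option, first CSRF-vulnerable, then
// with a nonce field in the form and the matching server-side check.

// --- Vulnerable: no nonce in the form, and the handler verifies nothing. ---
function aal_example_render_form_unsafe() {
    echo '<form method="post">';
    echo '<input type="text" name="exclude_terms" value="' . esc_attr( get_option( 'aal_example_exclude_terms', '' ) ) . '">';
    echo '<input type="submit" name="aal_example_save" value="Save">';
    echo '</form>';
}

function aal_example_handle_unsafe() {
    if ( isset( $_POST['aal_example_save'] ) ) {
        // A logged-in admin who loads a page on another origin that auto-submits
        // this form has the option overwritten on their behalf: classic CSRF.
        update_option( 'aal_example_exclude_terms', sanitize_text_field( wp_unslash( $_POST['exclude_terms'] ) ) );
    }
}

// --- Fixed: a nonce field in the form AND a check before acting on the POST. ---
function aal_example_render_form_safe() {
    echo '<form method="post">';
    // Emits a hidden field named aal_example_nonce tied to this action and the
    // current user's session. Adding only this line is not a fix.
    wp_nonce_field( 'aal_example_save_terms', 'aal_example_nonce' );
    echo '<input type="text" name="exclude_terms" value="' . esc_attr( get_option( 'aal_example_exclude_terms', '' ) ) . '">';
    echo '<input type="submit" name="aal_example_save" value="Save">';
    echo '</form>';
}

function aal_example_handle_safe() {
    if ( ! isset( $_POST['aal_example_save'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() stops the request unless the nonce is present and
    // valid for this action and user; this is what blocks forged submissions.
    check_admin_referer( 'aal_example_save_terms', 'aal_example_nonce' );
    update_option( 'aal_example_exclude_terms', sanitize_text_field( wp_unslash( $_POST['exclude_terms'] ) ) );
}

// Run the hardened handler on admin page loads (hypothetical hook placement).
add_action( 'admin_init', 'aal_example_handle_safe' );
```

When reviewing a changelog entry like “Added security nonces”, the check a reviewer wants is whether every new nonce field has a corresponding verification in the code path that processes the request.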
What is a lot more important than what happened with this particular plugin is that this is yet another reminder that WordPress plugin developers are not always disclosing that they are fixing vulnerabilities, including, as we have been noticing a lot recently, when making a second or later attempt to fix a vulnerability. The important takeaway is that you cannot rely on changelogs (or other information, for that matter) to determine whether you should update plugins to protect against security issues. Instead, you should keep plugins up to date all the time.
Another takeaway is that developers are not always good at fixing vulnerabilities, as the issue still hasn’t been fully resolved.