How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9
Our customers provide us with the ability to help make WordPress plugins more secure, mostly with the plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it here to give a better picture of what is going on and of how signing up for our service can help expand that work.
Vulnerability in WordPress Hosting Benchmark tool Partially Fixed
Last week, we reached out to the developer of the WordPress plugin WordPress Hosting Benchmark tool to let them know that an attempt to fix a vulnerability in their plugin had failed and that the vulnerability was more severe than they claimed. The misidentification of the issue looks to be caused in part by a competitor of ours, Patchstack, not properly reviewing a claim they received of a vulnerability in the plugin (which is a common occurrence). We looked into it because at least one of our customers was using the plugin.
The developer initially responded that there was no longer an issue, based on the common confusion over what the WordPress function is_admin() does: it reports whether the request is for an admin (/wp-admin/) page, not whether the current user is an Administrator. We replied back explaining that to them. This week they released a new version that partially addressed the problem, but the plugin is still vulnerable. They didn't provide the changes to us to review first, so we couldn't point to the remaining issue (which we had mentioned when we originally contacted them) before the release. They later got back to us and we noted the still incomplete nature of the fix. It appears that the remaining issue may now be on its way to being resolved.
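To show what the is_admin() confusion looks like in practice, here is a constructed example added to this post. It is not code from the WordPress Hosting Benchmark tool plugin; the hbt_* function, action and nonce names are hypothetical. The first handler uses is_admin() as if it were an authorization check; the second does what a plugin should do instead.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the
// "hbt_run_benchmark" AJAX action and the nonce name are hypothetical.

// BEFORE (insecure): is_admin() is true for any request served from
// /wp-admin/, and that includes /wp-admin/admin-ajax.php, which any
// logged-in user (or, with the nopriv hook, any visitor) can call.
// It says nothing about the caller's role, so this check always passes
// for AJAX requests.
function hbt_run_benchmark_insecure() {
    if ( ! is_admin() ) {
        wp_die( 'Not allowed' ); // never reached from admin-ajax.php
    }
    $config = isset( $_POST['config'] ) ? $_POST['config'] : ''; // unsanitized
    hbt_do_privileged_work( $config );
    wp_die();
}
add_action( 'wp_ajax_hbt_run_benchmark', 'hbt_run_benchmark_insecure' );
// Registering the nopriv hook as well makes the handler reachable
// without logging in at all.
add_action( 'wp_ajax_nopriv_hbt_run_benchmark', 'hbt_run_benchmark_insecure' );

// AFTER (hardened): check a capability for authorization, a nonce for
// CSRF protection, sanitize the input, and register only the
// authenticated hook. wp_ajax_* hooks still fire for every logged-in
// user, including Subscribers, so the capability check is essential.
function hbt_run_benchmark_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'hbt_run_benchmark', 'nonce' );

    $config = isset( $_POST['config'] )
        ? sanitize_text_field( wp_unslash( $_POST['config'] ) )
        : '';
    hbt_do_privileged_work( $config );
    wp_send_json_success();
}
add_action( 'wp_ajax_hbt_run_benchmark', 'hbt_run_benchmark_secure' );

// The admin page that triggers the request needs a matching nonce, which
// is handed to its script so it can be sent as the "nonce" POST field.
function hbt_enqueue_admin_script( $hook_suffix ) {
    if ( 'tools_page_hbt_benchmark' !== $hook_suffix ) { // hypothetical page hook
        return;
    }
    wp_enqueue_script( 'hbt-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hbt-admin', 'hbtAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hbt_run_benchmark' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hbt_enqueue_admin_script' );

// Placeholder for whatever privileged operation the plugin performs.
function hbt_do_privileged_work( $config ) {
    update_option( 'hbt_last_config', $config );
}
```

A quick way to confirm a handler is exposed is to log in as a Subscriber (or stay logged out if a nopriv hook is registered) and POST `action=hbt_run_benchmark` to `/wp-admin/admin-ajax.php`: with the insecure version the work runs, with the hardened version the request is rejected with a 403 before anything privileged happens.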
Catching Incomplete Fix of Shariff Wrapper
Last Tuesday, someone claimed to have found a vulnerability in the WordPress plugin Shariff Wrapper. As at least one of our customers was using the plugin, we checked whether there was an obvious serious vulnerability in it. We didn't see anything. We then kept an eye on the plugin to see whether a new version would be released. Last Friday, an update to the plugin was released that was supposed to address the issue.
Unfortunately, we found that while the new version tried to fix a vulnerability, the fix was incomplete. We reached out to the developer about that on Monday, but we have yet to receive a response and the vulnerability hasn't been fixed so far.
Other WordPress plugin vulnerability data providers, including Patchstack, Wordfence and WPScan, are claiming there was a less serious vulnerability and that it has been fixed. It's unclear what is going on there, as the original source for their claim refers to the same vulnerability we warned our customers about. That source, CleanTalk, is incorrectly saying the vulnerability is fixed. Making things more confusing, CleanTalk is claiming the vulnerability could lead to the takeover of an Administrator account, while those other providers are claiming that an Administrator would have to take the malicious action.
Catching Still Unresolved Vulnerability in FastDup
While looking into recent claims of vulnerabilities in the plugin FastDup, after we saw a hacker probing for usage of it, we found that the plugin still contained one of the previously discussed vulnerabilities. We have reached out to the developer about that, but still haven't heard back from them and the issue hasn't been resolved.
Catching Additional Insecure Code in All-In-One Security (AIOS)
While reviewing a couple of security fixes being made to the 1+ million install All-In-One Security (AIOS) plugin, we found that code related to the code being secured is still insecure. We reached out to the developer about that, and apparently it will be addressed in a future update to the plugin.
Clearing Up False Claims of Vulnerabilities in Cloudflare and Easy Digital Downloads
Something that doesn't make WordPress websites more secure is claiming that popular plugins contain vulnerabilities they don't contain. We looked into two such claims this week, as our customers are using the plugins. One involved the 200,000+ install Cloudflare plugin and the other the 50,000+ install Easy Digital Downloads plugin. With both of these, we not only checked whether a vulnerability was being fixed, but also made sure that the real, lesser security issues were properly addressed. That didn't fully happen with another vulnerability being addressed in the latest version of Easy Digital Downloads.
Plugin Security Scorecard Grade for Patchstack
Checked on March 5, 2025. See the issues causing the plugin to get less than an A+ grade.