23 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 23

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly that is with plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it to help you better understand what is going on and how signing up for our service can help expand that work.

This week, we again found that vulnerability fixes in popular plugins were incomplete or hadn’t been applied to all the plugins they needed to be. Some of those have now been addressed, some haven’t. You can sign up for a free trial of our service to see if you are using plugins that are known to be vulnerable. We currently have data on plugins with at least 8.2 million installs that are known to be vulnerable and still in the WordPress Plugin Directory.

Vulnerability in Some Plugins Using ThemeIsle SDK Fixed

While reviewing the security changes made in the latest version of a plugin used by at least one of our customers, we found that there was an updated version of the ThemeIsle SDK included, which fixed a settings change vulnerability. We also found another plugin used by at least one of our customers, the 200,000+ install Menu Icons, was still using an old version of that library that was vulnerable. Other plugins were also still using it. We contacted the developer about that and a new version of Menu Icons was released today to address that. Another plugin with 100,000+ installs, Templates Patterns Collection, was also updated today. Unfortunately, another plugin with 700,000+ installs, LightStart, that we mentioned still hasn’t been fixed.

The developer also confused us with another provider who was overstating the risk posed by the vulnerability.

Vulnerability Fixed in IP2Location Country Blocker

Earlier this week, the 20,000+ install IP2Location Country Blocker, which is also used by at least one of our customers, received an update to fix a vulnerability. The developer wasn’t very thorough, as we found two other locations in the code that were still vulnerable. One of them was almost identical to the fixed code. We got in touch with the developer and they promptly released an additional update to address that. There is still a small security issue that hasn’t been addressed.

Unfixed Vulnerability in Download Manager

The latest version of the 100,000+ install Download Manager was supposed to have fixed a vulnerability. In reviewing the change made, as that is also used by at least one of our customers, we found the fix was incomplete. We have reached out to the developer about that, but so far a full fix hasn’t been made.

Unfixed Vulnerability in Brave Conversion Engine

The latest version of the 20,000+ install Brave Conversion Engine was supposed to have fixed a vulnerability. In reviewing the change made, as that is also used by at least one of our customers, we found the fix was incomplete. We have reached out to the developer about that, but so far we haven’t received any response and the issue hasn’t been resolved.

The developer still hasn’t fully addressed a previous vulnerability that we had noticed hadn’t been fully fixed back in November.


Plugin Security Scorecard Grade for Brave Conversion Engine: F (checked on August 12, 2024)


Plugin Security Scorecard Grade for Download Manager: B+ (checked on July 31, 2024)