1+ Million Install WordPress Plugin Has Been Using an Outdated Known Insecure Version of a Library For Nearly 3 Years
Last year we created the Plugin Security Scorecard tool to help the WordPress community gain a better understanding of the security of plugins and, hopefully, to get better practices more widely implemented. As part of our work on that, we have been continuing to expand its capability to identify when plugins are using outdated and known insecure/vulnerable third-party libraries. That capability either doesn’t exist elsewhere in the community or isn’t being used. That is highlighted with a plugin that was checked through the tool today.
The plugin checked was the 1+ million install plugin SVG Support, which had several issues identified:
The first is the one of most concern. The plugin contains an outdated version of the svg-sanitizer library that has a known security issue, according to the developer of the library. The developer hasn’t provided any details of the issue, so we can’t determine its severity or whether the plugin uses the library in a way that makes this a vulnerability in the plugin. What does stand out is that their security advisory was released on Feb 12, 2022. That came out the same day the version that fixed this was released. The plugin is still using the previous version.
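The check described above, flagging a bundled library whose version predates the release that fixed a known issue, can be shown in code. The following is an added example and is not the Plugin Security Scorecard's own code. It works on an in-memory map of plugin file paths to contents (a real scanner would walk the unpacked plugin directory), reads each bundled composer.json, and compares the declared version against an advisory table. The advisory table, the version numbers in it, and the sample plugin tree are all constructed for the example; the page names svg-sanitizer but not the fixed release number, so that threshold is a placeholder. The example also handles the case a practitioner runs into most often: a bundled copy with no version field at all, which is reported for review rather than silently passed.

```python
"""Detect bundled third-party libraries whose version predates a known fix.

Added example, not the Plugin Security Scorecard's own code. It scans an
in-memory map of plugin file paths to contents and reports any composer.json
whose package name appears in an advisory table with a version older than
the one that contains the fix.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed advisory table: package name -> first version that contains the fix.
# PLACEHOLDER values: the real threshold must come from the library's own advisory.
KNOWN_FIXED: Dict[str, str] = {
    "enshrined/svg-sanitize": "1.0.0",   # placeholder, not the real fixed version
    "example/other-lib": "2.0.0",        # constructed second entry
}


@dataclass
class Finding:
    path: str
    library: str
    found_version: Optional[str]
    fixed_version: str
    status: str   # "outdated" or "unknown-version"


def parse_version(version: str) -> tuple:
    """Turn '0.14.1', 'v1.0' or '1.0.0-beta2' into a comparable 3-tuple of ints.

    Only the first three numeric components are used and pre-release suffixes
    are ignored, so a '-beta' of the fixed version counts as fixed (deliberately
    conservative). Missing components are padded with zeros.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def find_outdated_libraries(plugin_files: Dict[str, str],
                            advisories: Dict[str, str] = KNOWN_FIXED) -> List[Finding]:
    """Return one Finding per bundled library that is outdated or of unknown version."""
    findings: List[Finding] = []
    for path, content in plugin_files.items():
        # Composer metadata is the simplest place a bundled library declares itself.
        normalized = path.replace("\\", "/")
        if normalized != "composer.json" and not normalized.endswith("/composer.json"):
            continue
        try:
            meta = json.loads(content)
        except json.JSONDecodeError:
            continue   # not valid metadata; nothing to compare
        name = meta.get("name")
        if name not in advisories:
            continue
        fixed = advisories[name]
        version = meta.get("version")
        if version is None:
            # Bundled copies often strip the version field; flag for review, don't pass.
            findings.append(Finding(path, name, None, fixed, "unknown-version"))
        elif parse_version(version) < parse_version(fixed):
            findings.append(Finding(path, name, version, fixed, "outdated"))
    return findings


# Constructed sample plugin tree (paths relative to the plugin root).
SAMPLE_PLUGIN: Dict[str, str] = {
    "svg-support.php": "<?php // constructed stub, not the real plugin\n",
    "vendor/enshrined/svg-sanitize/composer.json": json.dumps(
        {"name": "enshrined/svg-sanitize", "version": "0.9.0"}),   # constructed version
    "vendor/example/other-lib/composer.json": json.dumps(
        {"name": "example/other-lib"}),                              # no version field
    "vendor/example/current-lib/composer.json": json.dumps(
        {"name": "example/current-lib", "version": "3.1.0"}),       # not in the table
}

if __name__ == "__main__":
    for f in find_outdated_libraries(SAMPLE_PLUGIN):
        shown = f.found_version or "?"
        print(f"{f.status}: {f.library} {shown} at {f.path} (fixed in {f.fixed_version})")
```

Run against the constructed tree, this reports the svg-sanitize copy as outdated and the version-less library as unknown, while the library that is not in the advisory table is ignored. Matching on composer.json alone is the weak point of this approach: a plugin author who copies only the library's source files leaves no version string behind, so a production scanner needs a second method such as fingerprinting known file contents.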
Our Plugin Security Scorecard also noted the out of date version of the library in use:
Checking the support forum on the WordPress Plugin Directory to see if someone had already brought this up, we found that there were multiple topics about security issues in the plugin, but this had gone unnoticed. That includes when the plugin was removed from the directory in July, apparently because of a claimed vulnerability in it. That the team running the plugin directory missed this isn’t exactly surprising, considering the known problems with properly vetting the security of plugins and their hostility to working with others to address that.
We notified the developer of the plugin’s usage of the outdated and insecure version of the svg-sanitizer library.