Plugin That Patchstack Is Claimed to Ensure Is Secure Contains an Additional Outdated Known Insecure Library
Last week we talked about two popular WordPress plugins that had been run through our Plugin Security Scorecard and identified as containing rather out-of-date versions of third-party libraries that, according to the libraries' developers, contained security issues. The libraries in question were different in the two plugins, but it turns out they also have another library in common, where both are using outdated known insecure versions. One of those is the 1+ million install SVG Support, where someone reported to the developer at the end of October that it was also using an outdated and known insecure version of the library DOMPurify. There still hasn’t been an update to the plugin to address that. More people have been reporting that issue. After seeing that, we started looking into adding a check for DOMPurify to our Plugin Security Checker. Through that, we found a couple of fairly popular plugins are also still using older versions that the developer of the library says are insecure.
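A check of the kind described above, as an added example that is not the Plugin Security Checker's own code: it looks for the version string DOMPurify leaves in its distributed files (the `/*! @license DOMPurify x.y.z` banner, which survives minification, and the `DOMPurify.version = 'x.y.z'` assignment in unminified builds) and flags any copy below a minimum version; the minimum version and the sample file contents are constructed placeholders, not values from this post.

```python
import re
from pathlib import Path

# Two fingerprints present in distributed copies of DOMPurify: the banner comment
# ("/*! @license DOMPurify 3.0.6 | ...") and the assignment DOMPurify.version = '3.0.6'.
VERSION_PATTERNS = [
    re.compile(r"@license DOMPurify (\d+\.\d+\.\d+)"),
    re.compile(r"DOMPurify\.version\s*=\s*['\"](\d+\.\d+\.\d+)['\"]"),
]

def parse_version(text):
    """'3.1.6' -> (3, 1, 6) so versions compare numerically ('10.0.0' > '9.9.9'), not as strings."""
    return tuple(int(part) for part in text.split("."))

def find_dompurify_versions(js_source):
    """Return the set of DOMPurify version strings embedded in one JavaScript file's text."""
    found = set()
    for pattern in VERSION_PATTERNS:
        found.update(pattern.findall(js_source))
    return found

def scan_sources(sources, minimum_version):
    """sources: {relative path: file text}. Returns (path, version, outdated) for each bundled copy."""
    floor = parse_version(minimum_version)
    results = []
    for path, text in sorted(sources.items()):
        for version in sorted(find_dompurify_versions(text)):
            results.append((path, version, parse_version(version) < floor))
    return results

def scan_plugin_dir(root, minimum_version):
    """Read every .js file under an unpacked plugin directory and run scan_sources on them."""
    root = Path(root)
    sources = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
               for p in root.rglob("*.js") if p.is_file()}
    return scan_sources(sources, minimum_version)

if __name__ == "__main__":
    # Constructed sample files standing in for a plugin's bundled assets. The minimum
    # version is a placeholder; take the real floor from the library's release notes.
    SAMPLE = {
        "assets/js/purify.min.js": "/*! @license DOMPurify 2.3.0 | (c) Cure53 ... */",
        "assets/js/editor.js": "DOMPurify.version = '3.1.7';\nvar clean = DOMPurify.sanitize(html);",
    }
    for path, version, outdated in scan_sources(SAMPLE, "3.1.7"):
        print(f"{path}: DOMPurify {version} {'OUTDATED' if outdated else 'ok'}")
```

Run `scan_plugin_dir("/path/to/unpacked-plugin", "<minimum version>")` against a plugin's extracted ZIP to get the same per-file report for a real plugin.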
We contacted the developer of one of those yesterday to let them know about the problem. The version they are using is subject to issues that were publicly disclosed by the developer of the library in September and October. There are not any topics on the support forum for the plugin about that, which is interesting considering the other plugin had multiple people report it to the developer.
While other popular plugins using the library have updated by now, there was a second popular plugin using a known insecure version. It was the other plugin we mentioned last week, the 300,000+ install FluentSMTP. We covered it last week after not getting any response from the developer in the week after letting them know about the other outdated known insecure library. There still hasn’t been a response or an update to address that issue.
As we noted in our previous post, the developer of the plugin is claiming that they have a “dedicated security partner to ensure FluentSMTP won’t make your website vulnerable.” That partner is Patchstack. Whether Patchstack agrees with that claim or not is unclear. But what is clear is that they are not doing that. Rerunning the plugin through our Plugin Security Scorecard now flags two issues from DOMPurify in addition to the one from the other library.
The big takeaway from this is that unfortunately you can’t trust claims made by plugin developers about their handling of security. They can, and far too often do, make claims about their handling of security that are not true and that they might know to be false.
Security providers could work to counter this, as we do in various ways, including our Plugin Security Scorecard. Or they could, like Patchstack, collaborate with irresponsible plugin developers to profit off of continued poor handling of security.