Developer of 1+ Million Install WordPress Plugin Warned Multiple Times of Known Vulnerable Library in Plugin and Still Hasn’t Addressed It
Yesterday, we covered our finding that the 1+ million install WordPress plugin WP File Manager contains a known vulnerable version of the JavaScript library jQuery UI. While following up on another element of that situation, we found that the developer of the plugin had been publicly warned about this twice in the past. The developer responded both times that they would address it, and then didn’t. That also means they knew about the problem with another library and didn’t warn that library’s developer about it.
The first notification was in April 2023 and the response from the developer then was:
We wanted to take a moment to express our sincere gratitude for bringing to our attention the bug you recently discovered in our plugin and we truly appreciate your time and effort in identifying this issue.
This has allowed us to make necessary changes and improvements to our plugin. We will release an update within a few days.
As we noted in yesterday’s post, the reason the plugin contains the jQuery UI library is that it is part of the elFinder file manager library that the plugin uses to provide the file manager. The date the plugin developer was notified is important, as elFinder had used a known vulnerable version of jQuery from October 2021 to December 2023. If the developer of the plugin had notified the developer of elFinder of the issue after being notified themselves, the issue might have been addressed sooner.
The developer was again notified of the issue in June, and they responded in part this way:
We have added this issue to our pipeline and will address it as soon as possible.
There have been three new releases since that response and the issue still hasn’t been addressed.
As we noted yesterday, the plugin also still contains a minor vulnerability that we warned the developer a year ago they had incompletely fixed. And as we also noted yesterday, we have been warning against using plugins from this developer since May 2022 because of their repeated poor handling of security. That recommendation looks better and better.