CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While Their Security Plugin Contains Known Vulnerable Library
Last week we posted about the three most popular file manager plugins containing a vulnerable version of the jQuery UI library. The inclusion of the vulnerable version of that library was detected by our Plugin Security Scorecard. None of those plugins have been updated to address that yet, despite us notifying the developers a week ago. Over the weekend, another plugin was checked through the tool and identified as containing a vulnerable version of that library. Incredibly, it is a security plugin, Security & Malware scan by CleanTalk:
That isn’t the only issue, as the tool also identified that the plugin is misusing a PHP security function, so that function doesn’t provide any security.
Getting back to jQuery UI, the vulnerability was disclosed by the developer in July 2022 and yet over two years later, this security plugin still contains a vulnerable version of the library.
Not only is this a security plugin, but the author, CleanTalk, is trying to get other plugin developers to pay them for security certifications:
One of the things they claim to check for are “Insecure Dependencies:”
Using a vulnerable version of jQuery UI, like they are doing with their own plugin, would be an insecure dependency.
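The check that catches this is simple enough that any plugin developer could run it before release. The following is an added example, written for this post and not code from the Plugin Security Scorecard or from CleanTalk: it walks a plugin's directory, recognises bundled copies of jQuery UI from the version banner or the `$.ui.version` assignment inside the file, and flags anything below the first release that shipped the July 2022 fixes. That release is assumed here to be 1.13.2; the sample plugin tree at the bottom is constructed for the demonstration.

```python
"""Flag bundled copies of jQuery UI in a WordPress plugin tree that predate the July 2022 fixes."""
import os
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption (not stated in the article): the July 2022 fixes first shipped in jQuery UI 1.13.2.
FIRST_FIXED_VERSION: Version = (1, 13, 2)

# Banner at the top of jquery-ui.js / jquery-ui.min.js, e.g. "/*! jQuery UI - v1.13.1 - 2022-01-20"
_BANNER = re.compile(r"jQuery UI\s*-\s*v(\d+)\.(\d+)\.(\d+)")
# Runtime version assignment inside the library, e.g. 'var version = $.ui.version = "1.13.1";'
_ASSIGN = re.compile(r"\$\.ui\.version\s*=\s*\"(\d+)\.(\d+)\.(\d+)\"")


def jquery_ui_version(source: str) -> Optional[Version]:
    """Return the jQuery UI version declared in a JavaScript file, or None if it is not jQuery UI."""
    for pattern in (_BANNER, _ASSIGN):
        m = pattern.search(source)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def is_vulnerable(version: Version, first_fixed: Version = FIRST_FIXED_VERSION) -> bool:
    """Anything older than the first fixed release still carries the disclosed flaws."""
    return version < first_fixed


def scan_files(files: Dict[str, str], first_fixed: Version = FIRST_FIXED_VERSION) -> Dict[str, Tuple[Version, bool]]:
    """Map each .js file that contains jQuery UI to (version, vulnerable?)."""
    findings: Dict[str, Tuple[Version, bool]] = {}
    for path, source in files.items():
        if not path.endswith(".js"):
            continue
        version = jquery_ui_version(source)
        if version is not None:
            findings[path] = (version, is_vulnerable(version, first_fixed))
    return findings


def scan_directory(root: str, first_fixed: Version = FIRST_FIXED_VERSION) -> Dict[str, Tuple[Version, bool]]:
    """Walk an extracted plugin directory (e.g. wp-content/plugins/<slug>) and scan its .js files."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return scan_files(files, first_fixed)


# Constructed sample plugin tree (hypothetical, not CleanTalk's code):
# one stale bundled copy, one current copy, and one unrelated script.
SAMPLE_PLUGIN: Dict[str, str] = {
    "js/jquery-ui.min.js": "/*! jQuery UI - v1.12.1 - 2016-09-14\n * http://jqueryui.com\n */!function(e){}",
    "js/vendor/jquery-ui.js": '(function($){\n$.ui = $.ui || {};\nvar version = $.ui.version = "1.13.2";\n})(jQuery);',
    "js/admin.js": "jQuery(function($){ $('#scan').on('click', runScan); });",
}


if __name__ == "__main__":
    for path, (version, vulnerable) in scan_files(SAMPLE_PLUGIN).items():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{path}: jQuery UI {'.'.join(map(str, version))} [{status}]")
```

Run it against a real plugin with `scan_directory("/path/to/wp-content/plugins/<slug>")`. Matching on the library's own version markers rather than on file names matters because bundled copies are often renamed, concatenated into a vendor bundle, or minified; a name-based check would miss exactly the copies that linger for years.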
None of this should come as a surprise, based on what we found last August when we vetted their security reviews.