WordPress Plugin Review Team Failing to Enforce Rule, Which is Leading to Popular Plugins Containing Vulnerable Libraries
As part of our work to expand the ability of our Plugin Security Scorecard to identify security issues in WordPress plugins, we have been increasing the number of third-party libraries it can detect in WordPress plugins and incorporating information on vulnerabilities the developers of those libraries have disclosed. One place we have been doing that work is during security reviews of plugins. That led us to add detection for the jQuery UI library to the tool, with a warning if a plugin contains a version affected by any of four vulnerabilities the developer has disclosed in older versions. In recent weeks, we have published several posts that partially focused on WordPress plugins using known vulnerable versions of the library. Those situations don’t paint a pretty picture when it comes to plugins’ usage of third-party libraries.
Three of the most popular file manager plugins also contain a vulnerable version of the library, including one with a million or more installs. The usage of a vulnerable version is in turn caused by the developers’ failure to update the file manager library that those plugins are built on.
A security plugin also contains a vulnerable version of the library, despite the developer claiming to test plugins, including their own, to ensure they don’t contain insecure dependencies.
Plugins Are Not Supposed to Contain jQuery UI
It turns out that none of those plugins are even supposed to contain that library, because plugins in the WordPress plugin directory are not supposed to include a library that already ships with WordPress:
13. Plugins must use WordPress’ default libraries.
WordPress includes a number of useful libraries, such as jQuery, Atom Lib, SimplePie, PHPMailer, PHPass, and more. For security and stability reasons plugins may not include those libraries in their own code. Instead plugins must use the versions of those libraries packaged with WordPress.
For a list of all javascript libraries included in WordPress, please review Default Scripts Included and Registered by WordPress.
On the linked page, jQuery UI is one of the libraries listed as being included in WordPress. The version of jQuery UI listed there is a vulnerable version. That information isn’t accurate, which we will probably have more about in another post.
So these plugins shouldn’t include the library, but they do. It would be easy for the Plugin Review Team to detect this if they wanted to. It is hard to understand how the rule exists, yet the team hasn’t implemented a system to enforce it. They have had plenty of time, as the rule was added in January 2017. The Plugin Check (PCP) plugin, which comes from WordPress and is described as “a tool for testing whether your plugin meets the required standards for the WordPress.org plugin directory,” doesn’t check whether the library is included in plugins either.
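To show how little it takes to enforce the rule, here is an added example scanner (our own illustration, not code from the Plugin Review Team, Plugin Check or the Scorecard). It walks a plugin directory and reports every JavaScript file carrying the banner that distributed jQuery UI files begin with; any hit at all breaks rule 13, and an optional version threshold (an assumption the reader sets from the jQuery UI changelog, not supplied here) additionally flags outdated copies. The sample plugin layout is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Banner at the top of every distributed jQuery UI file, e.g.
# "/*! jQuery UI - v1.12.1 - 2016-09-14". Only the version is captured.
JQUERY_UI_BANNER = re.compile(r"jQuery UI - v(\d+\.\d+\.\d+)")


def parse_version(text):
    """'1.12.1' -> (1, 12, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_jquery_ui(plugin_dir, min_safe_version=None):
    """Walk a plugin tree and report every .js file carrying the jQuery UI banner.

    Returns a list of (relative_path, version, outdated) tuples. Any hit at all
    violates directory rule 13 (plugins must use the copy WordPress registers).
    `outdated` is True when the copy is older than min_safe_version; that
    threshold is an assumption the caller supplies, not a value from this post.
    """
    root = Path(plugin_dir)
    threshold = parse_version(min_safe_version) if min_safe_version else None
    findings = []
    for path in sorted(root.rglob("*.js")):
        head = path.read_text(encoding="utf-8", errors="ignore")[:4096]
        match = JQUERY_UI_BANNER.search(head)
        if match:
            version = match.group(1)
            outdated = threshold is not None and parse_version(version) < threshold
            findings.append((path.relative_to(root).as_posix(), version, outdated))
    return findings


def make_sample_plugin():
    """Write a constructed plugin layout into a temp dir: one bundled jQuery UI
    file (banner in the real distributed format) and one unrelated script."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugin-"))
    (root / "assets" / "js").mkdir(parents=True)
    (root / "assets" / "js" / "jquery-ui.min.js").write_text(
        "/*! jQuery UI - v1.12.1 - 2016-09-14\n * http://jqueryui.com\n */\n"
        "(function(a){a.ui=a.ui||{}})(jQuery);\n")
    (root / "assets" / "js" / "admin.js").write_text(
        "jQuery(function($){ $('.notice').hide(); });\n")
    return root


if __name__ == "__main__":
    # "1.13.0" below is a constructed threshold for the demo, not a recommendation.
    for rel, ver, old in find_bundled_jquery_ui(make_sample_plugin(), "1.13.0"):
        print(f"{rel}: bundles jQuery UI {ver}{' (older than threshold)' if old else ''}")
```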
Not The Only Library This is An Issue With
We have now updated the Plugin Security Scorecard to warn about inclusion of jQuery UI (in addition to warning if a vulnerable version is being used). We are in the process of adding checks for the other libraries included in WordPress. One of those is Thickbox. Among the plugins that include it is NextGEN Gallery, with 400,000 or more installs. That plugin comes from Awesome Motive, whose chief security officer, Chris Christoff, is the Security Reviewer on the Plugin Review Team.