18 Mar 2025

WordPress Plugin Developer Security Advisory: CleanTalk

One of the little-understood realities of WordPress plugin security is that insecurity is not evenly spread across plugins. Many developers properly secure their plugins, and others get them properly secured once alerted that they haven’t. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who have introduced new serious vulnerabilities substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms: through the companion plugin for our service (even when not using the service), through a web browser extension, and through separate data accessible from our website.

The latest addition to our advisories involves a developer, CleanTalk, who is a security provider. Not only a security provider, but one that claims to be doing thorough security testing of plugins before issuing what they claim is a prestigious security certification. They have issued certifications for their own plugins even though the certified versions contained vulnerabilities and other security issues that their testing is supposed to catch.

Certification and Then Exploitable Vulnerability Disclosed

On August 1 of last year, CleanTalk issued a Plugin Security Certification for their Spam protection, Anti-Spam, FireWall by CleanTalk. In November, it was disclosed that the plugin had contained a serious vulnerability. That vulnerability existed in the version that CleanTalk claimed to have done their testing on. CleanTalk had not disclosed it in the plugin’s changelog when the vulnerability was fixed.

On September 17, they issued a Plugin Security Certification for their Security & Malware scan by CleanTalk. In February, it was disclosed that the plugin had contained a serious vulnerability. That vulnerability existed in the version that CleanTalk claimed to have done their testing on. CleanTalk had not disclosed it in the plugin’s changelog when the vulnerability was fixed.

In both cases, we saw what appeared to be hackers looking to exploit the vulnerabilities after they were disclosed.

You would reasonably expect that series of events to lead to serious soul searching at the company. Instead, they have continued to leave their plugins insecure and continued to issue these bogus security certifications. The latest one was issued today.

Claimed Security Testing Isn’t Happening

Less than a week after they issued the certification for the first of their plugins, we published a post detailing what we found when we vetted the security testing they were claiming to do. One issue we noted was that they claimed to test for buffer overflows, an issue that can’t even happen in WordPress plugins. Either they don’t understand what they are claiming to test for at all, or they are assuming that no one else will. We also found that their plugin was insecure, and that insecurity led to a vulnerability. Other plugins they certified also appeared to be at least insecure.

No Response to Being Notified of Vulnerable Library

Two weeks ago, we published a post about their other plugin containing a third-party library that had been publicly known to be vulnerable since July 2022. One of the tests they claim to do as part of the certification is for insecure dependencies, and the inclusion of that vulnerable library is exactly that. The vulnerable library was in the version of the plugin that they claimed they tested, so it should have been dealt with by now.

Before publishing, we reached out to CleanTalk to notify them of that. Their plugins lack a security file that would provide information on how best to report security issues, and their website doesn’t include a security.txt file either, so we used the general email address they provide. In the two weeks since then, we have yet to receive a response, and the vulnerable library remains in the plugin.

Avoid CleanTalk’s Plugins

Hopefully, we shouldn’t have to tell you to avoid plugins from CleanTalk after what you just read, but we recommend avoiding their plugins unless they can show that they have made significant changes to their handling of security.
