600k WordPress Backup Plugin Claiming to Be “Easiest Way to Protect Your Website” Contains Decade Out of Date Insecure Library
Earlier this week someone checked the 600,000+ install WordPress plugin BackWPup through our Plugin Security Scorecard. That flagged a variety of issues, including code that isn’t properly secured against reflected cross-site scripting, security functions used in a way that provides no protection, and usage of an outdated version of a third-party library that contains five developer-disclosed security issues:
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “CURLOPT_HTTPAUTH option not cleared on change of origin”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Change in port should be considered a change in origin”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Failure to strip the Cookie header on change in host or HTTP downgrade”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Fix failure to strip Authorization header on HTTP downgrade”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Cross-domain cookie leakage”. The plugin could be vulnerable due to that.
- User input is being directly output, which could lead to reflected cross-site scripting (XSS).
- The function filter_var() is used without a filter, so it doesn’t do any filtering.
- The PHP function filter_input() is used without a filter, so it doesn’t do any filtering.
- Base64 obfuscated content detected.
- The plugin doesn’t contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
- The plugin isn’t listing in a security.txt file where the results of a security review that has been done of the plugin can be found. A well done security review would provide a good measure of the security of the plugin at the time it was done.
- The plugin isn’t listing in a security.txt file where a software bill of materials (SBOM), which provides information on what third-party software is included in the plugin, can be found. That limits the ability to assess the security of that third-party software.
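The two filter_var()/filter_input() items and the reflected XSS item above describe the same underlying mistake: calling a "filter" function without telling it what to filter. The following is an added example written for this post, not code taken from BackWPup; the input value and the `page` parameter name are constructed for illustration. It shows that a filter-less call returns the input unchanged, beside a version that validates the value and escapes it at the point of output.

```php
<?php
// Added example (not the plugin's code): why filter_var()/filter_input()
// with no filter argument provide no protection, and what a corrected
// version looks like.

// Constructed sample input, standing in for a request parameter.
$untrusted = '<script>alert(1)</script>';

// filter_var() without a filter uses FILTER_DEFAULT, which is FILTER_UNSAFE_RAW:
// the string comes back exactly as it went in. filter_input(INPUT_GET, 'page')
// with no filter argument behaves the same way.
function render_weak(string $input): string {
    $page = filter_var($input);   // no filter => returned unchanged
    // Echoing it straight into HTML is a reflected XSS sink.
    return '<a href="?page=' . $page . '">' . $page . '</a>';
}

// Hardened: decide what shape the value is allowed to have, reject anything
// else, and escape for the HTML/attribute context at the point of output.
function render_hardened(string $input): string {
    $page = filter_var($input, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z0-9_-]{1,64}$/']]);
    if ($page === false) {
        $page = 'default';        // fall back to a known-good value
    }
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?page=' . $safe . '">' . $safe . '</a>';
}

var_dump(filter_var($untrusted) === $untrusted); // bool(true): nothing was filtered
echo render_weak($untrusted), PHP_EOL;           // script tag reflected verbatim
echo render_hardened($untrusted), PHP_EOL;       // rejected, renders "default"
```

Inside WordPress the output escaping step is normally done with the core helpers esc_html() and esc_attr(); the point is the same: a filter function only does something when it is given a filter, and escaping belongs at the output context.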
The oldest of those security issues in the library was disclosed in May 2022. So the developer hasn’t updated the library in at least 3 years. It turns out it is even longer than that, as the version in use is 3.8.1, which was superseded in March 2014.
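The five Guzzle issues listed above are all instances of one missing rule in a redirect-following HTTP client: credentials attached to a request must not be reused when the redirect target is a different origin. The following is an added example written for this post, not Guzzle's code and not the plugin's; the URLs, header values and curl options are constructed. It defines "origin" as scheme, host and effective port, so that a port change and an https-to-http downgrade both count, and drops the Authorization header, the Cookie header and curl's own auth options when the origin changes.

```php
<?php
// Added example (not Guzzle's code): the origin rule a redirect-following
// client needs so that credentials do not follow a redirect to another origin.

// Reduce a URL to its origin: scheme, host and effective port (80/443 when
// no explicit port is given), so that "https://h" and "https://h:443" match.
function origin_of(string $url): array {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Cannot parse URL: $url");
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$scheme, strtolower($p['host']), $port];
}

// True when host, port or scheme differs. A scheme change covers the
// https -> http downgrade case; a port change is a change of origin too.
function credentials_must_be_dropped(string $from, string $to): bool {
    [$fs, $fh, $fp] = origin_of($from);
    [$ts, $th, $tp] = origin_of($to);
    return $fh !== $th || $fp !== $tp || $fs !== $ts;
}

// Produce the headers and curl options for the redirected request.
function headers_for_redirect(array $headers, array $curlOpts, string $from, string $to): array {
    if (credentials_must_be_dropped($from, $to)) {
        foreach (array_keys($headers) as $name) {
            if (in_array(strtolower($name), ['authorization', 'cookie'], true)) {
                unset($headers[$name]);       // do not leak tokens or cookies
            }
        }
        // curl resends credentials configured via CURLOPT_HTTPAUTH/CURLOPT_USERPWD
        // unless they are cleared as well.
        unset($curlOpts[CURLOPT_HTTPAUTH], $curlOpts[CURLOPT_USERPWD]);
    }
    return [$headers, $curlOpts];
}

// Constructed sample: an authenticated request receives various redirects.
$headers = ['Authorization' => 'Bearer constructed-token', 'Cookie' => 'session=abc', 'Accept' => '*/*'];
$opts    = [CURLOPT_HTTPAUTH => CURLAUTH_BASIC, CURLOPT_USERPWD => 'user:constructed-pw'];
$cases = [
    ['https://api.example.com/a', 'https://api.example.com/b'],      // same origin: keep
    ['https://api.example.com/a', 'https://api.example.com:8443/b'], // port change: drop
    ['https://api.example.com/a', 'http://api.example.com/b'],       // downgrade: drop
    ['https://api.example.com/a', 'https://other.example.net/b'],    // host change: drop
];
foreach ($cases as [$from, $to]) {
    [$h, $o] = headers_for_redirect($headers, $opts, $from, $to);
    $kept = isset($h['Authorization']) || isset($h['Cookie']) || isset($o[CURLOPT_HTTPAUTH]);
    printf("%-36s -> %s\n", $to, $kept ? 'credentials kept' : 'credentials dropped');
}
```

The comparison is deliberately strict: anything other than an identical scheme, host and effective port is treated as a new origin. That is the behaviour the fixed Guzzle releases adopted and the behaviour a plugin shipping its own HTTP client, or a ten-year-old copy of someone else's, needs to have.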
The plugin also contains the Swift Mailer library, which, according to the developer, stopped being maintained in November 2021.
The banner image for the plugin on the WordPress Plugin Directory claims it is “The Easiest Way to Protect your Website”.
We notified the developer of the issue with the libraries and we got this response:
We are already working on optimizing how we use the library. I have added your comments to the report as an inspiration for our developers.
It’s unclear how many years they have needed additional inspiration to address that.
The plugin isn’t alone among WordPress backup plugins receiving an F grade from the tool, as five additional backup plugins currently have that grade. For those looking for a more secure option, you can see the grades for checked plugins here. For those looking for a plugin that provides proactive protection, they can check out our comparison of firewall plugins.