Closures of Very Popular WordPress Plugins, Week of July 12
While we are already far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability in a plugin was exploited, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring whether any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether the closure looks to have been due to a vulnerability.
This week four of those plugins were closed and three have not been reopened.
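As an added example of the monitoring loop described above (this is not code from the post or from the Plugin Vulnerabilities service), the Python script below keeps a snapshot of slug-to-version for a watched list of plugins and, on each run, buckets every plugin as closed, updated or unchanged. It assumes the WordPress.org plugin info API at https://api.wordpress.org/plugins/info/1.2/ answers action=plugin_information&request[slug]=<slug> with a JSON record for an open plugin and an object carrying an "error" key for a closed or removed one; the slugs, versions and responses embedded in it are constructed so that it runs offline, and the live lookup path is an assumption about that API rather than something the post documents.

```python
"""Watch a list of popular plugin slugs for closures on the Plugin Directory.

Added example, not code from the post or from the Plugin Vulnerabilities
service. Assumption: the WordPress.org plugin info API answers
action=plugin_information&request[slug]=<slug> with a JSON record for an
open plugin and an object with an "error" key for a closed/removed one.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

API = "https://api.wordpress.org/plugins/info/1.2/"  # assumed endpoint

# Constructed previous snapshot: slug -> version seen on the last run.
# The slugs are placeholders, not the real plugins' slugs.
PREVIOUS_SNAPSHOT: Dict[str, str] = {
    "example-maps": "8.0.19",
    "example-child-theme": "1.5",
    "example-nofollow": "1.3.2",
    "example-share-icons": "2.4.1",
}

# Constructed API responses standing in for the live service when offline.
CONSTRUCTED_RESPONSES: Dict[str, dict] = {
    # reopened with a new version after a closure
    "example-maps": {"slug": "example-maps", "version": "8.0.20"},
    # closed plugins come back as an error object instead of a record
    "example-child-theme": {"error": "closed", "slug": "example-child-theme"},
    "example-nofollow": {"error": "closed", "slug": "example-nofollow"},
    # still open, nothing changed
    "example-share-icons": {"slug": "example-share-icons", "version": "2.4.1"},
}


def fetch_plugin_info(slug: str, responses: Optional[Dict[str, dict]] = None) -> dict:
    """Return the plugin_information record for slug.

    With `responses` given, the canned (constructed) answers are used so the
    script runs offline; otherwise the assumed live API is queried.
    """
    if responses is not None:
        return responses.get(slug, {"error": "not found", "slug": slug})
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API}?{query}", timeout=30) as resp:
        return json.load(resp)


def classify(previous: Dict[str, str], responses: Optional[Dict[str, dict]] = None) -> Dict[str, list]:
    """Compare the last snapshot against the directory and bucket each plugin."""
    report: Dict[str, list] = {"closed": [], "updated": [], "unchanged": []}
    for slug, old_version in previous.items():
        info = fetch_plugin_info(slug, responses)
        if "error" in info or "version" not in info:
            report["closed"].append(slug)          # candidate for a security review
        elif info["version"] != old_version:
            report["updated"].append((slug, old_version, info["version"]))
        else:
            report["unchanged"].append(slug)
    return report


def next_snapshot(previous: Dict[str, str], report: Dict[str, list]) -> Dict[str, str]:
    """Build the snapshot for the next run.

    Closed plugins keep their last-seen version, so a later reopen that ships
    a new version shows up as "updated" (the fix-after-closure signal the post
    describes) instead of silently resetting the baseline.
    """
    updated = dict(previous)
    for slug, _old, new in report["updated"]:
        updated[slug] = new
    return updated


if __name__ == "__main__":
    r = classify(PREVIOUS_SNAPSHOT, CONSTRUCTED_RESPONSES)
    for slug in r["closed"]:
        print(f"CLOSED  {slug}: review the last released version for a security issue")
    for slug, old, new in r["updated"]:
        print(f"UPDATED {slug}: {old} -> {new}; diff the two versions for the fix")
    print("next snapshot:", next_snapshot(PREVIOUS_SNAPSHOT, r))
```

Run it daily against a stored snapshot; the closed bucket is the queue of plugins to look at before any fix appears, and an updated entry for a slug that was in the closed bucket on the previous run is the reopen-with-fix case worth diffing.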
WP Google Maps
The plugin WP Google Maps, which has 400,000+ installs, was closed last Friday. According to the developer, that was due to emails bouncing, which would have prevented them being informed of the closure. That makes the team running the Plugin Directory hiding the reason for the closure even more incomprehensible than usual. In a quick check over the plugin we found that it contained another authenticated persistent cross-site scripting (XSS) vulnerability.
The plugin was reopened on Sunday.
One-Click Child Theme
The plugin One-Click Child Theme, which has 70,000+ installs, was closed last Friday. No reason has been given for the closure. In a quick check over the plugin we didn’t see any obvious security issues in it.
Ultimate Nofollow
The plugin Ultimate Nofollow, which has 60,000+ installs, was closed last Friday. No reason has been given for the closure. In a quick check over the plugin we didn’t see any obvious security issues in it.
Ultimate Social Media PLUS (Social Share Icons & Social Share Buttons)
The plugin Ultimate Social Media PLUS (Social Share Icons & Social Share Buttons), which has 60,000+ installs, was closed today. No reason has been given for the closure. In a quick check over the plugin we didn’t see any obvious serious security issues in it, though we noticed multiple less serious vulnerabilities (which wasn’t exactly surprising).