16 Jan 2025

Developer of 1+ Million Install WordPress Plugin Hasn’t Addressed All Known Vulnerabilities Despite Making That Claim

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question is whether such a backward-looking determination is useful, or whether a developer’s past says nothing about their future. We ran across an example where the problem with a developer has continued. It also suggests that a developer who isn’t making sure to mark their plugins compatible with new WordPress versions might have additional issues. And finally, the situation is a reminder that you can’t rely on plugin developers to give you accurate information about the security of their plugins.

A post from earlier this month on the support forum of the 1+ million install plugin WP File Manager asked about compatibility with WordPress 6.7. The plugin had not been marked as compatible with that version, despite it having been released in November. Someone from the developer responded that “Although the documentation currently lists compatibility up to WordPress 6.6.2, rest assured that the plugin has been tested and is fully functional with newer releases, including WordPress 6.7.1.” WordPress sends out an email ahead of new releases asking developers to test their plugins and then mark them compatible, so the failure to do that is somewhat concerning.

What stood out more, though, was that they claimed the plugin is secure and not known to be vulnerable: “We’ve already addressed all known vulnerabilities in WP File Manager. The latest version is secure and includes improvements to ensure smooth functionality.” In February of last year, we detected that a new release of the plugin had only incompletely fixed a vulnerability. We reached out to the developer, mndpsingh287, but all we got in response was what appeared to be a canned reply. The remaining portion of the vulnerability still hasn’t been addressed.

That isn’t all that surprising, considering that we had released an advisory warning about the developer’s poor handling of security in May 2022. That was based in part on issues that dated back years before that.

Plugin Security Scorecard Grade for WP File Manager: F (checked on February 21, 2025)
