Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 30
Our customers make it possible for us to help make WordPress plugins more secure, mostly plugins they use, but to a lesser extent other plugins as well. That work often goes unmentioned, so we are highlighting it here to give a better understanding of what is going on and of how signing up for our service can help expand that work.
Vulnerability That Went Unfixed for 9 Months in 2+ Million Install Plugin Fixed
Last week, we checked on an attempt to fix a vulnerability in the 2+ million install MC4WP: Mailchimp for WordPress and found that the developer had incorrectly fixed the instance of the issue they attempted to fix, and had failed to fix another instance entirely. That had happened 9 months ago. Unfortunately, other WordPress security providers who claim to have security experts that check over vulnerability claims either didn’t vet this or missed both of those issues. We checked on that attempted fix because at least one of our customers started using the plugin. We reached out to the developer and this week they fixed the issue.
If plugins you use are not being used by our existing customers, there are almost certainly vulnerabilities in them that were supposed to have been fixed, but haven’t. It is a good reason to start using the service.
Vulnerable Library in Security Plugin Updated
As we noted in March, the plugin Security & Malware scan by CleanTalk had contained a known vulnerable library for years. As the library is already included in WordPress, it is a violation of the WordPress Plugin Directory Guidelines to include it in a plugin. That guideline is in place for “security and stability reasons.” We notified them of that at the time. They got back to us this week to say that they have released an update that addresses that. Unfortunately, they updated the library instead of removing it, so part of the issue remains. We replied, letting them know that.
Vulnerable Library Updated
Someone checked the plugin Timber, which has 30,000+ installs, through our Plugin Security Scorecard and it flagged usage of an outdated and insecure third-party library. We then notified the developer of that and they released a new version of the plugin to address it. You can check the plugins you use through the scorecard to see if they are using known insecure libraries.