30 May 2025

Patchstack Now Withholding Misappropriated Information Needed to Secure Plugins in WordPress Plugin Directory From WordPress

Last week, we posted how WordPress had left a known vulnerable WordPress plugin with 100,000+ installs that is being targeted by a hacker in the WordPress Plugin Directory. The plugin continues to be in the plugin directory despite one of the Team Reps for the Plugins Team, David Perez, and the Senior Team member of the team, Samuel (Otto) Wood, being informed of that.

It turns out that there is another party partially responsible for the situation. It is a party that has already been engaged in unethical behavior and things have gotten worse now. [Read more]

23 May 2025

WordPress Plugin Submission Review Seems to Have Failed Badly With ConvertPro

Earlier this week the team running the WordPress Plugin Directory were touting how great things are going. They proclaimed that the “WordPress Ecosystem is Growing,” basing that on “plugin submissions hav[ing] doubled in 2025.” They didn’t mention how much usage those plugins have, which might have something to do with the pretty bleak numbers. A recently introduced plugin to the directory highlights that there are other problems that the team seems to be blind to with what they are responsible for.

Fake Install Count?

We are in the process of reviewing WordPress plugins used by our customers to see if they contain any third-party libraries we still need to add detection for to our Plugin Security Scorecard. That led us to come across the plugin ConvertPro. Or more accurately, one instance of it. The WordPress Plugin Directory listing for it seems rather odd. The plugin is at version 1.0.0 and has no reviews, yet it has 20,000+ installs: [Read more]

23 May 2025

Long Overdue Security Review of WordPress Would Cost Only 0.25% of WP Engine’s Estimate of Cost of One WordPress Website

This week WordPress managed host WP Engine released “[i]nsights from a global study of 1,700+ digital leaders on the real costs of maintaining” websites. The study suggests, not surprisingly, that there is a lot of concern when it comes to security with usage of WordPress. We will have more on that in a separate post, but one figure included in their study highlighted how little it would cost to improve the security of WordPress.

WP Engine tabbed the total cost of one WordPress website at $2,408,789: [Read more]

22 May 2025

WordPress Hasn’t Addressed Hacker Targeted Plugin With 100,000+ Installs That Has Unfixed “Critical” Vulnerability

Yesterday, data we track showed that what was likely a hacker was probing for usage of the 100,000+ install WordPress plugin TI WooCommerce Wishlist, by requesting its readme.txt file. Why would a hacker be interested in the plugin? Presumably there shouldn’t be any publicly known unfixed vulnerabilities, as the plugin hasn’t been closed in the WordPress plugin directory:

[Read more]

21 May 2025

Is Brizy, Patchstack, or Both to Blame For Lack of Fix for Vulnerable WordPress Plugin With 80,000+ Installs After 8 Months?

While looking into an issue with the Brizy WordPress plugin, which has 80,000+ installs, we ran across a concerning security situation. The most recent support topic for the plugin is titled “Is this plugin abandoned?” and reads:

4 weeks without any update, Wordfence show a critical vulnerability and has not been made compatible with the latest WordPress 6.8 [Read more]

16 May 2025

Plugin Security Scorecard April Results

April was the ninth full month our Plugin Security Scorecard was available. A fair number of plugins were checked: a total of 77 plugins last month, 5 of which were security plugins.

The overall results were not great. Only one plugin got an A. No plugins got an A+ or B+. Those three grades require the developer of the plugin to be taking proactive measures with security, so most plugin developers are not taking measures to provide the best security. 16 of the plugins did get a B, which requires that they are avoiding unnecessary security issues. [Read more]

15 May 2025

600k WordPress Backup Plugin Claiming to Be “Easiest Way to Protect Your Website” Contains Decade Out of Date Insecure Library

Earlier this week someone checked the 600,000+ install WordPress plugin BackWPup through our Plugin Security Scorecard. That flagged a variety of issues including code that isn’t properly secured against reflected cross-site scripting, usage of security functions in a way that they provide no protection, and usage of an outdated version of a third-party library that contains five developer disclosed security issues:

The oldest of those security issues in the library was disclosed in May 2022. So the developer hasn’t updated the library in at least 3 years. It turns out it is even longer than that, as the version in use is 3.8.1, which was superseded in March 2014. [Read more]

14 May 2025

Hacker Already Targeting Plugin With Vulnerability Exposed by Wordfence Today Without Fix Being Available

Today, we have had two requests on our website checking if we were using a WordPress plugin by checking for the readme.txt file for it. The requests were for the path /wp-content/plugins/baiduseo/readme.txt. Those appeared to come from a hacker. Why would that be? Well, the plugin, SEO合集(支持百度/Google/Bing/头条推送), was closed on the WordPress plugin directory yesterday:

[Read more]