6 Jun 2025

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of June 6

Our customers provide us with the ability to help make WordPress plugins more secure, mostly with plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it to help explain what is going on and how signing up for our service can help expand that work.

Vulnerable Library Updated

Someone checked the plugin WP File Manager, which has 1+ million installs, through our Plugin Security Scorecard, and it flagged usage of an outdated and insecure third-party library. We notified the developer, and they have now released a new version of the plugin that addresses that. You can check plugins you use through the Scorecard to see if they are using known insecure libraries. [Read more]

30 May 2025

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 30


Vulnerability That Went Unfixed for 9 Months in 2+ Million Install Plugin Fixed

Last week, we checked on an attempt to fix a vulnerability in the 2+ million install MC4WP: Mailchimp for WordPress and found that the developer had incorrectly fixed the instance of the issue they attempted to fix, and had failed to fix another instance entirely. That attempted fix had been made 9 months ago. Unfortunately, other WordPress security providers who claim to have security experts that check over vulnerability claims either didn’t vet this or missed both of those issues. We checked on that attempted fix because at least one of our customers started using the plugin. We reached out to the developer, and this week they fixed the issue. [Read more]

23 May 2025

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 23


Missing Capabilities Check Addressed

Based on our proactive monitoring flagging an issue in an update of the BEAF plugin, which has 20,000+ installs, the developer addressed the lack of a capabilities check that could have allowed an attacker to change plugin settings and upload files. All plugins being used by our customers go through an extended version of that monitoring on a weekly basis. [Read more]

1 Mar 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of March 1


Vulnerability Fixed in Finale Lite

A couple of weeks ago we noted that a vulnerability in a plugin being targeted by a hacker hadn’t been fully fixed. We also found that another plugin from the same developer was not fixed at all. This week that second plugin, Finale Lite, was fixed enough to stop exploitation. It still isn’t fully secured, though. [Read more]

23 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 23


This week, we again found that vulnerability fixes in popular plugins were incomplete or hadn’t been applied to all the plugins that needed them. Some of those have now been addressed, some haven’t. You can sign up for a free trial of our service to see if you are using plugins that are known to be vulnerable. We currently have data on plugins with at least 8.2 million installs that are known to be vulnerable and are still in the WordPress Plugin Directory. [Read more]

16 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 16


Cross-Site Request Forgery (CSRF) Vulnerability Fixed in Formidable Forms

In January, we found that the developers of the 300,000+ install Formidable Forms had incompletely addressed a cross-site request forgery (CSRF) issue in the plugin. We found that because at least one of our customers was using the plugin and a new version had been released that suggested there might be a fix for that type of issue. Earlier this week, the developer released an update that fixed the remaining issue. [Read more]

9 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9


Vulnerability in WordPress Hosting Benchmark tool Partially Fixed

Last week, we reached out to the developer of the WordPress plugin WordPress Hosting Benchmark tool to let them know that an attempt to fix a vulnerability in their plugin had failed and that the vulnerability was more severe than they claimed. The misidentification of the issue looks to be caused in part by a competitor of ours, Patchstack, not properly reviewing a claim they received of a vulnerability in the plugin (which is a common occurrence). We looked into that because at least one of our customers was using the plugin. [Read more]