12 Sep 2024

Patchstack’s CEO Indirectly Admits Their Vulnerability Disclosure Program (VDP) is Unethical

Earlier this year, when we were trying to figure out how to contact the developer of the Kadence Blocks plugin, which is part of StellarWP, to alert them that they had failed to fix a vulnerability in the plugin, we found their website had a page titled, “Responsible Security Disclosure Policy for KadenceWP.” The first paragraph of the page starts out by saying, “it is a standard practice in security research to responsibly and privately disclose discovered vulnerabilities to the software vendor prior to public release. This is even more critical when we work together to protect users in an open source space such as the WordPress community.” That sounds reasonable enough. (Responsible disclosure isn’t necessarily all that responsible, but that is an issue for another day.)

From there, they offer to help get the contact information for developers whose solutions extend theirs: [Read more]

11 Sep 2024

WordPress Continues to Fail to Properly Address Malicious Code Loaded on Thousands of Websites

In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from an external website to be loaded onto the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]

10 Sep 2024

Positive Reviews of WordPress Security Plugin Are Contradicted by Falling Install Count

In June of last year, the WordPress security plugin Solid Security had 1+ million active installations according to data on the WordPress website. Currently, the install count is down to 800,000+ installs. That is a pretty dramatic drop in the install count of the plugin in 15 months. If the bolded claim at the top of the plugin’s description on the WordPress Plugin Directory, “Reduce your WordPress website’s risk to nearly zero with Solid Security”, were true, that drop would be hard to believe. That claim isn’t true.

With the install count dropping so dramatically, you might reasonably expect there to be plenty of negative reviews of the plugin as well. That isn’t the case. Here are the 30 most recent reviews: [Read more]

9 Sep 2024

WordPress Plugin Review Team Returns Another Known Vulnerable Plugin to Plugin Directory

We are now over a year into a largely new team running the WordPress Plugin Directory. On one key issue, the new team is failing just like the old team: allowing known vulnerable plugins back into the WordPress Plugin Directory without the vulnerability being fixed.

This time the plugin is OSM, which has 10,000+ installs. [Read more]

6 Sep 2024

WordPress Plugin Security Review: Download Monitor

For our 45th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Download Monitor.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. [Read more]

5 Sep 2024

WordPress Plugins With at Least 150,000+ Installs Using Versions of Third-Party Library With Recently Disclosed Security Vulnerabilities

As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That is already helping to identify WordPress plugins that are using libraries with known vulnerabilities. Earlier this week, we noted that a plugin with 600,000+ installs was still using a vulnerable version of a library 17 months after an update was released. In that situation, we found that the developer had not released a security advisory through the library’s GitHub project for the vulnerability. With another library, the developer recently released a couple of advisories, and we found that several fairly popular plugins are using an affected version of the library.

The library is PhpSpreadsheet, and the advisories were released on August 28. The plugins are all using version 1.x of the library, and an update for that was released on September 2. [Read more]

4 Sep 2024

It’s Very Common For Libraries Used in WordPress Plugins to Not Have a Security Policy on GitHub on How to Report Security Issues

Yesterday, we noted in a post that a third-party library used in a very popular WordPress plugin didn’t have any listed security advisories in its GitHub project, despite the developer having acknowledged that a vulnerability had been fixed. What we also noted in passing was that there also wasn’t a security policy provided for the library, which would explain how to report other security issues in the library. You can see that in this screenshot of the library’s Security tab on GitHub:

[Read more]

4 Sep 2024

WordPress Plugin Security Review: Profile Builder

For our 44th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Profile Builder.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. [Read more]

3 Sep 2024

Plugin Security Scorecard August Results

August was the first full month our Plugin Security Scorecard was available. A fair number of plugins were checked: a total of 144 plugins last month, 35 of which were security plugins.

As can be seen below, the results for security plugins were not good, with 24 of the 35 plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues, including vulnerabilities. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security, even when they are running into the problems that failure causes. Then there is the issue of plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true). [Read more]

3 Sep 2024

600,000+ Install WordPress Plugin MetaSlider Still Using Vulnerable Version of Library 17 Months Later

One of the expanding capabilities of our new Plugin Security Scorecard is the ability to identify software libraries included in WordPress plugins. From there, if there are known vulnerabilities in the libraries included in a plugin, that can be warned about when the plugin is graded. We can also go back and check whether previous checks identified plugins containing a vulnerable version of those libraries. As we found when adding a library to that checking last week, there is a need to better monitor this situation. That is because we found that a plugin with 600,000+ installs, MetaSlider, is still using a vulnerable version of the AppSero Client library. The vulnerability was fixed 17 months ago. We reached out to the developer of that plugin last week as well. They said a fix will be included in the next release of the plugin, which they said might come out this week. (It hasn’t as of us publishing this post.)

The situation highlights other areas where security could be improved. [Read more]