25 Apr 2025

Developers of Popular WordPress Security Plugins Make False Claim About Who Created Another Popular Plugin

Recently a change was made to the WordPress Plugin Directory that should shed more light on who is actually behind WordPress plugins. There are problems with that change, which led us to notice a clearly wrong claim about who created a WordPress plugin with 300,000 installs.

The even more popular Really Simple Security plugin, which has 4+ million installs, is listed in the Plugin Directory as being by Really Simple Plugins: [Read more]

24 Apr 2025

WordPress Security Plugin Claims to Detect Vulnerabilities in Plugins, but Doesn’t Have That Capability

In what is a very common theme with WordPress, we found that the developer of a security solution isn't being honest. In this case, the developer of a security plugin is claiming it detects vulnerabilities in plugins even though it clearly doesn't.

The plugin is Safe Sites and here are the relevant claims in the WordPress Plugin Directory listing for the plugin about checking for vulnerabilities: [Read more]

24 Apr 2025

WordPress Plugin Developer Security Advisory: StellarWP

One of the little understood realities of WordPress plugin security is that insecurity is not evenly spread across plugins. Many developers properly secure their plugins, and others get them properly secured once alerted that they haven't. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers' plugins. In addition to the posts on our website, we provide access to the advisories in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

23 Apr 2025

Developer of Really Simple Security WordPress Plugin Failed to Fully Address CSRF Vulnerability

In January, the developers of the 4+ million install WordPress plugin Really Simple Security vaguely disclosed they had attempted to fix a vulnerability in the plugin. That was done through one of the changelog entries for version 9.2.0, “Fix: Added nonce check to certificate re-check button.” That is a reference to addressing a cross-site request forgery (CSRF) vulnerability. Checking on that months later, we found that the fix had been incomplete and that competing vulnerability data sources had failed to properly vet this and claimed that the issue was fully addressed. That includes the data source used by Really Simple Security, so their own users have not been warned the plugin is still vulnerable.

Looking at the changes made in that version, the changelog references a change made in the file /class-admin.php. That code runs on the admin_init hook, which fires not only on wp-admin page loads but also on every request to admin-ajax.php, including requests from visitors who are not logged in, so the code is reachable by anyone: [Read more]
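To make concrete what an incomplete nonce check looks like in a handler hooked to admin_init, here is an added illustration. It is not the Really Simple Security plugin's code and does not claim to show its actual flaw; the function names, the example_recheck request parameter and nonce action, and the example_certificate_status option are all hypothetical. The first function shows a common incomplete pattern (nonce verified but its result ignored, and no capability check); the second shows the hardened form.

```php
<?php
// Added illustration, not the plugin's code. All names below are hypothetical.
//
// admin_init fires on every wp-admin page load AND on every request to
// admin-ajax.php, including requests from visitors who are not logged in,
// so anything hooked here must check both authorization and intent.

// Shown for contrast only (not hooked): an incomplete CSRF guard.
function example_recheck_certificate_incomplete() {
    if ( ! isset( $_GET['example_recheck'] ) ) {
        return;
    }
    // Incomplete: wp_verify_nonce() returns false on a bad nonce, but the
    // result is ignored, so a forged link still triggers the action.
    // There is also no capability check, so the path is not limited to
    // administrators in the first place.
    wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'example_recheck' );
    update_option( 'example_certificate_status', 'pending' );
}

// Hardened version: check who is asking, then check that they intended to.
add_action( 'admin_init', 'example_recheck_certificate_hardened' );

function example_recheck_certificate_hardened() {
    if ( ! isset( $_GET['example_recheck'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may trigger it.
    //    Unauthenticated admin-ajax.php requests stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF: check_admin_referer() verifies the nonce in $_REQUEST['_wpnonce']
    //    and calls wp_die() on failure, so there is no way to fall through
    //    on a missing, expired or forged nonce.
    check_admin_referer( 'example_recheck' );

    update_option( 'example_certificate_status', 'pending' );
}

// The button or link that triggers the action must carry a matching nonce,
// which wp_nonce_url() appends as _wpnonce for the same action string.
function example_recheck_link() {
    return wp_nonce_url(
        admin_url( 'options-general.php?page=example&example_recheck=1' ),
        'example_recheck'
    );
}
```

The order in the hardened function matters: the capability check runs first so that an unauthenticated request never reaches the nonce logic, and the nonce check uses a function that terminates on failure rather than one whose return value can be forgotten. Verifying a fix for a CSRF issue means confirming both that a nonce is generated for the triggering link and that every code path that performs the action refuses to proceed when the nonce is missing or invalid.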

22 Apr 2025

WordPress Plugin Security Review: Popup Builder

For our 47th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Popup Builder.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. [Read more]

21 Apr 2025

WordPress Plugin Security Review: WP Time Capsule

For our 46th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin WP Time Capsule.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. [Read more]

21 Apr 2025

It Doesn’t Look Like WordPress Has Had Proper Security Review Since at Least 2009

We focus on the security of WordPress plugins, so we haven't ventured much into the security of the core WordPress software. You would reasonably expect that others have. But what we found in even a cursory check suggests that either a proper security review of the software hasn't happened since at least the end of 2009 or the issues identified were not addressed.

Missing Security Hardening

Recently it was announced that WordPress was going to be paring down the number of new major releases. That seems to be caused by a combination of only Automattic seeming all that interested in the block editor (Gutenberg) and Automattic’s reduced involvement in WordPress. (Their reduced role could be because of their poor financial state or because the head of it (who is also the head of WordPress) is still trying to blackmail a competitor.) [Read more]

14 Apr 2025

Wordfence’s Unethical Behavior Caused Weeks Long Delay in Fix of Serious Vulnerability

Last week, once again, supposed security journalists and security provider Patchstack were spreading misinformation about a vulnerability in a WordPress plugin. They claimed a vulnerability had been exploited hours after it was disclosed. In reality, there were exploit attempts, but no evidence of any exploitation. And those attempts actually began a day or a week after the vulnerability was disclosed, depending on what you consider to be disclosure.

That a plugin from this developer had a vulnerability that would draw interest from hackers isn't a surprise, as the developer has a long track record of poor handling of security. We recommended not using their plugins in January 2024, unless they could show they had gotten a better handle on security. As we noted in January of this year, they clearly hadn't gotten a better handle on things by then. With this vulnerability, they did fix it the same day they were informed of it. Unfortunately, the vulnerability was fixed weeks after it should have been, because the notification happened weeks after it should have. That was because an unethical security provider paid the discoverer not to report it to the developer. [Read more]

9 Apr 2025

Plugin Security Scorecard March Results

March was the eighth full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 140 in total, 8 of them security plugins.

The overall results were not great. No plugins got an A+, A or B+. Those three grades require that the developer is taking proactive security measures, so most plugin developers are not taking measures to provide the best security. 36 of the plugins did get a B, which requires that they are avoiding unnecessary security issues. [Read more]