8 Apr 2025

WordPress Security Providers Failing to Warn About Vulnerability in Plugin Hacker Likely Targeting

Across various data we monitor we have been seeing what looks to be a hacker or hackers trying to find websites using the plugin Kubio Pro, by requesting this URL: /wp-content/plugins/kubio-pro/readme.txt. At first we were puzzled as to what might explain that. There isn’t a plugin on the WordPress Plugin Directory with the slug kubio-pro, so it is likely either a plugin made available somewhere else or a backdoor disguised as a plugin. We looked for any information on the web about a vulnerability in a plugin with that slug or the name Kubio Pro and came up with nothing. The same is true for competing data sources for information on vulnerabilities in WordPress plugins.

WPScan, owned by Automattic, serves a not found page for the URL that would contain data on vulnerabilities for a plugin with that slug: [Read more]

7 Apr 2025

Actual Accident Leads to Unfixed Vulnerability Hacker is Likely Trying to Exploit in WordPress Plugin

On Friday we looked at a vulnerability likely being exploited in a WordPress plugin, where there is a fix, but WordPress hasn’t made it available. Similar to that situation, over the weekend we had what appears to be a hacker probing for usage of the plugin Front End Users by requesting the readme.txt file for the plugin. As in that previous situation, the plugin is closed on the WordPress plugin directory:

[Read more]

4 Apr 2025

Hacker Probing for WordPress Plugin That Wordfence Exposed Critical Vulnerability in Without Making Sure Fix Is Available

Yesterday, we had what would appear to be a hacker probing for usage of the WordPress plugin Checkout Mestres WP on our website by requesting the readme.txt file for it like this:

/wp-content/plugins/checkout-mestres-wp/readme.txt [Read more]
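The three posts above describe the same reconnaissance pattern: a client requests /wp-content/plugins/&lt;slug&gt;/readme.txt to learn whether a plugin is installed (and, from the readme, which version). The following is an added example, not code from this site or from any of the plugins named, of how to pull that pattern out of a web server access log and separate a one-off readme fetch from a client walking through a list of slugs. The log lines are constructed for the example and use documentation-range IP addresses; the log format assumed is the common "combined" format that Apache and nginx write by default.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in the common "combined" format used by
# Apache and nginx. The three 404s are the kind of probe the posts describe;
# the IPs are documentation-range addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2025:02:11:05 +0000] "GET /wp-content/plugins/kubio-pro/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2025:02:11:06 +0000] "GET /wp-content/plugins/front-end-users/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2025:02:11:07 +0000] "GET /wp-content/plugins/checkout-mestres-wp/readme.txt?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Apr/2025:03:00:00 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Apr/2025:03:00:01 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
broken line that does not parse
"""

# One combined-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A plugin readme fetch. The slug character set mirrors what the WordPress
# plugin directory uses (letters, digits, hyphens); widen it if you need to.
PROBE_RE = re.compile(
    r'^/wp-content/plugins/(?P<slug>[A-Za-z0-9][A-Za-z0-9-]*)/readme\.txt$', re.I
)


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Drop any query string before matching the path.
    d["path"] = d["path"].split("?", 1)[0]
    return d


def find_readme_probes(log_text):
    """Every request for /wp-content/plugins/<slug>/readme.txt, in log order."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = PROBE_RE.match(rec["path"])
        if m:
            probes.append({"ip": rec["ip"], "ts": rec["ts"],
                           "slug": m.group("slug").lower(), "status": rec["status"]})
    return probes


def probing_clients(probes, min_slugs=2):
    """Clients that fetched readme.txt for at least min_slugs distinct plugins.

    A single readme fetch can be a crawler or a curious user; the same client
    walking through several plugin slugs is the scanning pattern to alert on.
    """
    slugs_by_ip = defaultdict(set)
    for p in probes:
        slugs_by_ip[p["ip"]].add(p["slug"])
    return {ip: sorted(s) for ip, s in slugs_by_ip.items() if len(s) >= min_slugs}


def unknown_slugs(probes, installed):
    """Slugs probed that are not installed here, sorted and de-duplicated.

    These are the ones worth cross-checking against vulnerability data: a slug
    that 404s on your site is still a hint about what the attacker expects to
    find exploitable somewhere.
    """
    installed = {s.lower() for s in installed}
    return sorted({p["slug"] for p in probes if p["slug"] not in installed})


if __name__ == "__main__":
    probes = find_readme_probes(SAMPLE_LOG)
    for ip, slugs in probing_clients(probes).items():
        print(f"{ip} probed {len(slugs)} plugins: {', '.join(slugs)}")
    print("not installed here:", unknown_slugs(probes, {"akismet"}))
```

Running it over a real log, the 404s are the useful part: a probed slug that is not installed costs you nothing, but a list of them tells you which plugins the scanner's operator believes are exploitable, which is exactly the list to check against your own installed plugins and vulnerability data.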

3 Apr 2025

6 WordPress Plugins With a Million or More Installs Still Using JavaScript Library That Was EOL’d at End of 2023

As we continue to expand the ability of our Plugin Security Scorecard to detect third-party libraries included with WordPress plugins, we continue to find that popular plugins are not handling their usage of those well. While preparing to notify a plugin developer that they were using a known insecure version of a library, we noticed another library in the plugin that we hadn’t yet added to the tool. That library is Vue.js. Version 2 of it reached end of life at the end of 2023, which means that if a vulnerability or lesser security issue were found, an update wouldn’t be released. (There is a scammy security provider claiming to provide further updates for it.)

While working on adding detection for the library, we found that 6 plugins with a million or more installs still contain version 2 of the library. All but one of them are not even using the latest release of version 2. The one that is, CookieYes, has a million installs and contains 2.7.16. [Read more]

18 Mar 2025

WordPress Plugin Developer Security Advisory: CleanTalk

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. With the latter group, among the issues we have seen are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

7 Mar 2025

WordPress Plugin Review Team Failing to Enforce Rule, Which is Leading to Popular Plugins Containing Vulnerable Libraries

As part of our work to expand the ability of our Plugin Security Scorecard to identify security issues in WordPress plugins, we have been increasing the number of third-party libraries it can detect being used in WordPress plugins and incorporating information on vulnerabilities the developers have disclosed in those. One place we have been doing that work is during security reviews of plugins. That led to us adding detection for the library jQuery UI to the tool and warning if plugins contain a version that has any of four vulnerabilities disclosed by the developer to have existed in older versions. In recent weeks, we have published several posts that partially focused on WordPress plugins that are using known vulnerable versions of the library. Those situations don’t paint a pretty picture when it comes to plugins’ usage of third-party libraries.

One of the plugins incorporated a vulnerable version of the library nearly 3 years after it was disclosed by the library’s developer to be vulnerable. [Read more]

4 Mar 2025

CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While Their Security Plugin Contains Known Vulnerable Library

Last week we posted about the three most popular file manager plugins containing a vulnerable version of the jQuery UI library. The inclusion of the vulnerable version of that library was detected by our Plugin Security Scorecard. None of those plugins have been updated to address that yet, despite us notifying the developers a week ago. Over the weekend, another plugin was checked through the tool and identified to contain a vulnerable version of that library. Incredibly, it is a security plugin, Security & Malware scan by CleanTalk:

[Read more]
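The Vue.js post above and the jQuery UI posts (7 Mar and 4 Mar) both come down to the same check: find a bundled copy of a library inside a plugin, read its version, and compare it against either an end-of-life line or a fixed version. As an added example, not this site's Plugin Security Scorecard code or anything from the plugins named, here is that check over a constructed set of file heads. The Vue 2 end-of-life date and 2.7.16 being its final release are taken from the post; the banner formats are an assumption about how the two libraries' distributed builds begin (verify against the copies you scan), and the jQuery UI threshold of 1.13.2 is this example's assumption for the first release that fixes all four developer-disclosed issues, so set it from the upstream advisories rather than trusting this constant.

```python
import re

# Constructed sample of what a scan of a plugin's JavaScript assets might see:
# path -> the first few hundred bytes of the file. The plugin paths are made up.
# Banner formats are assumed from the libraries' distributed builds; check them
# against your own copies before relying on the patterns.
SAMPLE_FILES = {
    "cookie-banner/assets/js/vue.min.js":
        "/*!\n * Vue.js v2.7.16\n * (c) 2014-2023 Evan You\n * Released under the MIT License.\n */",
    "legacy-forms/js/vue.js":
        "/*!\n * Vue.js v2.6.14\n * (c) 2014-2021 Evan You\n * Released under the MIT License.\n */",
    "new-blocks/js/vue.global.prod.js":
        "/**\n* vue v3.4.21\n* (c) 2018-present Yuxi (Evan) You and Vue contributors\n* @license MIT\n**/",
    "file-tools/lib/jquery-ui.min.js":
        "/*! jQuery UI - v1.12.1 - 2016-09-14\n* http://jqueryui.com\n",
    "file-tools/lib/jquery-ui-fixed.min.js":
        "/*! jQuery UI - v1.13.3 - 2024-04-29\n* https://jqueryui.com\n",
    "file-tools/lib/app.js":
        "(function(){ /* plugin code, no third-party banner */ })();",
}

# Vue 2 builds announce themselves as "Vue.js v2.x.y", Vue 3 builds as "vue v3.x.y".
VUE_RE = re.compile(r"\bvue(?:\.js)? v(\d+\.\d+\.\d+)", re.I)
JQUERY_UI_RE = re.compile(r"jQuery UI - v(\d+\.\d+\.\d+)")

# From the post: Vue 2 reached end of life at the end of 2023 and 2.7.16 is its
# final release. The jQuery UI threshold is this example's assumption: set it to
# the first release the developer's advisories say fixes all four issues.
VUE2_FINAL = (2, 7, 16)
JQUERY_UI_FIXED = (1, 13, 2)


def parse_version(text):
    """'2.7.16' -> (2, 7, 16), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def classify_vue(version):
    """EOL for any 2.x; also note when it is behind the final 2.x release."""
    if version[0] == 2:
        return "eol" if version >= VUE2_FINAL else "eol, outdated 2.x"
    return "supported"


def classify_jquery_ui(version):
    return "vulnerable" if version < JQUERY_UI_FIXED else "ok"


def identify(head):
    """Return (library, version) from a file's leading banner, or None."""
    m = VUE_RE.search(head)
    if m:
        return "Vue.js", parse_version(m.group(1))
    m = JQUERY_UI_RE.search(head)
    if m:
        return "jQuery UI", parse_version(m.group(1))
    return None


def scan_files(files):
    """Map each path with a recognised banner to {"library", "version", "status"}."""
    findings = {}
    for path, head in sorted(files.items()):
        ident = identify(head[:512])  # banners sit at the top; no need to read more
        if ident is None:
            continue
        lib, version = ident
        status = classify_vue(version) if lib == "Vue.js" else classify_jquery_ui(version)
        findings[path] = {"library": lib,
                          "version": ".".join(str(n) for n in version),
                          "status": status}
    return findings


if __name__ == "__main__":
    for path, f in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {f['library']} {f['version']} -> {f['status']}")
```

Two things in the design matter in practice. Versions are compared as integer tuples, because a string comparison puts 1.9.x after 1.13.x and would mark a vulnerable copy as fixed. And only the first 512 bytes of each file are inspected, which is enough for a banner and keeps a scan over a large plugin directory cheap; a plugin that strips banners when bundling will be missed by this approach and needs a content hash or file-name check instead.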

3 Mar 2025

Plugin Security Scorecard February Results

February was the seventh full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 86 in total last month, 4 of which were security plugins.

The overall results were not great. No plugins got an A+, A or B+. Those three grades require that the developer be taking proactive measures with security, so most plugin developers are not taking measures to provide the best security. 19 of the plugins did get a B, which requires that they are avoiding unnecessary security issues. [Read more]

26 Feb 2025

Developer of 1+ Million Install WordPress Plugin Warned Multiple Times of Known Vulnerable Library in Plugin and Still Hasn’t Addressed It

Yesterday, we covered our finding that the 1+ million install WordPress plugin WP File Manager contains a known vulnerable version of the JavaScript library jQuery UI. While following up on another element of that situation, we ran across the developer of the plugin having been warned publicly about that twice in the past. The developer responded both times that they would address it and then didn’t. That also means that they knew about the problem with another library and didn’t warn the developer of it.

The first notification was in April 2023 and the response from the developer then was: [Read more]