25 Feb 2025

Popular WordPress File Manager Plugins Contain Third-Party Library With Multiple Vulnerabilities

Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue the tool identified in each plugin was flagged for us to review: the plugins contained a known vulnerable library. What was curious was that each plugin was flagged for the exact same vulnerabilities in the same library. Here is the relevant part of the results for the 1+ million install WP File Manager:

[Read more]

21 Feb 2025

The Good and Bad of Unexplained Change to WordPress Plugin Directory That Exposes Owners of Plugins

Yesterday, the team running the WordPress Plugin Directory announced they had recently made a significant change to the directory. No explanation was given for why it was done, nor why it was done without warning or prior discussion. The change has some benefits, but also some apparent downsides. The change is to what is shown as the author of a plugin. Here is an example. The 400,000+ install plugin NextGEN Gallery used to be listed as being by Imagely:

[Read more]

20 Feb 2025

Backdoor Code Routes Malicious Actions Through WordPress REST API

Website hackers are not exactly known for their sophistication, despite the misleading portrayals put forward by too many security companies and security journalists. But sometimes malicious actors do things that are more sophisticated. In the latest instance we ran across, they also screwed up. Checking on a website today, we found visible code showing at the top of the website:

[Read more]

14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on one of our websites. The probing was done by requesting a file that would exist if the plugin were installed, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don't use that plugin on that website or any of our others. So what might explain a hacker's interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that could explain a hacker's interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. [Read more]
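The probe described above is ordinary plugin enumeration: request a plugin's readme.txt and let the status code say whether the plugin is installed. The following is an added example, not code from the original post, of picking such probes out of a web server access log. The log lines, the set of installed plugins and the use of the Apache/nginx "combined" log format are all constructed for illustration.

```python
"""Flag requests that probe for WordPress plugins by fetching /wp-content/plugins/<slug>/readme.txt.

Added example; the log lines and installed-plugin set below are constructed, not real data.
"""
import re

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A plugin's readme.txt is a cheap existence check: 200 means installed, 404 means not.
PROBE_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[A-Za-z0-9._-]+)/readme\.txt$')

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2025:10:02:11 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Feb/2025:10:02:12 +0000] "GET /wp-content/plugins/some-other-plugin/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Feb/2025:10:05:40 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Feb/2025:10:05:41 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt?ver=5 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
]
# Constructed: the plugins actually installed on the site being checked.
INSTALLED = {"contact-form-7"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_probes(log_lines, installed):
    """Return one record per readme.txt request.

    'present' records whether the requested plugin is installed. A request for a
    plugin that is not installed is unambiguous enumeration; a request for one that
    is installed may be legitimate, so that decision is left to the caller.
    """
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore cache-busting query strings
        m = PROBE_RE.match(path)
        if m:
            slug = m.group("slug")
            hits.append({
                "ip": rec["ip"],
                "slug": slug,
                "status": int(rec["status"]),
                "present": slug in installed,
            })
    return hits


def scanning_ips(hits, min_absent=2):
    """IPs that requested readme.txt for at least `min_absent` plugins that are not installed.

    A single source asking for several plugins it cannot have seen linked from the
    site is scanning, not browsing.
    """
    absent = {}
    for h in hits:
        if not h["present"]:
            absent.setdefault(h["ip"], set()).add(h["slug"])
    return {ip for ip, slugs in absent.items() if len(slugs) >= min_absent}


def plugins_per_ip(hits):
    """Number of distinct plugin slugs each IP asked about."""
    per_ip = {}
    for h in hits:
        per_ip.setdefault(h["ip"], set()).add(h["slug"])
    return {ip: len(slugs) for ip, slugs in per_ip.items()}


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG, INSTALLED)
    for h in probes:
        print(h)
    print("scanning:", scanning_ips(probes))
```

The threshold in scanning_ips is deliberately low because the probe only needs one request per plugin; raise it on a site that legitimately serves readme files to search engines or monitoring tools.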

11 Feb 2025

WordPress Plugin Developers’ Assurances Their Plugins Are Secure Continue to Not Bear Out

We recently ran across a WordPress plugin developer claiming that a security partner was ensuring their plugin was secure. We had come across the plugin because the developer had continued to use a known vulnerable third-party library for 21 months. It turned out not to be the only known vulnerable library in the plugin. There is also an additional unfixed security issue caused by the security partner, Patchstack, failing to make sure a vulnerability was properly fixed or to provide the information needed for others to vet its false claim that it was fixed. They are hardly the only plugin developer claiming that their plugins are secure. Can you trust such claims?

One way to try to answer that would be to look at the evidence they provide to back up the claims. But they don't provide any. For example, the developer of the 80,000+ install WP ULike provides this information in a FAQ in response to the question "Is WP ULike secure?": [Read more]

10 Feb 2025

WordPress Plugin Includes Version of Third-Party Library That Was Publicly Known to Be Vulnerable Years Before Plugin Was Even Released

As part of providing a more comprehensive view of how the security of WordPress plugins is handled, our Plugin Security Scorecard tool has been expanding the number of third-party libraries it can detect in plugins. If the developers of those libraries publish security advisories on GitHub, we incorporate them into the tool's results as well. Last week we added detection for the jQuery UI JavaScript library. Someone has already run a plugin through the updated tool, and it caught the plugin containing a version of the library that has multiple vulnerabilities according to the library's developer:
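The two library checks described in this and the file manager post above come down to the same mechanism: find the version string a bundled library ships with, then compare it against the versions the library's advisories say are fixed. The following is an added example of that mechanism for jQuery UI, not the Scorecard tool's own code. The plugin files are an in-memory stand-in constructed for illustration, and the advisory table holds placeholder identifiers and fixed-in versions to be replaced with the library's real GitHub advisory data; the version-banner patterns are heuristics based on how jQuery UI's own build labels its files.

```python
"""Detect bundled jQuery UI copies in a plugin tree and map them to advisories.

Added example, not the Scorecard tool's code. PLUGIN_FILES and ADVISORIES are
constructed placeholders; only the detection and comparison logic is the point.
"""
import re

# jQuery UI's build writes a banner like "/*! jQuery UI - v1.12.1 - 2016-09-14" (heuristic).
BANNER_RE = re.compile(r'/\*!?\s*jQuery UI\s*-\s*v(\d+\.\d+\.\d+)')
# Source form: $.extend( $.ui, { version: "1.12.1", ... } ) (heuristic; handles minified too).
EXTEND_RE = re.compile(r'\$\.ui\s*,\s*\{\s*version\s*:\s*"(\d+\.\d+\.\d+)"')
# Older custom builds carry the version in the file name, e.g. jquery-ui-1.8.23.custom.min.js.
FILENAME_RE = re.compile(r'jquery[-.]ui[-.](\d+\.\d+\.\d+)', re.I)

# Constructed plugin tree: relative path -> file text (truncated stand-ins, not real files).
PLUGIN_FILES = {
    "example-plugin/example-plugin.php": "<?php\n/* Plugin Name: Example Plugin */\n",
    "example-plugin/assets/js/jquery-ui.min.js":
        "/*! jQuery UI - v1.12.1 - 2016-09-14\n* http://jqueryui.com\n(function(t){})(jQuery);",
    "example-plugin/assets/js/legacy/jquery-ui-1.8.23.custom.min.js": "(function($){})(jQuery);",
    "example-plugin/vendor/other.js": 'var x = {version:"9.9.9"};',
}

# PLACEHOLDER advisory table. Replace with the library's published GitHub advisories;
# each entry only needs the first version that carries the fix.
ADVISORIES = [
    {"id": "ADVISORY-A", "fixed_in": "1.13.0", "summary": "placeholder entry"},
    {"id": "ADVISORY-B", "fixed_in": "1.13.2", "summary": "placeholder entry"},
]


def parse_version(s):
    """'1.12.1' -> (1, 12, 1), so tuples compare numerically rather than lexically."""
    return tuple(int(p) for p in s.split("."))


def detect_jquery_ui(files):
    """Return {path: version_string} for every file that looks like a jQuery UI copy.

    Content patterns are checked before the file name so a renamed file is still
    attributed to the version its banner declares.
    """
    found = {}
    for path, text in files.items():
        for rx in (BANNER_RE, EXTEND_RE):
            m = rx.search(text)
            if m:
                found[path] = m.group(1)
                break
        else:
            m = FILENAME_RE.search(path)
            if m:
                found[path] = m.group(1)
    return found


def applicable_advisories(version, advisories=ADVISORIES):
    """IDs of advisories whose fix landed in a version newer than the one found."""
    v = parse_version(version)
    return [a["id"] for a in advisories if v < parse_version(a["fixed_in"])]


def scorecard(files, advisories=ADVISORIES):
    """Per detected copy: the version and the advisories that still apply to it."""
    return {
        path: {"version": ver, "advisories": applicable_advisories(ver, advisories)}
        for path, ver in detect_jquery_ui(files).items()
    }


if __name__ == "__main__":
    for path, result in scorecard(PLUGIN_FILES).items():
        print(path, result)
```

Two copies of the library in one plugin, as in the constructed tree, is a realistic finding: a legacy custom build left in place next to a newer full build, each with its own set of applicable advisories.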

[Read more]

10 Feb 2025

WordPress Plugin Security Review: AspireUpdate

As part of the ongoing situation between Matt Mullenweg and the WordPress community, there has been increased concern about various aspects of WordPress. One area of concern is the continued ability to get updates for WordPress software from the WordPress update infrastructure. That led to the release of a new plugin, AspireUpdate, as part of a larger project to provide alternative infrastructure, AspirePress. As part of our focus on supporting efforts to reform WordPress, we decided to do a security review of the plugin.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service who haven't yet suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our main service. [Read more]

4 Feb 2025

Patchstack Isn’t Actually Patching Vulnerabilities

You would reasonably think that a security company named Patchstack would be focused on patching security vulnerabilities, but it turns out they are not. In fact, they are actually making it harder for vulnerabilities to get patched.

If you head over to Patchstack's homepage, they currently claim at the top of the page to offer the "fastest protection for WordPress security vulnerabilities" and claim to have "9,100+ virtual patches to protect you": [Read more]

3 Feb 2025

CVE Actually Does Trust Open Source Implicitly and That Is a Problem

Last week Seth Michael Larson, the Security Developer-in-Residence at the Python Software Foundation, said he loved an article from Open Source Security. The article touched on an important issue with the CVE system, though it came from an author, Anchore's Josh Bressers, who seemingly has no idea what he is talking about. CVE is a system that is supposed "to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities", with "one CVE Record for each vulnerability in the catalog." What CVE actually is, is a prime example of how much of the security industry is a scam, as the catalog is filled with information that is often misleading to outright false and lacks the basic information needed to make it useful or to vet it.

The post at Open Source Security claimed that something being done by the Node.js project "is against the CVE rules" and that "[t]his is important because it can frame some of the discussion we see." Those claims are not backed up by anything in the post or in what it links to. The reality is that even if something is against the rules of CVE, the people running it have made very clear through their actions that they don't care, as long as it is done by an entity they allow to submit information directly into the catalog. [Read more]

3 Feb 2025

Plugin Security Scorecard January Results

January was the sixth full month our Plugin Security Scorecard was available, and a fair number of plugins were checked: 148 in total, 7 of them security plugins.

As can be seen below, the results for security plugins were not good, with the best grade being a D+. That comes from a combination of issues. Some of those plugins have security issues. Some come from developers that have had repeated vulnerabilities and are not addressing the underlying problems. Most security plugins fail to implement security best practices. Then there is the issue of plugin developers making security claims that are at least not supported with evidence (and often couldn't be, since they are not true). [Read more]