22 Jan 2025

Plugin That Patchstack Is Claimed to Ensure Is Secure Contains an Additional Outdated Known Insecure Library

Last week we talked about two popular WordPress plugins that had been run through our Plugin Security Scorecard and identified as containing a rather out of date version of third-party libraries, which, according to the libraries’ developers, contained a security issue. The libraries in question were different in the two plugins, but it turns out they also have another library in common, where both are using outdated known insecure versions. One of those is the 1+ million install SVG Support, where someone reported to the developer at the end of October that it was also using an outdated and known insecure version of the library DOMPurify. There still hasn’t been an update to the plugin to address that. More people have been reporting that issue. After seeing that, we started looking into adding a check for DOMPurify to our Plugin Security Checker. Through that, we found a couple of fairly popular plugins that are also still using older versions that the developer of the library says are insecure.

We contacted the developer of one of those yesterday to let them know about the problem. The version they are using is subject to issues that were publicly disclosed by the developer of the library in September and October. There are not any topics on the support forum for the plugin about that, which is interesting considering the other plugin had multiple people report it to the developer. [Read more]

22 Jan 2025

WordPress Plugins Can Include a Lot of Software That the Plugin’s Developer Doesn’t Have Any Connection To

How much do you consider a WordPress plugin developer’s handling of security of their plugins when choosing to use or not use a plugin? Probably not much, considering even if you wanted to, your access to information to make an informed assessment is limited. That is also backed up by the popularity of plugins from developers that have long track records of very public indifference, at best, to security. Depending on the plugin, you have to be worried about not just their handling of security, but the handling of security by developers of third-party libraries that are included in their plugin.

The amount of third-party software in some plugins has surprised us. As part of working on our Plugin Security Scorecard since last year, we have been expanding the number of libraries it can provide information on, along with warnings when there are publicly known security issues. A few days ago, the security plugin Shield Security was run through the tool again and more libraries were flagged to be included in our data set. There were 5 more libraries for us to see about adding, on top of the 47 already in our dataset that are in the plugin. That is a lot of third-party software being included in a plugin originally called WordPress Simple Firewall. [Read more]

17 Jan 2025

Two-Factor Authentication (2FA) Won’t Stop an Attacker From Using Their Own WordPress Account to Engage in Malicious Activity

Two-factor authentication (2FA) can be useful for securing WordPress websites in certain circumstances, but it is often touted as being useful for things it isn’t needed for or capable of helping with. We often see it claimed that people should use it to protect against brute-force attacks against WordPress admin passwords. That is, despite those attacks continuing to not happen. Using 2FA when you don’t need to can even create vulnerabilities that would allow an attacker access to your website, so understanding what it can and can’t do is important.

Another situation 2FA isn’t the solution for is when an attacker is using their own WordPress account. That was part of the advice with a recent claim of a malware campaign against WordPress websites. The source for that was claiming that the hacker would cause a new WordPress account with the Administrator role to be created. They did that by causing someone already logged in as Administrator to make that happen without them taking any action. The source was then suggesting implementing 2FA to stop the attacker. [Read more]

16 Jan 2025

1+ Million Install WordPress Plugin Has Been Using an Outdated Known Insecure Version of a Library For Nearly 3 Years

Last year we created the Plugin Security Scorecard tool to help the WordPress community have a better understanding of the security of plugins and hopefully to get better practices more widely implemented. As part of our work on that, we have been continuing to expand its capability to identify when plugins are using outdated and known insecure/vulnerable third-party libraries. That capability either doesn’t exist elsewhere in the community or isn’t being used. That is highlighted by a plugin that was checked through the tool today.

The plugin checked was the 1+ million install plugin SVG Support, which had several issues identified: [Read more]

16 Jan 2025

Developer of 1+ Million Install WordPress Plugin Hasn’t Addressed All Known Vulnerabilities Despite Making That Claim

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is if a backward-looking determination is helpful or if past is not prologue with that. We ran across an example where the problem with a developer has continued. It also suggests that a developer who isn’t making sure to mark their plugins compatible might have additional issues. And finally, the situation is a reminder that you can’t rely on plugin developers to give you accurate information on the security of their plugin.

A post from earlier this month on the support forum of the 1+ million install plugin WP File Manager was asking about compatibility with WordPress 6.7. The plugin had not been marked to be compatible with that version despite it being released in November. Someone from the developer responded that “Although the documentation currently lists compatibility up to WordPress 6.6.2, rest assured that the plugin has been tested and is fully functional with newer releases, including WordPress 6.7.1.” WordPress sends out an email ahead of new releases asking for developers to test and then mark their plugins compatible. So the failure to do that is somewhat concerning. [Read more]

15 Jan 2025

WordPress Security Header Plugins Still Claiming to Provide Protection With Headers That Web Browsers Long Ago Stopped Supporting

In looking into complaints about the search functionality of the WordPress Plugin Directory recently, a common complaint we saw is that new plugins don’t get promoted. As part of an alternative search functionality we have been putting together, we decided to try to address that in part by including a new plugin after the first ten results for queries. When doing a search on “security,” that currently highlights a security headers plugin:

[Read more]

15 Jan 2025

Audrey Capital Employee Samuel “Otto” Woods Closed Discussion About WordPress Not Promoting Automattic’s Jetpack Plugin

Last week Automattic, the company of the head of WordPress, Matt Mullenweg, announced they were going to contribute less to WordPress. In doing that, they complained that “we’ve observed an imbalance in how contributions to WordPress are distributed across the ecosystem, and it’s time to address this.” The credited author of the post is the Executive Director of WordPress.org. What was left unsaid was how Automattic benefits from WordPress over other companies because of its level of control over the project. We just ran into an instance, predating the current situation with WordPress, where an attempt to address that wasn’t allowed.

Last week, we wrote about an Automattic employee who had access to non-public data on the top search terms for the WordPress Plugin Directory and who admitted to changing the search algorithm to promote Automattic’s Jetpack plugin. That isn’t the only way that Jetpack is promoted in the WordPress Plugin Directory. From the admin interface of WordPress, going to the page to add a new plugin brings up a set of Featured plugins: [Read more]

14 Jan 2025

Journalists Once Again Focus on WordPress While Ignoring That Sucuri Failed to Protect and Secure Their Customers’ Websites

While WordPress has very real security problems, news coverage related to hacked WordPress websites often focuses on WordPress while ignoring the more pertinent problem: security companies are scamming their customers. Yesterday, a story ran in one security “news outlet” titled “WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables.” Again, that was yesterday. For those familiar with hacked WordPress websites or hacked websites using other software, this is a bizarre headline. Malware stored in a database isn’t a new phenomenon, nor is what they are describing something that should evade detection. Several other “news outlets” included in Google News ran similar stories. The sole source for all those stories was a blog post by Sucuri.

It was fairly standard for Sucuri, with them once again admitting that one of their customers got hacked. That is despite claiming that their service protects websites from being hacked: [Read more]

14 Jan 2025

Matt Mullenweg Will Again Be “Community Member” Ultimately Responsible for WordPress Release With Version 6.8

Recently the head of WordPress, Matt Mullenweg, was complaining about the time and energy he was having to expend on the project. If this wasn’t performative, you would reasonably expect that he would hand off work to others. One place that could happen is with the Release Lead role for the next release of WordPress. That role is supposed to be the “community member ultimately responsible for” a release of WordPress. But in reality, going back through the last 15 releases, he had that role 12 times. Two employees of his company, Automattic, handled the other two. On Friday afternoon, though, it was announced that he would again be taking on that role.

From a security perspective, having a new release lead would be an opportunity for someone who might allow known security issues with WordPress to finally be addressed and fairly easy-to-implement security improvements to finally be implemented. That unfortunately hasn’t been of interest to Matt Mullenweg and those other Automattic employees. Hopefully, that is not because of Automattic’s business interest in selling security solutions. [Read more]