Closed Popular WordPress Plugin Advanced CF7 DB (Advanced Contact form 7 DB) Reintroduced Serious Vulnerability
One of the ways we make sure that customers of our service have the best information on vulnerabilities in the WordPress plugins they use is by checking whether popular plugins that have been closed on the Plugin Directory contain security vulnerabilities, as it looks like hackers were already doing that. Yesterday the plugin Advanced CF7 DB (Advanced Contact form 7 DB), which has 50,000+ active installations, was closed. No reason has been given for the closure, but the plugin contains multiple security issues. Some of them are security failures related to a vulnerability we contacted the developer about in August of last year, without ever getting a reply. Another vulnerability that currently exists in the plugin is one we found in August of 2017; the developer fixed it at the time, only to undo that fix later.
If all of that doesn’t make the security of WordPress plugins sound bad enough, consider that in May the major web security company Sucuri somehow missed all of it and instead claimed that the plugin contained a vulnerability that didn’t exist.