24 May

Closures of Very Popular WordPress Plugins, Week of May 24

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

[Read more]

24 May

Internet Explorer Reflected Cross-Site Scripting (XSS) Vulnerability in Analytics Code Integration (Analytics)

As part of our keeping track of the possible closure of popular WordPress plugins due to security vulnerabilities, so that we can warn customers of our service ahead of hacker exploiting vulnerabilities those closures might shine a light on, we were notified that the plugin Analytics Code Integration (Analytics), which has 30,000+ installs, was closed today. No reason has been given for the closure. There was a claim 8 months ago that there were security issues in the plugin and the plugin hasn’t been updated since that occurred. In quickly looking over the plugin we found a very minor vulnerability, what we refer to as an Internet Explorer reflected cross-site scripting (XSS) vulnerability.

[Read more]