31 Jul 2024

11 Month Wait for Security Fix for WordPress Plugin Highlights Value of Checking if Developers Are Supporting Plugins

In August of last year, we found that an update to a plugin coming directly from WordPress, Health Check & Troubleshooting, had introduced a couple of minor security issues. We reported those to the developers through the plugin’s GitHub project at the time. They finally responded and addressed those last week. That isn’t a good response time, but isn’t all that surprising considering the lack of much support for the plugin, despite having 300,000+ active installs. That lack of support ties into something we are now doing with our new Plugin Security Scorecard.

With our Plugin Security Scorecard, we are trying to provide an at-a-glance way to get a reasonable idea of how security is handled with a WordPress plugin. As we noted last week, an inspiration for that is the OpenSSF Scorecard, which tries to do a similar thing across a much wider spectrum of software. What that other scorecard seems to lack is evidence that the components of the score (and therefore the overall score) are actually useful in assessing the security of software. With our own solution, we are interested in making sure its grading is based on useful information. That brings us back to Health Check & Troubleshooting. [Read more]

8 Aug 2023

Update to WordPress’ Own Plugin With 300,000+ Installs Introduces Insecure Code

In addition to tens of thousands of third-party plugins for WordPress, WordPress itself is the developer of plugins. Last year we spotted a very exploitable vulnerability being introduced into one of those, which involved a failure to implement basic security. That was introduced into the plugin by an employee of the head of WordPress. You would hope that was an aberration and that WordPress would be implementing best practices for developing plugins. That doesn’t appear to be the case based on security issues just introduced into one of those plugins, Health Check & Troubleshooting, which has 300,000+ installs.

The GitHub project for the plugin has this information on “reporting security issues“: [Read more]

14 Jan 2019

Vulnerability Details: Authenticated Arbitrary File Viewing in Health Check & Troubleshooting

According to Matt Mullenweg, one of the projects for WordPress in 2019 is “Merging the site health check plugin into Core, to assist with debugging and encouraging good software hygiene.” What seems like bad software hygiene would be merging software that hasn’t had a basic security review into another piece of software used on millions of websites, which brings us to one of the changelog entries for the latest version of that plugin:


[Read more]