13 May 2025

Our Proactive Monitoring of WordPress Plugins Caught an Authenticated Media Deletion Vulnerability in Modula

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. For our customers, we also run the plugins they use through an expanded version of that monitoring on a weekly basis. (Which is a good reason to use our service.) Through that, we caught a variant of one of those vulnerabilities, an authenticated media deletion vulnerability, in the plugin Modula.

In the file /includes/admin/class-modula-gallery-upload.php, the function ajax_unzip_file() is registered to be accessible to those logged in to WordPress:

10 Jun 2024

AI Helps Catch CSRF Vulnerability Being Introduced into 100,000+ Install WordPress Plugin Modula

Three years ago, a prominent WordPress security provider claimed that the increasing number of vulnerabilities claimed to be discovered in WordPress plugins was caused not by more vulnerabilities being introduced into them, but by better detection of old vulnerabilities, and that plugins were therefore getting more secure. It was a problematic claim to make at the time, as, among other reasons, their data source simply claims that vulnerabilities have existed in all versions of a plugin. (Their data source also counted a lot of fake claims of vulnerabilities.) It continues to be problematic, as the claimed number of vulnerabilities being discovered keeps increasing.

The reality here is that many developers of WordPress plugins are continuing to introduce new vulnerable code into their plugins. WordPress could take actions to significantly reduce that, but it is not doing so. One method to limit the damage that those two problems cause is detecting vulnerabilities as they are being introduced into plugins. One method we have for doing that for our customers is a form of AI, machine learning. We now run all changes being made to plugins used by our customers through a machine-learning-based system trained to try to identify when vulnerabilities are introduced in those updates. That flagged a recent update to the 100,000+ install plugin Modula. In reviewing the changes made, we found that the developer had failed to include a basic security check in new code, leading to a cross-site request forgery (CSRF) vulnerability. Existing code looks to be similarly vulnerable.