To make it easy for those without a lot of technical skill to check whether a plugin is impacted by the authenticated option update vulnerability that exists in older versions of the Freemius library, we have updated our Plugin Security Checker so that when a plugin that includes a vulnerable version of that library is checked, a warning about it is shown.
When it comes to handling the disclosure of vulnerabilities, we think the best approach is neither of the extremes, responsible disclosure or full disclosure. You might actually call responsible disclosure irresponsible disclosure, since it can involve never disclosing a vulnerability if it isn’t fixed. That is a bad idea, because it shouldn’t be assumed that others can’t independently find the same vulnerability, and they might be someone who is going to exploit it. Beyond the obvious issues that come with full disclosure, there are other real-world problems it can cause. Our approach up until now has been what we refer to as reasonable disclosure, which in our case tries to balance the need to notify our customers, who are paying to be notified about vulnerabilities in WordPress plugins, in a timely manner against getting vulnerabilities fixed before disclosure happens as much as possible.
When we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, one of the future enhancements we mentioned we were looking into was making the results available through our service’s companion plugin. After thinking it over, we decided it would be better to create a separate plugin for that, so that websites that use the existing plugin but have no interest in that functionality are not increasing the amount of code on their website, and with it the security risk that creates. That is something the makers of a lot of security plugins appear not to have considered when throwing lots of different functionality into a single plugin; perhaps unsurprisingly, plenty of security vulnerabilities have been found in security plugins.
Through our main business we have offered pro bono service to human rights groups for years and we had recently been thinking about offering this service in that fashion as well. Then we noticed that Human Rights Day would be coming up (it happens on Sunday), which seemed like a great reason to go ahead and launch that.
Last month we introduced something new to our service: we are proactively monitoring changes to WordPress plugins to see if they include easy-to-spot vulnerabilities. We are currently restricting that to the most serious vulnerabilities because of the amount of time even that requires (if we had more customers we could justify expanding it further). One of the types of vulnerabilities we are monitoring for is PHP object injection, as that is something we have seen hackers exploiting on a fairly wide scale in the past. That has led to us reviewing more possible instances of that type of vulnerability, which in turn led us to come up with a simpler method to test whether there is in fact an exploitable vulnerability. Seeing as this type of vulnerability looks to be under-noticed and our solution is so simple, we decided to share it.
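The following is an added example, not code from the original post and not the testing method it refers to (the post does not describe that method). It shows the PHP object injection pattern itself in a hypothetical WordPress plugin: a class with a magic method that becomes a gadget, a handler that passes user-controlled data to unserialize(), and a hardened variant. The class name Hypothetical_Log_Writer, the hypothetical_* functions and the payload are all invented for illustration; a real plugin would read the serialized string from a cookie or POST field rather than a local variable.

```php
<?php
// Added example (not code from the original post): the PHP object injection
// pattern in a hypothetical WordPress plugin, and a hardened variant.
// Every class and function name here is invented for illustration.

// A class from the plugin's own code base with a "magic" method that PHP runs
// automatically when the object is destroyed. Harmless on its own, but if an
// attacker can instantiate it with chosen properties it becomes a gadget.
class Hypothetical_Log_Writer {
    public $path = '';
    public $data = '';
    public function __destruct() {
        if ($this->path !== '') {
            // Attacker controls both the file name and its contents.
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable: the plugin hands a cookie (or POST) value straight to
// unserialize(), which instantiates whatever class names the payload contains.
function hypothetical_load_prefs_vulnerable($raw) {
    return unserialize($raw);
}

// Hardened: objects are refused, so only arrays and scalars come back. Any
// object in the payload becomes __PHP_Incomplete_Class and no magic method of
// a real class runs. Storing preferences as JSON and using json_decode($raw,
// true) avoids unserialize() altogether and is the better fix for new code.
function hypothetical_load_prefs_hardened($raw) {
    $prefs = unserialize($raw, array('allowed_classes' => false));
    return is_array($prefs) ? $prefs : array();
}

// Constructed attacker payload: a serialized Hypothetical_Log_Writer whose
// properties point at the file the attacker wants written.
function hypothetical_build_payload($path, $data) {
    $obj = new Hypothetical_Log_Writer();
    $obj->path = $path;
    $obj->data = $data;
    $payload = serialize($obj);
    $obj->path = ''; // keep this local instance from firing the gadget itself
    return $payload;
}

// Demo: run with `php this_file.php`. The target is a temp file so the demo
// is harmless; in an attack it would be a .php file under the web root.
$target  = tempnam(sys_get_temp_dir(), 'poi');
$payload = hypothetical_build_payload($target, "<?php echo 'injected'; ?>");
echo "payload: $payload\n";

$v = hypothetical_load_prefs_vulnerable($payload);
echo 'vulnerable path instantiated: ', get_class($v), "\n"; // Hypothetical_Log_Writer
unset($v); // __destruct() runs here and writes the attacker's file
echo 'gadget wrote the file: ', var_export(file_get_contents($target) !== '', true), "\n"; // true

$h = hypothetical_load_prefs_hardened($payload);
echo 'hardened path returned: ', var_export($h, true), "\n"; // array ()
unlink($target);
```

When reviewing a plugin for this class of issue, the questions the example makes concrete are whether any unserialize() call can receive attacker-influenced input, and whether any class that is loaded at that point has a __wakeup(), __destruct() or __toString() method that does something with its own properties. The allowed_classes option requires PHP 7.0 or later; on older PHP the only safe options are to validate the raw string before unserializing it or to move the data to a format such as JSON.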
Through our main business we recently introduced a service to take over and maintain WordPress plugins that have been abandoned by their previous developers. As part of getting the plugin up to snuff when taking it over, we will do a security review of the plugin like the ones we already do as part of this service.
While WordPress handles security fairly well, there are plenty of problems we have seen in the work that ultimately led to this service, and then in doing the work for this service, including ones that lead to websites being hacked that shouldn’t be and that make our work to actually get the security of plugins improved unnecessarily harder. Some of these problems are getting worse, so we have decided to stop doing work that people on the WordPress side should have been doing themselves all along until they present concrete plans to fix two of the many issues. In the short term this will leave those not using our service with worse security, but if WordPress chooses to start moving in the right direction then security can be improved from where it is now. We would then love to work with them on other issues, as there are lots of areas where small changes would likely lead to significant improvement.