Recently the WordPress Plugin Directory was changed so that the pages for plugins that have been closed remain visible (previously they were removed). One of the impacts, for better and worse, is that you can see how many websites are still using those plugins. Last week we discussed how one plugin that was removed over a year ago due to a security issue that was being exploited, was still being used on fairly significant number of the websites that used it before that occurred. We went to look into that after we saw what looked to be a hacker probing for the usage of the plugin again.
We think that WordPress does a pretty good job when it comes to security, but there is a glaring problem we have run across, the handling of unfixed vulnerabilities in WordPress plugins. When a vulnerability in a plugin is reported to the Plugin Directory, unless it is very minor, the plugin is pulled pending a fix. That prevents anyone who isn’t already using the plugin from installing it and making themselves vulnerable, but for everyone that already has it installed they will remain vulnerable until the vulnerability is fixed. A lot of times that happens fairly quickly after the plugin is removed, but in other cases it takes a long time or never happens. For that reason we first suggested that websites that have removed plugins installed should alert over four and half years ago. At the time we proposed this on the Ideas section of wordpress.org and shortly there after it was indicated this was being worked on. By earlier this year it was indicated that they cannot provide this, not for some technical reason, but because “IF an exploit exists and we publicize that fact without a patch, we put you MORE at risk.”. We previously discussed that this really doesn’t make sense and we just ran in to another example that we think provides further evidence why this is bad stance.