16 May 2025

Plugin Security Scorecard April Results

April was the ninth full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 77 in total last month, 5 of them security plugins.

The overall results were not great. Only one plugin got an A. No plugins got an A+ or B+. Those three grades require the developer of the plugin to be taking proactive measures with security, so most plugin developers are not taking the measures needed to provide the best security. 16 of the plugins did get a B, which requires that they avoid unnecessary security issues. [Read more]

15 May 2025

600k WordPress Backup Plugin Claiming to Be “Easiest Way to Protect Your Website” Contains Decade Out of Date Insecure Library

Earlier this week someone checked the 600,000+ install WordPress plugin BackWPup through our Plugin Security Scorecard. That flagged a variety of issues, including code that isn’t properly secured against reflected cross-site scripting, usage of security functions in a way that provides no protection, and usage of an outdated version of a third-party library that contains five developer-disclosed security issues:

The oldest of those security issues in the library was disclosed in May 2022. So the developer hasn’t updated the library in at least 3 years. It turns out it is even longer than that, as the version in use is 3.8.1, which was superseded in March 2014. [Read more]

24 Apr 2025

Snyk is Claiming That Select2 JavaScript Library Contained XSS Vulnerability, It Was Actually in Its Documentation

As part of our continuing work on our Plugin Security Scorecard, we are working to expand the amount of security information we can provide on third-party libraries in WordPress plugins. One problem you run into when trying to do something like that is that, as with WordPress plugins, there is plenty of misinformation out there. That appears to be the case with a claim of a vulnerability in the Select2 library made by security provider Snyk.

We recently noticed that a WordPress plugin had a changelog indicating that the library had been updated to address an XSS (cross-site scripting) issue. Checking the page that shows security advisories for the library on GitHub, there are no advisories. So either the developer hadn’t created an advisory for the issue or there wasn’t an issue. [Read more]

9 Apr 2025

Plugin Security Scorecard March Results

March was the eighth full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 140 in total last month, 8 of them security plugins.

The overall results were not great. No plugins got an A+, A or B+. Those three grades require that the developer be taking proactive measures with security, so most plugin developers are not taking the measures needed to provide the best security. 36 of the plugins did get a B, which requires that they avoid unnecessary security issues. [Read more]

3 Apr 2025

6 WordPress Plugins With a Million or More Installs Still Using JavaScript Library That Was EOL’d at End of 2023

As we continue to expand the ability of our Plugin Security Scorecard to detect third-party libraries included with WordPress plugins, we continue to find that popular plugins are not handling their usage of those libraries well. While preparing to notify a plugin developer that they were using a known insecure version of a library, we noticed another library in the plugin that we hadn’t yet added to the tool: Vue.js. Version 2 of that library reached end of life at the end of 2023. That means if there were a vulnerability or lesser security issue, an update wouldn’t be released. (There is a scammy security provider claiming to provide further updates for it.)

While working on adding detection for the library, we found that 6 plugins with a million or more installs still contain version 2 of the library. All but one of them are not even using the latest release of version 2. The one plugin that is using the latest release is CookieYes, which has a million installs and contains 2.7.16. [Read more]

4 Mar 2025

CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While Their Security Plugin Contains Known Vulnerable Library

Last week we posted about the three most popular file manager plugins containing a vulnerable version of the jQuery UI library. The inclusion of the vulnerable version of that library was detected by our Plugin Security Scorecard. None of those plugins have been updated to address that yet, despite us notifying the developers a week ago. Over the weekend, another plugin was checked through the tool and identified as containing a vulnerable version of that library. Incredibly, it is a security plugin, Security & Malware scan by CleanTalk:

[Read more]

3 Mar 2025

Plugin Security Scorecard February Results

February was the seventh full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 86 in total last month, 4 of them security plugins.

The overall results were not great. No plugins got an A+, A or B+. Those three grades require that the developer be taking proactive measures with security, so most plugin developers are not taking the measures needed to provide the best security. 19 of the plugins did get a B, which requires that they avoid unnecessary security issues. [Read more]

25 Feb 2025

Popular WordPress File Manager Plugins Contain Third-Party Library With Multiple Vulnerabilities

Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue identified by the tool in each plugin was flagged for us to review: the plugins contained a known vulnerable library. What was curious is that each plugin was flagged for the exact same vulnerabilities in the same library. Here is the relevant part of the results for the 1+ million install WP File Manager:

[Read more]

11 Feb 2025

WordPress Plugin Developers’ Assurances Their Plugins Are Secure Continue to Not Bear Out

We recently ran across a WordPress plugin developer claiming that a security partner was ensuring their plugin was secure. We had run across the plugin because the developer had continued to use a known vulnerable third-party library for 21 months. It turned out not to be the only known vulnerable library in the plugin. There is also an additional unfixed security issue caused by the security partner, Patchstack, failing to make sure a vulnerability was properly fixed or to provide the information needed for others to vet their false claim that it was fixed. They are hardly the only plugin developer claiming that their plugins are secure. Can you trust their claims?

One way to try to determine the answer to that would be to look at the evidence they are providing to back the claims up. But they don’t provide any. For example, the developer of the 80,000+ install WP ULike provides this information in a FAQ in response to the question “Is WP ULike secure?”: [Read more]

10 Feb 2025

WordPress Plugin Includes Version of Third-Party Library That Was Publicly Known to Be Vulnerable Years Before Plugin Was Even Released

As part of providing a more comprehensive view of how the security of WordPress plugins is handled through our Plugin Security Scorecard tool, we have been expanding the number of third-party libraries it can detect in plugins. If the developers of those libraries disclose security advisories on GitHub, we incorporate them into the results of the tool as well. Last week we added detection for the jQuery UI JavaScript library. Someone has already run a plugin through the updated tool, and it caught the plugin containing a version of the library that contains multiple vulnerabilities according to the developer:

[Read more]