13 Jun 2019

Simply Closing a WordPress Plugin With a Vulnerability Likely to Be Exploited Just Leaves Websites Open to Being Hacked

As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing our website for usage of plugins and then try to figure out what the hackers might be looking to exploit. A week ago that led to us running across two plugins with unfixed vulnerabilities. One of those plugins was closed on the WordPress Plugin Directory on May 9. In the past day we saw a hacker probing for another plugin that was closed on the same day, Real Estate Manager – Property Listing and Agent Management.

What we found when we went to look for vulnerabilities in this plugin was nearly identical to what we found with the previous one, making it seem likely that both were closed due to security issues discovered by the same party. Closing them and doing nothing else isn’t a solution, as what has happened with these plugins is yet another reminder. This is a solvable problem, but the people currently running the WordPress Plugin Directory seem to be incapable of handling or even acknowledging it. One of the six people on the team running it, for example, has claimed there is never a need to remove closed plugins: