19 Jan 2024

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detecting known vulnerabilities in WordPress plugins. That seems unrelated to what is supposed to be the focus of the plugin. A WP Tavern story about it carried an explanation from the developer of why that feature belongs in this plugin:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next. [Read more]

5 Jan 2024

Confusion Over Proper Usage of esc_url_raw() Includes Developers of 1+ and 5+ Million Install WordPress Security Plugins

While working on a security review of a WordPress plugin, we ran across misuse of a WordPress security function, esc_url_raw(). While looking to see whether this was a wider issue, we found that a 5+ million install security plugin is among those improperly using it, as is another 1+ million install security plugin, along with two 1+ million install plugins from the security reviewer on the team running the WordPress plugin directory.

The documentation for esc_url_raw() explains that it “Sanitizes a URL for database or redirect usage.” It then further explains that: [Read more]
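The following is an added example, not code from the post above or from any of the plugins it discusses, showing the documented contract of esc_url_raw() next to its sibling esc_url(). It assumes it runs inside WordPress (so esc_url(), esc_url_raw(), update_option() and wp_safe_redirect() exist); the option name and the URL value are constructed for illustration. The specific misuse the post found is behind its "Read more" link and is not restated here; the example only shows what the two functions are documented to be for and the one observable difference between their outputs.

```php
<?php
// Added example (not code from the post or from any plugin it discusses).
// Assumes a WordPress context. 'my_plugin_target_url' and the URL below are
// constructed for illustration.

// A URL carrying a query string with two parameters, as a plugin might
// receive it from a setting or a request.
$url = 'https://example.com/page/?utm_source=test&ref=2';

// Documented use of esc_url_raw(): the value is going into the database.
// The ampersand stays a literal '&', which is what a stored value needs.
update_option( 'my_plugin_target_url', esc_url_raw( $url ) );
// Stored value: https://example.com/page/?utm_source=test&ref=2

// Documented use of esc_url_raw(): the value is going into a Location
// header. Commented out so the script does not actually redirect.
// wp_safe_redirect( esc_url_raw( $url ) );
// exit;

// Documented use of esc_url(): the value is going into HTML output.
// esc_url() entity-encodes '&' as &#038; so the attribute is well-formed.
echo '<a href="' . esc_url( $url ) . '">Link</a>';
// Output: <a href="https://example.com/page/?utm_source=test&#038;ref=2">Link</a>

// What a reviewer checks: each call site uses the function whose documented
// purpose (database/redirect vs. output) matches where the value ends up.
```

When auditing a plugin for this, grep for esc_url_raw( and look at what each result feeds: an update_option()/$wpdb call or a redirect matches the documentation, an echo or an HTML attribute does not.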

31 Jul 2023

Poor Security of Really Simple SSL Permits Anyone to See What Known Vulnerabilities Are on a Website

As we noted in a post last week, the Really Simple SSL WordPress plugin became popular, with 5+ million installs, as a simple WordPress plugin, and then the developer started bloating it with unrelated features. One of those was plugin vulnerability alerts. The developer recently explained that decision this way:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next. [Read more]

27 Jul 2023

Really Simple SSL Plugin Is Falsely Claiming That WordPress Plugins Contain Vulnerabilities

The Really Simple SSL plugin became popular, with 5+ million installs, as a simple WordPress plugin, and then the developer started bloating it with unrelated features. One of those was plugin vulnerability alerts. The developer recently explained that decision this way:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next. [Read more]

1 May 2017

WordPress Plugin Security Review: Really Simple SSL

For our tenth security review of a plugin based on the voting of our customers, we reviewed the plugin Really Simple SSL.

If you are not yet a customer of the service, you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service who haven’t yet suggested and voted for plugins, you can start doing that here. [Read more]