18 Oct

This Might Be Why Starbox Was Removed From the WordPress Plugin Directory

When it comes to improving the security of WordPress, one of the easiest things to do would be to start alerting when websites are using plugins that have been removed from the Plugin Directory for security issues. We have been trying to get that to happen for over five years, but the WordPress team has continued to refuse to do so, while claiming they are “working on it”. Recently the Wordfence Security plugin has started to warn when removed plugins are in use, which has led to more people realizing they are using removed plugins, but it leaves them not knowing why the plugin was removed, as there are reasons for removal other than security. That isn’t all that helpful, as can be seen by the company behind that plugin touting this feature with a quote from a person who left a plugin with intentionally malicious code in it on their websites after it was removed from the Plugin Directory multiple times. Instead of Wordfence getting behind the effort to get this issue properly resolved, they would rather promote people being reliant on their plugin for incomplete information on removed plugins, while sometimes providing those using their plugin with outright false information about the situation with a removed plugin.


16 Oct

More of the WordPress Support Forum’s Terrible Moderation

Earlier today, in a post providing the details of a vulnerability that has been fixed in the plugin Starbox, which is currently removed from the Plugin Directory, we noted there was confusion over the removal of the plugin. In a thread about the issue, “Why was StarBox removed from the WordPress repository?”, a member of the Plugin Directory team had responded to a question about why the plugin was removed with the following:


16 Oct

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Starbox

This post provides the details of a vulnerability in the WordPress plugin Starbox that was not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then view the contents of the post. There are a lot of other reasons to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.
