One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in another brand new plugin, VIRTUAL HDM FOR TAXSERVICE AM. We found another of these in a brand new plugin less than two weeks ago.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]