15 Nov 2023

WooCommerce Extending Plugins Might Not Actually Be Written With All WordPress Security Standards in Mind

Recently the developer of a WordPress plugin that extends WooCommerce responded to a claim that their plugin contained a vulnerability by stating that the plugin has “no known vulnerabilities and is written with all wordpress security standards in mind taking precaution to avoid such an issue.” Can you trust that sort of claim? In our years of experience, no. Plugin developers often make strong claims about their handling of security that turn out not to be true. That was the case with this plugin, WooCommerce Product Table Lite, as well. Those who want to make sure the plugins they use are actually secure should look for plugins that have had an independent security review done, or get one done for the plugins they rely on.

Like another plugin we discussed this week, where the developer had missed a vulnerability despite claiming to have done multiple audits, this situation involved a vague claim from a security provider named Patchstack that the plugin contained a cross-site request forgery (CSRF) vulnerability. This plugin did contain such an issue. It wasn't hard to find and came down to a failure to implement basic security. After finding it, we contacted the developer, let them know what appeared to be at issue, linked to the relevant WordPress documentation for addressing it, and offered to help. They have now addressed the vulnerability.
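As an added illustration of the vulnerability class (this is not code from WooCommerce Product Table Lite, whose actual code the post does not show), here is a WordPress admin-post handler that saves a setting without a nonce or capability check, beside a hardened version that uses the nonce and capability functions WordPress documents for this purpose. The hook names, the option name, the settings page slug and the example_ prefix are invented for this example.

```php
<?php
/*
 * Added illustration of a CSRF-prone WordPress handler and its fix.
 * Not code from WooCommerce Product Table Lite; the example_ prefix,
 * hook names, option name and page slug are invented for this example.
 */

// VULNERABLE: any POST to admin-post.php?action=example_save_vuln is honoured.
// A logged-in administrator who visits an attacker's page can be made to submit
// such a request (for instance by an auto-submitting HTML form), so the attacker
// changes the setting without ever authenticating themselves.
add_action( 'admin_post_example_save_vuln', 'example_save_settings_vuln' );
function example_save_settings_vuln() {
    // No nonce check, so the request need not come from a form WordPress rendered.
    // No capability check either, so any logged-in user could reach this.
    update_option( 'example_table_columns', $_POST['columns'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// HARDENED, part 1: the form carries a nonce tied to this action and this user.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="columns"
               value="<?php echo esc_attr( get_option( 'example_table_columns', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// HARDENED, part 2: the handler refuses requests without a valid nonce and
// separately refuses users who lack the capability to change the setting.
add_action( 'admin_post_example_save', 'example_save_settings' );
function example_save_settings() {
    // Verifies $_POST['example_nonce'] against the 'example_save_settings' action
    // and stops with an error page if it is missing, stale or forged.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // A nonce proves the request came from a page WordPress served to this user;
    // it says nothing about whether the user is allowed to do this. Check that too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }

    // Sanitize before storing; the value is rendered back into the form later.
    $columns = isset( $_POST['columns'] ) ? sanitize_text_field( wp_unslash( $_POST['columns'] ) ) : '';
    update_option( 'example_table_columns', $columns );

    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
```

The same pattern applies to AJAX handlers (check_ajax_referer() in place of check_admin_referer()) and to REST routes (a permission_callback, with the nonce handled by the REST cookie authentication). Note that the nonce and the capability check address different problems: the nonce stops a third-party site from driving a logged-in user's browser into the request, while the capability check stops a low-privilege user from calling the handler directly. A plugin needs both, and the vulnerable handler above has neither.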