Vulnerability in WordPress Software Bill of Materials (SBOM) Plugin Allows Anyone Access to SBOM for Website
A software bill of materials (SBOM) lists the software components that make up a larger software system. SBOMs have received a lot of attention recently as a way to better detect and address known vulnerabilities in the components a system depends on. Generating an SBOM usually means running additional software, and that software can, in turn, have vulnerabilities of its own. That turns out to be the case with a WordPress plugin we just checked over.
While looking to see whether there was an existing solution for generating SBOMs for WordPress websites, we ran across WpBom, which has been available in the WordPress plugin directory since December 2021. It appears it hasn’t had a security review, as it contains a fairly serious vulnerability: anyone can access the SBOM file it generates, so an attacker can gain additional information about the software on the website. It could be worse; in July of last year, we found that a very popular security plugin was disclosing the vulnerabilities that were known to exist in software on the website.
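The practical check that follows from this is whether a generated SBOM is reachable by an unauthenticated visitor. The script below is an added example, not code from this post or from the WpBom plugin. The post does not say where the plugin stores its SBOM file, so the candidate paths are an assumption supplied by the caller on the command line; the script fetches each one with no credentials and reports any response that parses as a CycloneDX or SPDX JSON document. The two sample documents embedded in it are constructed for an offline run and are not taken from any real site.

```python
"""Probe a WordPress site for an SBOM that is served without authentication.

Added example, not from the page or from the WpBom plugin. The SBOM's location
is not given on the page, so candidate paths are an assumption passed by the
caller. Detection covers CycloneDX and SPDX in their JSON forms.
"""
import json
import sys
import urllib.error
import urllib.request


def classify_sbom(body: str):
    """Return a summary dict if `body` is a CycloneDX or SPDX JSON SBOM, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        comps = doc.get("components") or []
        return {
            "format": "CycloneDX",
            "version": doc.get("specVersion"),
            "components": [(c.get("name"), c.get("version"))
                           for c in comps if isinstance(c, dict)],
        }
    if isinstance(doc.get("spdxVersion"), str):
        pkgs = doc.get("packages") or []
        return {
            "format": "SPDX",
            "version": doc["spdxVersion"],
            "components": [(p.get("name"), p.get("versionInfo"))
                           for p in pkgs if isinstance(p, dict)],
        }
    return None


def fetch_unauthenticated(url: str, timeout: float = 10.0):
    """GET `url` with no cookies or credentials.

    Returns (status, body); status is None if the request failed at the network level.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "sbom-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_site(base_url: str, candidate_paths):
    """Probe each candidate path; return [(url, summary)] for every SBOM served on a 200."""
    exposed = []
    for path in candidate_paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        status, body = fetch_unauthenticated(url)
        if status == 200:
            summary = classify_sbom(body)
            if summary:
                exposed.append((url, summary))
    return exposed


# Constructed sample documents (not from any real site) so the detector can run offline.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"type": "application", "name": "example-plugin", "version": "2.3.1"}],
})
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "example-theme", "versionInfo": "1.0.0"}],
})

if __name__ == "__main__":
    # Usage: python sbom_check.py https://example.com /candidate/sbom.json [/another/path ...]
    # With no arguments, run the detector over the constructed samples instead.
    if len(sys.argv) < 3:
        for sample in (SAMPLE_CYCLONEDX, SAMPLE_SPDX):
            print(classify_sbom(sample))
        sys.exit(0)
    for url, summary in check_site(sys.argv[1], sys.argv[2:]):
        print(f"EXPOSED {url}: {summary['format']} {summary['version']}, "
              f"{len(summary['components'])} components listed")
```

A 200 response alone is not proof of exposure, since WordPress sites often answer unknown paths with an HTML page; the check only flags a response that actually parses as an SBOM, which is what would give an attacker the component inventory described above.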