18 Oct 2024

WordPress Plugin Vulnerability Data Providers Are Failing to Warn About Unfixed Vulnerability In WordPress’ Latest Canonical Plugin WPGraphQL

On Wednesday of last week, we posted that WordPress’ latest canonical plugin WPGraphQL contained a vulnerability because the developer had failed to update a third-party library included in the plugin for 18 months. We contacted the developer earlier that same day to alert them to this. We have yet to hear back from them, and neither the plugin nor two other plugins from the same developer with the same issue has had a new version released to fix the vulnerability. We asked WordPress if they were going to take over the plugin, as they did with Advanced Custom Fields, to address this. We haven’t received any response.

Our customers have been warned about that vulnerability, but those relying on other providers for WordPress plugin vulnerability data are still in the dark. Those getting data from a provider other than us are almost always ultimately getting it from one of three providers. One of those, WPScan, is owned by Automattic, which is now the employer of WPGraphQL’s developer. WPScan isn’t warning about this: [Read more]

9 Oct 2024

WordPress’ Latest Canonical Plugin WPGraphQL is Still Using Vulnerable Version of Library 18 Months Later

Two days ago Matt Mullenweg announced the WordPress plugin WPGraphQL was becoming a canonical plugin:

Happy to announce that WP GraphQL is becoming canonical on WordPress.org. I could say more, but I’ll let Jason tell his story. [Read more]

21 May 2019

WordPress Plugin Developers Are Portraying Limited Security Checks as Security Audits, Which They Are Not

Earlier today we noted that more WordPress plugins getting a security review would be a big help to the WordPress community. While there are not many security reviews of plugins happening now, in some cases developers are making it sound like their plugins are getting security audits they do not appear to be getting.

As part of continually monitoring various sources for information on vulnerabilities in WordPress plugins, so that we can add them to our data set and our customers can be informed of vulnerabilities in plugins they use, today we came across a report of vulnerabilities in the plugin WPGraphQL. In looking into this, we found the following in the release notes for the version that is supposed to fix them: [Read more]