In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one that we couldn’t see where it could do anything of note. While looking into that we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It also is yet another reminder we really need to review the security of the plugins that we use since there would be multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.
When it comes to improving the security of WordPress plugins the two things that stand out that are of most need and have been for years, are warning people when they are using vulnerable plugins and for serious vulnerabilities, which are likely to be exploited, putting out fixes if the developer doesn’t. The reason that hasn’t happened isn’t because of say a lack of resources, before we suspended doing it last year due to continued bad behavior by people on the WordPress side of things, we were to a large degree single handedly making sure that plugins in the Plugin Directory with public disclosed unfixed vulnerabilities didn’t remain in it (when we stopped they started piling up in it). We easily could provide fixes for the vulnerabilities that are likely to be exploited as well. Instead, the reason for the lack of doing those things is that the people on the WordPress side, for reasons that don’t make sense, are blocking those things from happening.