As we seek to expand the protection that the service provides against WordPress plugin vulnerabilities we are now doing basic security reviews of plugins selected by the customers of the service. This builds on the security checks we have been doing when reviewing other vulnerabilities in plugins, when trying to figure out what vulnerability hackers are trying to exploit in plugins we find them targeting, and other security reviews that we do.
Currently every two weeks we will do the review of the plugin that our customers have given the most votes in favor of. Anyone with a paid subscription can submit plugins to be voted on and can add votes in favor of plugins submitted by others. For current customers, once you are logged in to your account go here to get started.
We also offer free reviews for any plugins that are adopted through the unofficial plugin adoption program.
If you are interested in getting a review done and don’t use our service, we now provide a service for getting an review done.
What is Included in the Review?
We describe the review as basic, because we are not reviewing every single line of code in the plugin or guaranteeing that it is free of any vulnerabilities. Instead we focus on checking for some high risks issues, that are likely to be exploited if they are discovered, as well as making sure that the plugins are performing proper security hardening and security checks, which in addition detecting vulnerabilities that exist now would limit other types of vulnerabilities from being exploited if they existed even if they are added to the plugin after the review is done.
The following items are checked for:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
SQL injection vulnerabilities (the code that handles requests to the database)
Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with import/export functionality
- Security issues with usage of is_admin()
Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites