WordPress Plugin Security Reviews

As part of our focus on providing a service that provides our customers the best protection against WordPress plugin vulnerabilities we do security reviews plugins from the Plugin Directory selected by the customers of the service, so that they can know that plugins they use or are thinking of using are being properly secured. These reviews build on knowledge we have collected over the years from previously disclosed vulnerabilities, from trying to figure out what vulnerability hackers are trying to exploit in plugins we find them targeting, and other security reviews that we have done.

Currently every two weeks we do the review of the plugin that our customers have given the most votes in favor of. Anyone with a paid subscription can submit plugins to be voted on and can add votes in favor of plugins submitted by others. (For current customers, once you are logged in to your account, go here to get started.)

You can get some idea if a plugin is at greater need for a security review with our Plugin Security Checker.

We also offer free reviews for any plugins that are adopted through the unofficial plugin adoption program.

If you are interested in getting a review done and don’t use our service, need a plugin review right away, or are looking for a review of a plugin not in the Plugin Directory, we offer a separate service for getting that review done.

What is Included in the Review?

With our reviews we are not reviewing every single line of code in the plugin or guaranteeing that it is free of all possible security issues, as the first part of that likely would produce poor results and the latter is unlikely to be possible to really accomplish. Instead we focus on checking for known high risks issues, which are likely to be exploited if they are discovered based on everything we have seen over the years, as well as making sure that the plugins are performing proper security hardening and security checks, which in addition detecting vulnerabilities that exist now, would limit other types of vulnerabilities from being exploitable if they existed, even if the relevant code is added to the plugin after the review is done.

The following items are checked for:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Completed Reviews of Plugin Selected by Our Customers

(Ordered from most recent to the oldest)