Ninja Forms Could Have Avoided Recommending and Using a Vulnerable Plugin If They Used Our Service
Back in June we disclosed a minor vulnerability in the plugin Postman SMTP that we had discovered. We were not able to contact the developer of the plugin and it hasn’t gotten fixed since we disclosed it. In the past we would have notified the Plugin Directory of the issue and the plugin would have been removed, but due to WordPress’ continued poor handling of security related matters we have suspended reporting publicly disclosed vulnerabilities in the current version of plugins until they take concrete steps to start notifying people when they are using removed plugins and improve their forum moderation (which causes problems for people trying to get vulnerabilities fixed).
Whether due to this vulnerability or something else the plugin was removed from the Plugin Directory yesterday. In looking to see if there was any information that indicated there might be some other issue with the plugin we noticed this recent tweet:
Sending WordPress email can get frustrating at times. Discover Postman SMTP to make email easy!https://t.co/xXZkmsswNX
— Ninja Forms (@ninjaforms) September 27, 2017
So the makers of a very popular contact, Ninja Forms, which has 900,000+ active installs, were recommending using a plugin with a known security vulnerability. It seemed possible that this wasn’t a new recommendation, just a new tweet for something they had written some time ago. But in looking at the linked post, it turned it was from September 27. It also turned out they were not just recommending the plugin, but also using it:
Postman SMTP is one of the two services that we recommend highly and use internally (the other being Mailgun). We’ll spend the next few minutes introducing them to you and covering the (very easy) setup process. Let’s look at making email easy again! ????
If Ninja Forms had been using our service they would have been notified back in June that they were using a plugin with a known vulnerability. We then could have helped them work out how best to handle the situation, including providing them a fix until the developer resolved the issue in a new version or they moved to another plugin. They then also could have avoided recommending something with a known vulnerability.
For those aware that there are other data sources available through plugins/services and thinking Ninja Form could have used them, think again. We just checked and found that the WPScan Vulnerability Database and ThreatPress, both of which we mentioned recently, don’t have the vulnerability in their data sets, even though it was publicly disclosed over three months ago.
The Ninja Form post also makes a claim that seems inaccurate, as one of the “three big reasons” given to use it is:
Actively supported
The plugin had not been updated in two years as of its removal yesterday and was only listed as being compatible with up to WordPress 4.4.
For those using a plugin that has been abandoned that they want to keep securely using them, we now offer a service for taking over and maintaining them, which includes us doing a security review like the ones we do for plugins suggested/voted for by the customers of our service.
If you try to push your services it’s fine, but not like this.
Push the corner other plugins just because they recommend other plugin in the past ?? there isn’t a chance in the world that you can notify each company recommend a removed plugin from the directory.
The security issue is a minor and you told it your self,
no need to make more panic for no reason.
For the record you appear to be the developer of a successor plugin to the Postman SMTP plugin, which you didn’t disclose here (you left another comment indicating that from the same IP address).
If you read the details of this post, it mentions that they had just made this recommendation, so it wasn’t something from the past, and they made it in part based on the plugin being “Actively supported”, which wasn’t true. The issue wasn’t that they were recommending a plugin that was removed shortly after their recommendation, but that they were using and recommending a plugin with vulnerability that had been publicly disclosed months before.
We never made any claim that we would “notify each company recommend a removed plugin from the directory”, but with our service they could absolutely have avoided a situation like this where they are using and recommending a plugin without knowing that it contains a publicly disclosed vulnerability, as that is exactly what our service does and as we mentioned in the post other similar sources of data would not have. A lot of people don’t understand that sort of thing is possible.