WordPress Plugin Developer Security Advisory: Genetech Solutions
One of the little understood realities of WordPress plugin security is that insecurity is not evenly spread across plugins. Many developers properly secure their plugins, and others get them properly secured once alerted that they haven’t, while some are either unable or unwilling to properly secure their plugins. That includes situations where developers have introduced new serious vulnerabilities substantially similar to vulnerabilities that they know have been exploited in their plugins.
When we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers’ plugins. In addition to the posts on our website, we provide access to the advisory information in several other forms: through the companion plugin for our service (even when not using the service), through a web browser extension, and through separate data accessible from our website.
Genetech Solutions is the developer of the plugin Pie Register. That is a plugin you would hope is developed by people with a good handle on security, as it handles user registration and logging users in to WordPress. That hasn’t been the case: there have been multiple serious vulnerabilities found in the plugin related to that functionality, including vulnerabilities that allowed gaining access to WordPress accounts with the Administrator role, disclosed in 2014, 2015, and again last year.
At the end of March we noticed what looked to be a hacker probing for usage of that plugin, and found that it contained yet another vulnerability that hackers would be interested in exploiting: an authenticated arbitrary file upload vulnerability, caused by insecure code for allowing the installation of WordPress plugins. Genetech Solutions made an only partially successful attempt to fix this vulnerability, again failing to apply basic security, so it still exists in the latest version, though it would only be exploitable in limited circumstances (the plugin remains in the WordPress Plugin Directory despite that).
While working on improvements to our detection system and our firewall plugin related to that type of vulnerability, we found that, over a month later, they still hadn’t even attempted to secure the same plugin installation code in another of their plugins, Page Builder Addons for WPBakery. The lack of care for security isn’t surprising given their track record, but it is a good reason to avoid using their plugins.
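To make concrete what "basic security" means for plugin-installation code of the kind described in the two preceding paragraphs, here is an added illustration written for this post. It is not Genetech Solutions' code and does not reproduce either plugin; the hook names, nonce action and form field name are assumptions for illustration. The first handler shows the general shape of an authenticated arbitrary file upload (any logged-in user can reach a handler that unpacks their archive into the plugins directory), and the second shows the same feature with the checks WordPress core's own installer relies on.

```php
<?php
/**
 * Added example (not Genetech Solutions' code). Hook names, the nonce action
 * 'example_install_plugin' and the $_FILES key 'plugin_zip' are assumed.
 */

// --- Insecure pattern: an "authenticated" arbitrary file upload.
// wp_ajax_* actions fire for every logged-in user, including subscribers,
// so without a capability check any account can reach this handler.
add_action( 'wp_ajax_example_install_plugin_insecure', 'example_install_plugin_insecure' );
function example_install_plugin_insecure() {
    $zip  = $_FILES['plugin_zip']['tmp_name'];
    $dest = WP_CONTENT_DIR . '/plugins/';

    WP_Filesystem();
    // No nonce, no capability check, no validation of the archive contents:
    // whatever PHP the attacker zipped is now web-reachable under
    // wp-content/plugins, i.e. arbitrary code execution.
    unzip_file( $zip, $dest );
    wp_send_json_success( 'installed' );
}

// --- Hardened pattern: same feature, same entry point, with the checks
// wp-admin/update.php performs before core installs an uploaded plugin.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin' );
function example_install_plugin() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_install_plugin', '_ajax_nonce' );

    // 2. Authorization, not just authentication: only users who may install
    //    plugins proceed. map_meta_cap() already denies this capability when
    //    DISALLOW_FILE_MODS is set, so that hosting policy is honoured too.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Let core do the upload and install. File_Upload_Upgrader moves the
    //    upload via wp_handle_upload(), and Plugin_Upgrader::install() unpacks
    //    into a working directory and, through check_package(), refuses the
    //    archive unless it contains a file with a valid plugin header before
    //    anything is moved into wp-content/plugins.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $file_upload = new File_Upload_Upgrader( 'plugin_zip', 'package' );
    $upgrader    = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result      = $upgrader->install( $file_upload->package );

    // Remove the uploaded archive from the uploads directory either way.
    $file_upload->cleanup();

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed' );
    }
    wp_send_json_success( 'installed' );
}
```

The two checks at the top of the hardened handler are the ones that separate "authenticated" from "authorized": a plugin-install feature exposed through `wp_ajax_*` is reachable by every account on the site, so `current_user_can( 'install_plugins' )` is what keeps a subscriber-level account from uploading code, and the nonce keeps an administrator from being tricked into doing it for them. Handing the archive to `Plugin_Upgrader` instead of calling `unzip_file()` directly adds the plugin-header check and keeps the extraction out of the live plugins directory until the package has been inspected.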