WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce.

On November 10, we warned the plugin contained a vulnerability that allows anyone logged in to WordPress to reset the plugin’ settings, which allows them to disable functionality of the plugin. The plugin was subsequently closed. A new version, 2.1.3, was later submitted (confusingly, the changelog lists it as being from October 10, 2022). The new version doesn’t fix the vulnerability. It does make a security change to similar code. Though that code doesn’t appear to actually be accessible in the plugin and the change is incomplete, as the developer failed to include a capabilities check, an issue we noted is a common problem. The plugin was subsequently reopened.

That there was a failure to make sure the vulnerability was actually addressed isn’t all that surprising, as there are only four members of the team who run that. The lack of team members isn’t because of a lack of interest, but the current team members blocking others from joining. One of the members, Chris Christoff, is listed as the Security Reviewer, and they state they are being sponsored in their involvement by Awesome Motive.

As we noted at the time we warned about this vulnerability, the developer of WooCommerce, Automattic, could easily help to prevent vulnerabilities like the one in this plugin, but they are not.

WordPress Security Providers Not Warning About Vulnerability

As this situation shows, you can’t rely on WordPress to even manage to not distribute plugins it knows are vulnerable, but can you rely on WordPress security providers that claim to warn about vulnerable plugins to do so?

The aforementioned Automattic offers a service that is supposed to do that, WPScan. That is marketed on its homepage with the claim that you will “[b]e the first to know about vulnerabilities affecting” your WordPress plugins, but it still isn’t warning about this vulnerability three weeks later:

Another service, Patchstack markets itself with the claim that you will “[b]e notified instantly when there is a new security vulnerability present on any of your sites.” and that “Patchstack monitors security of all WordPress core, plugin and theme versions in real-time.” It also isn’t warning about this yet:

Another provider, Wordfence, when marketing their Wordfence Intelligence service, claims their data on WordPress plugin vulnerabilities is “continuously updated in real-time as new vulnerabilities in WordPress software such as plugins and themes are discovered and disclosed”, that it is “comprehensive and extremely current”, and that it is “actively maintained by some of the top WordPress vulnerability researchers in the industry”. Despite that, we just checked their data through their Wordfence Security plugin and they are not warning that the plugin contains a vulnerability.