AI Helps to Detect Vulnerability Being Introduced into a 1+ Million Install WordPress Plugin
The WP Tavern recently ran a story claiming that the security of WordPress plugins is getting better because more vulnerabilities are being discovered:
The report emphasized that the increase in the number of vulnerabilities reported means that the ecosystem is becoming more secure, as a result of more security issues being found and patched.
There are a whole host of issues with that claim and with the accuracy of the data that is supposed to back claims like it up. One issue is that this claim keeps getting made, year after year, while the security problems continue unabated. Another is that it assumes that vulnerabilities are not being introduced faster than they are being found. Those two came together in a quote from another WP Tavern post, from August 2021:
“Vulnerabilities aren’t being introduced as frequently and more vulnerabilities are being detected simply due to the higher activity of researchers which is in turn positively impacting the security of the WordPress ecosystem. Considering it isn’t newly introduced vulnerabilities that are being frequently discovered, I feel confident in saying that the increase in discoveries doesn’t indicate that the ecosystem is getting less secure at all but rather getting more secure.”
If new vulnerabilities are not being discovered, that might not be because they are not being introduced, but because detection methods are failing to catch them. Even very popular plugins are still having serious vulnerabilities introduced into them without those being caught quickly, as was recently the case with UpdraftPlus and WooCommerce Payments, which suggests that plenty of new vulnerabilities are going undetected.
One method to better detect vulnerabilities would be to use a machine learning (artificial intelligence, or AI) based system. Since last year, we have had some success using such a system for a related purpose: detecting whether an attempt has been made to fix a vulnerability in a WordPress plugin. We have been developing another system to detect vulnerabilities being introduced, which so far hasn’t delivered the same results. That isn’t all that surprising, for a number of reasons, including the more complicated nature of the code that needs to be detected and the slower growth in the amount of data we have to feed to the system.
For the first time, we have had the system catch a vulnerability being introduced into a plugin. We currently run all the changes being made to the plugins in the WordPress Plugin Directory that are used by our customers, as well as to plugins with a million or more installs, through the system. That flagged the latest change made to the 1+ million install plugin XML Sitemaps. It took us only seconds to confirm that a vulnerability was indeed being introduced into the plugin: new code for a “beta testing program” allows even those not logged in to WordPress to provide consent for that. As detailed in a more technical post, the developer failed to include basic security checks in that code.
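To make the kind of "basic security checks" at issue concrete, here is an added, illustrative example of a consent-saving admin-ajax handler written in the shape that pattern usually takes, alongside a hardened version. This is constructed for this post; it is not the XML Sitemaps plugin's code, and the hook, option and function names (example_beta_consent and so on) are assumptions. It only runs inside WordPress.

```php
<?php
// Added illustrative example, not the XML Sitemaps plugin's code. All names
// (example_beta_consent, the option key, the script handle) are assumptions.

// BEFORE: the pattern the post describes. Registering the callback on the
// wp_ajax_nopriv_ hook as well means visitors who are not logged in reach it,
// and with no nonce or capability check anyone can change the site-wide
// setting. (Shown under a distinct action name so both versions can coexist.)
function example_beta_consent_unchecked() {
    update_option( 'example_beta_consent', isset( $_POST['consent'] ) ? 1 : 0 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_beta_consent_unchecked', 'example_beta_consent_unchecked' );
add_action( 'wp_ajax_nopriv_example_beta_consent_unchecked', 'example_beta_consent_unchecked' );

// AFTER: no nopriv registration, so only logged-in users reach the handler;
// the request must carry a valid nonce tied to this action; and the user
// must hold a capability appropriate for changing a site-wide setting.
function example_beta_consent_checked() {
    // Dies with a 403-style response when the nonce is missing or invalid.
    check_ajax_referer( 'example_beta_consent', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Normalise the input to exactly 0 or 1 before storing it.
    $consent = ( isset( $_POST['consent'] ) && '1' === $_POST['consent'] ) ? 1 : 0;
    update_option( 'example_beta_consent', $consent );
    wp_send_json_success( array( 'consent' => $consent ) );
}
add_action( 'wp_ajax_example_beta_consent', 'example_beta_consent_checked' );

// The nonce the client must send is minted server-side when the admin page's
// script is enqueued (script file and handle are assumptions), so the browser
// JavaScript can include it as the 'nonce' POST field.
function example_beta_consent_enqueue() {
    wp_enqueue_script(
        'example-beta-consent',
        plugins_url( 'beta-consent.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-beta-consent', 'exampleBetaConsent', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_beta_consent' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_beta_consent_enqueue' );
```

When reviewing a plugin change like the one flagged above, the three things to look for in a new handler are exactly the three the hardened version adds: whether it is reachable without logging in (a wp_ajax_nopriv_ hook, or a public REST route or front-end request), whether it verifies a nonce for the specific action, and whether it checks a capability that matches the sensitivity of what it changes. A handler that writes a site-wide option without all three is the shape the system flagged here.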
That a plugin with at least a million installs is getting new code added to it that lacks even basic security is a good indication that the claim that plugins are getting more secure isn’t based in reality.
Getting better at detecting vulnerabilities being introduced isn’t the best option for protecting WordPress websites from plugin vulnerabilities; it would be better for them not to be introduced in the first place. But with little interest from WordPress in addressing the problem of plugin security (and sometimes hostility to doing so), supporting solutions that work to do that can better protect WordPress websites than other options.