4 Jan 2024

WordPress Plugin Developer Security Advisory: Brainstorm Force

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across those plugins. Instead, many developers are properly securing their plugins, and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with the latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website.

The latest addition to our advisories involves a developer, Brainstorm Force, who has come on to our radar multiple times very recently, but who has, based on our interactions with them, been handling security poorly for years.

A Basic Lack of Understanding of Security

One of the recent instances we ran across them in was something that we had a hard time wrapping our heads around. They recently released an update to a 1+ million install plugin, Elementor Header & Footer Builder, that only had one change: removing security code that should clearly have been in place. How could a developer of such a popular plugin not realize that was not a good idea? We don’t know, but we do know that it introduced a vulnerability into the plugin.

Actually, they reintroduced the vulnerability. More problematically, they had fixed it only weeks before, apparently without understanding that they had done so. Instead, they described the changes to the plugin as being for “Compatibility with WordPress VIP Go rules.”

It isn’t as though the developer doesn’t have the resources to improve their in-house security capability and to hire outside help to assist with getting things up to speed in the meantime, as they recently announced investing six figures into one plugin. By comparison, hiring us to do a security review of this plugin would only cost $200.

New Security Issues Being Introduced

One defense of what happened there might be that the insecure code had been there for some time, but they are still introducing new vulnerabilities as well. That is what we found with a recent update to the 600,000+ install plugin Spectra. The update included new code that is lacking basic security checks in some places. Confusingly, they included those checks in other similar code added in the same update, so there isn’t even consistency within a single update.

In one place where they did manage to include basic security, they also managed to introduce a vulnerability in the code. What makes that stand out more is that this isn’t the first time we have run into that type of vulnerability in one of their plugins.

Over Two Years Later a Vulnerability Still Hasn’t Been Fixed

In another of their 1+ million install plugins, Starter Templates, we reviewed a security change to the plugin and found that it still contained an instance of an authenticated server-side request forgery (SSRF) vulnerability, despite having addressed another instance of that. We notified them of that at the time and they said that they would address it, but they never did. That happened in October 2021.

Avoid Brainstorm Force’s Plugins

Those examples provide clear evidence of a fundamental problem with Brainstorm Force’s handling of security. It should be easy for them to improve the situation from where it was years ago, but that hasn’t happened. They can’t even be bothered to avoid the previous issues or to consistently implement security basics, which would limit the risk of other security mistakes. It isn’t like they don’t have an understanding that security should matter, as shown by a YouTube video from them that we happened across recently on how there are 4 “easy steps” to secure your website from hackers.

We would recommend avoiding their plugins, unless they can show that they have made significant changes to their handling of security.
