WordPress Plugins With at Least 150,000+ Installs Using Versions of Third-Party Library With Recently Disclosed Security Vulnerabilities
As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That is already helping to identify WordPress plugins that are using libraries with known vulnerabilities. Earlier this week, we noted that a plugin with 600,000+ installs was still using a vulnerable version of a library 17 months after an update was released. In that situation, we found that the developer had not released a security advisory through the GitHub project for the vulnerability. With another library, the developer recently released a couple of advisories, and we found that several fairly popular plugins are using an affected version of the library.
The library is PhpSpreadsheet, and the advisories were released on August 28. The plugins are all using version 1.x of the library, and the update for that release line was released on September 2.
One of the affected plugins is Link Whisper Free, which has 30,000+ installs and had already been run through the Plugin Security Scorecard. Grading that plugin led us to add information about the library to the tool and then to add a check for usage of older versions of the library.
While looking into that, we used another tool to check whether other plugins might be using the library. We found that the plugins Advanced Contact form 7 DB, which has 80,000+ installs, and WP Import Export Lite, which has 40,000+ installs, also include a vulnerable version of the library.
We notified the developers of those plugins about their usage of an outdated version of the library with disclosed security vulnerabilities.
There look to be more plugins that are impacted by this. If those plugins are graded through the Plugin Security Scorecard, the results will warn about the outdated library. The tool recommends that the developer be notified of issues flagged by the tool. The issue will also be flagged in the backend of the tool, and we would then attempt to notify the developer about that particular issue as well.
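To make the library check concrete, here is an added example script (ours, not the Plugin Security Scorecard's code and not any plugin's code) that walks a wp-content/plugins tree, reads the Composer metadata each plugin ships (vendor/composer/installed.json or composer.lock), and flags bundled PhpSpreadsheet copies whose recorded version is below a per-release-line minimum. It also surfaces copies vendored without any metadata, since those cannot be cleared automatically. The FIXED_BY_MAJOR thresholds and the sample plugin layout are constructed placeholders, not the real patched version numbers from the advisories.

```python
"""Inventory bundled copies of PhpSpreadsheet under a WordPress plugins tree
and flag copies older than a per-release-line minimum. Added example; the
thresholds below are placeholders (assumption), not the advisory's numbers."""
import json
import os
import re
import tempfile
from pathlib import Path

LIBRARY = "phpoffice/phpspreadsheet"  # Composer package name of PhpSpreadsheet

# Placeholder minimum patched version per major release line (assumption);
# take the real numbers from the library's GitHub security advisories.
FIXED_BY_MAJOR = {1: "1.90.0", 2: "2.90.0"}


def parse_version(text):
    """'v1.29.0' -> (1, 29, 0); pads missing parts with 0 and drops any
    pre-release or build suffix, which is adequate for a floor comparison."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    nums = [int(n) for n in re.findall(r"\d+", core)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def _packages(data):
    """Composer 1 wrote installed.json as a bare list; Composer 2 wraps it in
    {"packages": [...]}; composer.lock uses "packages" and "packages-dev"."""
    if isinstance(data, list):
        return data
    return list(data.get("packages", [])) + list(data.get("packages-dev", []))


def find_phpspreadsheet(plugins_root):
    """Return one dict per bundled copy: {"plugin", "version", "evidence"}.
    A vendored copy with no Composer metadata gets version None so it is
    surfaced for manual checking instead of being silently missed."""
    root = Path(plugins_root)
    findings, vendored_dirs = [], {}
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root).parts
        slug = rel[0] if rel else "(root)"  # first path component = plugin slug
        # Metadata files record the exact installed version of each package.
        for fname in ("installed.json", "composer.lock"):
            if fname not in filenames:
                continue
            path = d / fname
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or not JSON: skip rather than abort the scan
            for pkg in _packages(data):
                if isinstance(pkg, dict) and pkg.get("name") == LIBRARY:
                    findings.append({"plugin": slug, "version": pkg.get("version"),
                                     "evidence": str(path)})
        # The library's own source directory, for copies shipped without metadata.
        if d.name == "phpspreadsheet" and d.parent.name == "phpoffice":
            vendored_dirs.setdefault(slug, str(d))
    with_metadata = {f["plugin"] for f in findings}
    for slug, path in vendored_dirs.items():
        if slug not in with_metadata:
            findings.append({"plugin": slug, "version": None, "evidence": path})
    return findings


def flag_outdated(findings, fixed_by_major=FIXED_BY_MAJOR):
    """Return (finding, reason) pairs for every copy that needs attention."""
    flagged = []
    for f in findings:
        if f["version"] is None:
            flagged.append((f, "no version metadata; verify manually"))
            continue
        ver = parse_version(f["version"])
        if ver[0] not in fixed_by_major:
            flagged.append((f, "release line %d not covered by policy" % ver[0]))
        elif ver < parse_version(fixed_by_major[ver[0]]):
            flagged.append((f, "below patched version %s" % fixed_by_major[ver[0]]))
    return flagged


def build_demo_tree(base):
    """Constructed sample plugins directory (not real plugin contents)."""
    base = Path(base)
    a = base / "plugin-a" / "vendor" / "composer"  # Composer 2 metadata, old 1.x
    a.mkdir(parents=True)
    (a / "installed.json").write_text(json.dumps(
        {"packages": [{"name": LIBRARY, "version": "1.28.0"}]}))
    (base / "plugin-a" / "vendor" / "phpoffice" / "phpspreadsheet").mkdir(parents=True)
    b = base / "plugin-b"  # lock file, version at the placeholder threshold
    b.mkdir()
    (b / "composer.lock").write_text(json.dumps(
        {"packages": [{"name": LIBRARY, "version": "v1.90.0"}], "packages-dev": []}))
    c = base / "plugin-c" / "vendor" / "phpoffice" / "phpspreadsheet" / "src"
    c.mkdir(parents=True)  # vendored source, no metadata at all
    (c / "Spreadsheet.php").write_text("<?php // vendored copy, no metadata\n")
    d = base / "plugin-d" / "vendor" / "composer"  # unrelated library only
    d.mkdir(parents=True)
    (d / "installed.json").write_text(json.dumps([{"name": "other/lib", "version": "3.0.0"}]))


def run_demo():
    """Build the sample tree in a temp dir and return (findings, flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        findings = sorted(find_phpspreadsheet(tmp), key=lambda f: f["plugin"])
        return findings, flag_outdated(findings)


if __name__ == "__main__":
    for finding, reason in run_demo()[1]:
        print("%-10s %-8s %s" % (finding["plugin"], finding["version"], reason))
```

Point find_phpspreadsheet at a real wp-content/plugins directory and replace FIXED_BY_MAJOR with the patched versions named in the advisories; copies reported with version None need a manual look at the vendored source, because a plugin that copies the library in without Composer metadata gives the scanner nothing to compare.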
Plugin Security Scorecard Grade for Advanced Contact form 7 DB
Checked on September 5, 2024
Plugin Security Scorecard Grade for Link Whisper Free
Checked on August 21, 2024