Developers of Beaver Builder Didn’t Disclose They Were Updating Known Vulnerable Library in Plugin
Over the past couple of weeks we have been posting about popular WordPress plugins that use outdated versions of third-party libraries, versions that the developers of those libraries have disclosed to contain security issues. In those cases the plugin developers hadn’t fixed the problem, including one instance where the developer was notified back at the end of October. With Beaver Builder, another plugin using a vulnerable version of the same library, DOMPurify, the developers at least updated the library after we notified them of the issue. We don’t know if they were notified of it before; you would hope they would have been, since the library’s developer disclosed the vulnerability on October 24. What the developers of Beaver Builder didn’t do is disclose that they were doing that.
They don’t provide any changelog on the WordPress plugin directory:
On the page they link to there, they have this information for the latest version of the plugin:
Hotfix
- Callout Module: Fix PHP notice showing after upgrading from previous versions
Despite that, the DOMPurify library was updated in the new version of the plugin.
This is yet another reminder that it is a bad idea to try to pick and choose which plugins to update based on claims about whether they include security updates (as other WordPress security providers unfortunately keep pushing when promoting themselves).
As part of our work on our Plugin Security Scorecard, we note when we run across plugins that are not disclosing security updates in the changelog. That tool will also alert you if other plugins are using a vulnerable version of DOMPurify, as well as a growing number of other vulnerable versions of libraries.
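Since a changelog can't be relied on to tell you whether a bundled library was updated, the check has to be made against the plugin's files themselves. The script below is an added example (not code from Plugin Vulnerabilities, the Scorecard tool, or the Beaver Builder project) of how such a check can work for DOMPurify: it walks a plugin directory, reads the version marker that DOMPurify's published builds carry (the `@license DOMPurify x.y.z` header comment and the `DOMPurify.version = 'x.y.z'` assignment; both patterns are assumptions about the build output, so adjust them if a bundled copy differs), and compares it against a minimum safe version you supply. The minimum version used in the demo, `9.9.9`, is a constructed placeholder, not the real fixed version, which this post does not state; look it up from the library's own advisory.

```python
import re
import tempfile
from pathlib import Path

# Version markers found in DOMPurify's distributed builds (assumed from the
# published dist files; both the header comment and the runtime assignment).
VERSION_PATTERNS = [
    re.compile(r"@license DOMPurify (\d+\.\d+\.\d+)"),
    re.compile(r"DOMPurify\.version\s*=\s*['\"](\d+\.\d+\.\d+)['\"]"),
]


def parse_version(version: str) -> tuple:
    """Turn 'x.y.z' into an integer tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def extract_dompurify_version(text: str):
    """Return the DOMPurify version embedded in a JS file, or None if absent."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def is_outdated(found: str, min_safe: str) -> bool:
    """True when the bundled version is older than the minimum safe version."""
    return parse_version(found) < parse_version(min_safe)


def scan_plugin_dir(root, min_safe: str) -> list:
    """Walk a plugin directory and report every bundled DOMPurify copy.

    Each finding records the file, the version found and whether it is
    below the supplied minimum safe version.
    """
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="ignore")
        version = extract_dompurify_version(text)
        if version is None:
            continue
        findings.append(
            {
                "file": str(path.relative_to(root)),
                "version": version,
                "outdated": is_outdated(version, min_safe),
            }
        )
    return findings


def demo_scan() -> list:
    """Build a constructed plugin tree and scan it (placeholder versions only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        # Constructed minified build with an old header comment.
        (root / "js" / "purify.min.js").write_text(
            "/*! @license DOMPurify 1.2.3 | (c) Cure53 and other contributors */\n"
            "!function(){}();\n",
            encoding="utf-8",
        )
        # Constructed unminified build carrying the runtime assignment.
        (root / "js" / "purify.js").write_text(
            "var DOMPurify = {};\nDOMPurify.version = '9.9.9';\n",
            encoding="utf-8",
        )
        # Unrelated file that must not be reported.
        (root / "js" / "frontend.js").write_text("console.log('x');\n", encoding="utf-8")
        # '9.9.9' is a constructed placeholder for the minimum safe version.
        return scan_plugin_dir(root, "9.9.9")


if __name__ == "__main__":
    for finding in demo_scan():
        status = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{finding['file']}: DOMPurify {finding['version']} [{status}]")
```

Run this against an installed plugin directory (for example `wp-content/plugins/<plugin>`) with the real minimum safe version in place of the placeholder; a plugin can carry more than one copy of the library, which is why every match is reported rather than just the first.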