StellarWP Hasn’t Fixed Vulnerable Plugin Their Own Security Plugin Has Warned About Since Last Week
Earlier today, we looked at a mess created by the developer of a popular library in WordPress plugins, Freemius, and WordPress security provider, Patchstack. Another company playing a supporting role in what was discussed is StellarWP (which is part of Liquid Web). On their homepage, StellarWP makes this strong claim:
The most trusted plugins and people in WordPress.
Also on their homepage, they claim to have 200+ “wp experts” and be in 20+ time zones.
Running contrary to those claims is this message on the support forum for one of their plugins, Restrict Content:
iThemes Security scans just started reporting this plugin as vulnerable.
Since the Restrict Content plugin and iThemes Security are both part of StellarWP, I wondered – could this be a false-positive?
But then according to the PatchStack report at https://patchstack.com/database/vulnerability/restrict-content/wordpress-restrict-content-plugin-3-2-4-reflected-cross-site-scripting-xss-vulnerability apparently this is a verified issue because Restrict Content still implements the Freemius library.
I just read this review of Restrict Content – https://wordpress.org/support/topic/please-remove-freemius/#post-16073058 – from 9 months ago, and although I agree that it should not have warranted a 1-star review, it turns out that the reviewer was onto something.
Now I wonder – will this become something that StellarWP is going to patch? Or will this become something that every plugin using the Freemius library versions 2.5.10 will be affected by, and is ultimately the solution going to be a patch from Freemius?
I’m sure it will get sorted, given the popularity of all plugins under StellarWP and the fact that Restrict Content is such a great plugin, but I must admit it’s a little disconcerting at the moment.
Any input from devs?
The vulnerability involves a security issue that the developer of Freemius was warned of in February of last year but didn’t resolve at the time. Instead, they responded by lying about the reporter of the issue. StellarWP has continued to use the library despite that.
As was discussed in the previous post, Patchstack didn’t actually verify things, as they have claimed that plugins with a fixed version of Freemius, and even ones not using it at all, are somehow vulnerable. (Patchstack’s lack of verification is a common problem.) But a vulnerable version of Freemius is in the Restrict Content plugin.
While that message was written on July 21, the data source for StellarWP’s security plugin iThemes Security (which is being rebranded to Solid Security) has been warning about the vulnerability since July 18.
StellarWP responded to that message this way on the same day:
Hi @anotherdave , thank you for your report. We are going to make sure that we update the Freemius library to the latest version since this XSS is not in core RC.
As of now, an update to address this still hasn’t been released, despite the fix simply involving swapping in the new version of Freemius.