4 Jun 2021

Our First Check of the Security of ClassicPress Plugins Found a Minor Vulnerability

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now brought similar monitoring to the Plugin Directory for the WordPress fork ClassicPress. That directory includes both plugins developed for ClassicPress and some plugins taken directly from the WordPress Plugin Directory.

The structure of ClassicPress’ directory is different, so instead of checking over the changes being made, as we can do with WordPress, we check over all the plugins we can download at regular intervals. At this point we cannot process them all in an automated way because of a couple of issues with easily getting access to the download links (those might be in the process of being resolved), but we were able to check a significant number of them earlier this week and none of them had any code that was flagged. [Read more]

3 Sep 2019

Two Additions to Our Security Reviews of WordPress Plugins

Like everything else we do, we are always looking for ways to improve the security reviews of WordPress plugins that we do as part of our main service, as well as as a separate service. With our recent reviews we have been testing out the following two additional checks as part of the reviews:

  • Security issues with functions accessible through the admin_post action
  • Security issues with usage of the extract() function

Based on what we have seen with those, some of which relates to a widespread security issue we will be discussing in the context of one of the reviews whose results we will be releasing soon, we have now added those checks to our standard roster of items being checked. [Read more]
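To show what those two checks look for, here is an added example (not code from the original post or from any plugin we have reviewed) using a hypothetical plugin with a settings form submitted to admin-post.php. The plugin name, option name, action names and nonce names are all made up. Functions hooked to admin_post_{action} run for any logged-in user, whatever their role, and admin_post_nopriv_{action} runs for unauthenticated requests, so the hook itself provides no authorization. extract() on request data imports every submitted key as a local variable, so with the default EXTR_OVERWRITE it lets the request overwrite variables the developer expected to control. The vulnerable handler is shown beside a hardened one:

```php
<?php
// Added example (hypothetical plugin "myplugin"); not code from the post.

// VULNERABLE: reachable by any logged-in user via
// admin-post.php?action=myplugin_save_v1, no capability check, no nonce
// check, and extract($_POST) lets a POST field named "option_name"
// overwrite the local $option_name, so the attacker chooses which
// option gets written and with what value.
function myplugin_save_vulnerable() {
    $option_name = 'myplugin_settings';  // overwritten if POST contains option_name
    extract( $_POST );                   // every POST key becomes a local variable
    update_option( $option_name, $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_v1', 'myplugin_save_vulnerable' );

// HARDENED: capability check first, then nonce check, then explicit
// reads of the specific fields we expect, sanitized; no extract().
function myplugin_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the nonce field is missing or invalid.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'myplugin_settings', $value );  // option name is fixed in code

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_v2', 'myplugin_save_hardened' );

// Settings form that targets the hardened handler; wp_nonce_field() emits
// the hidden field that check_admin_referer() verifies above.
function myplugin_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_v2">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="value">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for these two items, the quick first pass is to list every add_action call whose hook starts with admin_post_ or admin_post_nopriv_ and every call to extract(), then confirm for each handler that a capability check and a nonce check precede any write, and that extract() is never applied to $_GET, $_POST, $_REQUEST or other request-derived arrays.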

5 Jan 2018

You Can Now See the Details of Possible Issues Identified by Our Plugin Security Checker

Since we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, we have had a lot of interest in it and it has brought in additional business for both our main service and our separate security reviews. That is good for us, but also for everyone using WordPress, as it allows us to do more to improve the security of WordPress plugins (which it looks like we are already doing much more of than anyone else).

One thing users of the tool have shown a lot of interest in involves an area of plugin security that we hadn’t really considered in the past: custom plugins. Plugins in the Plugin Directory can be checked for particular issues en masse by anyone (with the ability to handle the results being limited by the time it would take to contact the developers and possibly work with them to fix the issues), and even commercial plugins can be checked to some extent by outside parties, but custom plugins can’t take advantage of that. With our tool, custom plugins can get closer to that kind of checking. It also helps to improve the security of publicly available plugins, as the capability to check plugins in the Plugin Directory is freely available, while checking plugins not in it requires using our service. [Read more]

20 Nov 2017

Our Plugin Security Checker Can Now Check WordPress Plugins Not in the Plugin Directory

We are currently waiting on several plugins to have security issues fixed, issues identified in part based on the results of our recently introduced tool for doing limited automated security checks of WordPress plugins, so that we can discuss real world examples of how the tool can play a useful role in checking on the security of plugins.

One of the plugins we are waiting on shows the kind of problems that come up when trying to get vulnerabilities fixed in WordPress plugins. The developer responded that the issues we notified them of had been fixed, but when we checked the new version we found that only the two issues we had identified as much less serious had been fixed. We had mainly mentioned those two because they were the issues picked up by the tool and we would be mentioning them in our post. For the issue we mentioned first in our message to the developer and identified as the more serious one, no change was made. [Read more]

24 Oct 2017

Our New Tool for Doing Limited Automated Security Checks of WordPress Plugins

Last week, in discussing a couple of examples of things that are not actually ways you can determine whether you should use a WordPress plugin from a security perspective, we mentioned that the only good way to determine if a plugin is secure is to have a security review done. While that isn’t something that seems like it could really be automated at this time (nor does it seem that it will be any time soon), based on some of the work we do as part of our service we know it is possible to identify the possibility of some security issues in plugins in an automated fashion, which can help to identify whether a plugin is in greater need of a proper security review.

Recently we have been working on a tool that provides the public with the results of checks for some possible issues and that can now be found here. [Read more]

4 Nov 2016

You Now Decide What Plugins We Will Be Doing Security Reviews Of

As part of the work we have been doing for the service we have been steadily increasing our ability to spot security vulnerabilities and lesser security issues in plugins. That is due to a variety of different activities, from reviewing reports of vulnerabilities discovered by others when adding them to our data, to finding vulnerabilities that hackers would target in plugins that we see hackers probing for. In the past we have used some of the knowledge gained through that to check for specific vulnerabilities in wider sets of plugins and found a number of vulnerabilities. That knowledge could also be used to more thoroughly review a single plugin and check it for a number of security issues, which is something we have decided to start doing.

In doing that, though, the question is what plugins we should review, and what we came up with was allowing our customers to decide that. This provides additional value to the service, beyond letting you know what vulnerabilities exist and previously existed in the plugins you use (as well as helping you to best handle it if a vulnerability in a plugin you use hasn’t been fixed). To accomplish that we have set up a new page where customers can suggest plugins to be reviewed and can vote in favor of plugins already suggested by others. [Read more]

19 Sep 2016

We Now Let You Know How Likely It Is That a WordPress Plugin Vulnerability Will Be Exploited

Recently we have been looking at ways to improve the data we provide on WordPress plugin vulnerabilities through our service. Three weeks ago we started including data on false reports of vulnerabilities in the plugins you have installed. Today we have added a rating of the likelihood that a vulnerability will be exploited to the service’s data presented in the plugin and in the email alerts you receive if the currently installed version of one of your plugins has a vulnerability. Once you have updated the service’s companion plugin to the newly released 2.0.22 you will start getting that.

Before we get into the details of that, we thought it would be useful to explain why we thought this would be a good addition to the service. Something we often see is that really minor vulnerabilities, ones that have almost no chance of someone trying to exploit them on a website, are presented by security companies and the press as major concerns. The press often makes a big deal of minor vulnerabilities in very popular plugins that never get exploited, while not covering vulnerabilities in lesser used plugins that lead to thousands of websites being hacked. We also sometimes see people immediately removing a plugin with a minor vulnerability when they could have safely waited for a fix to be put out. [Read more]

29 Aug 2016

False Reports of Vulnerabilities In Installed Plugins Are Now Listed As Well

When adding a new WordPress plugin vulnerability to the data set for our service we test out the vulnerability. That allows us to do several important things for our customers, which you won’t get with other data providers, who don’t do that.

First, we can warn you when the vulnerability hasn’t actually been fixed, despite a claim to the contrary in the advisory. Once a vulnerability has been disclosed the chances of it being exploited increase, so knowing that you are still vulnerable is important in that instance. If you are using a service that doesn’t do this, you would need to check out each vulnerability yourself to ensure it has actually been fixed. [Read more]

11 Mar 2016

Get Alerted When WordPress Plugin Developers Are Not Taking Security Seriously

With our service you get alerted if any of the WordPress plugins you have installed have a vulnerability in the installed version. You can also see what vulnerabilities they have had in other versions, which is something you might use to determine whether you should continue using a plugin. The problem with trying to do that is that it isn’t always easy. If you are not dealing with this type of thing on a regular basis there is a good chance you wouldn’t have the knowledge as to which security issues are of little concern and which are a major concern going forward. You would also have to dig in to see if the developer has a pattern of not responding in a timely fashion when a vulnerability is discovered, which can have a significant impact on whether the vulnerability will get exploited. Since we already come in contact with that type of information, we thought it would be useful to start using the knowledge we are collecting to make it easier to find out if the security practices of plugin developers are lacking, by putting out advisories for developers that have serious issues.

The idea for this also came up because, unfortunately, we are seeing developers who are doing a really bad job of making sure their plugins are secure. The first advisory we released involves a company that has not been taking basic security measures, had a really serious vulnerability in one of their plugins, doesn’t respond in a timely manner when contacted about security issues, and takes weeks to fix them. The subject of the second one has repeatedly fixed only part of the security issues reported to them. [Read more]