One of the more troubling aspects of the poor security of WordPress plugins is that so many companies are both handling the security of their plugins rather poorly and trying to profit from the insecurity that they are helping to create. We discussed one example of that a year ago, involving plugin developer 10Web’s poor handling of the security of their plugins, while selling a security service and partnering with another company that is trying to profit off the insecurity, Patchstack. That post dealt in part with 10Web’s failed attempt to a fix a vulnerability in the Event Calendar WD (EventCalendar) plugin and the subsequent failure to get that resolved after we let them know it hadn’t been fixed. While the partnership with Patchstack was supposed to improve the security of the WordPress ecosystem, it didn’t even lead to 10Web’s plugins being properly secured.
On Monday, Event Calendar WD was closed on WordPress Plugin Directory. Unhelpful for those using it, no explanation was provided on why it was closed (as is the case with all plugin closures there). As at least one of our customers is using the plugin, we took a look to see if there might be a serious vulnerability that could have led to the closure, which we should be warning them about. We didn’t find such a vulnerability. But just in the limited checking we did for that, we found various security issues with the plugin. We confirmed there is at least one vulnerability and there are likely others. [Read more]