3 Apr 2025

6 WordPress Plugins With a Million or More Installs Still Using JavaScript Library That Was EOL’d at End of 2023

As we continue to expand the ability of our Plugin Security Scorecard to detect third-party libraries included with WordPress plugins, we keep finding that popular plugins are not handling their usage of those libraries well. While preparing to notify a plugin developer that they were using a known insecure version of a library, we noticed another library in the plugin that we hadn’t yet added to the tool. That library is Vue.js. Version 2 of it reached end of life at the end of 2023, which means that if a vulnerability or lesser security issue were found in it, an update wouldn’t be released. (There is a scammy security provider claiming to provide further updates for it.)

While working on adding detection for the library, we found that 6 plugins with a million or more installs still contain version 2 of the library. All but one of them are not even using the last release of version 2. The one plugin that is using it is CookieYes, which has a million installs and contains 2.7.16. [Read more]

7 Mar 2025

WordPress Plugin Review Team Failing to Enforce Rule, Which is Leading to Popular Plugins Containing Vulnerable Libraries

As part of our work to expand the ability of our Plugin Security Scorecard to identify security issues in WordPress plugins, we have been increasing the number of third-party libraries it can detect being used in WordPress plugins and incorporating information on vulnerabilities the developers have disclosed in those libraries. One place we have been doing that work is during security reviews of plugins. That led to us adding detection for the library jQuery UI to the tool and warning if plugins contain a version that has any of four vulnerabilities disclosed by the developer to have existed in older versions. In recent weeks, we have published several posts that partially focused on WordPress plugins that are using known vulnerable versions of the library. Those situations don’t paint a pretty picture when it comes to plugins’ usage of third-party libraries.

One of the plugins incorporated a vulnerable version of the library nearly 3 years after it was disclosed by the library’s developer to be vulnerable. [Read more]

23 Jan 2025

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’ Failure to Implement Basic Security

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is whether a backward-looking determination is helpful, or whether past is not prologue here. A week ago, we looked at an example we ran across of a developer continuing to fail. This week we ran across another test of this, as two developers we have released advisories for have new plugins available in the WordPress Plugin Directory.

Awesome Motive

For one of those developers, Awesome Motive, we just issued our advisory on December 11. Nine days later, they introduced the plugin WPConsent to the WordPress Plugin Directory. The issue that led to us finally issuing that advisory was a continued failure to address AJAX accessible functions lacking a capability check in the 6+ million install plugin WPForms, even after fixing a vulnerability caused by that. That is really basic security, so a major plugin developer shouldn’t be failing on that front. Yet that is also the case with WPConsent. [Read more]

18 Dec 2024

WordPress Plugin Review Team Security Reviewer Chris Christoff is Failing to Address Vulnerabilities in Awesome Motive’s Plugins

Last week we released an advisory warning people to avoid plugins from Awesome Motive due to repeated inability or unwillingness to fully fix security issues and vulnerabilities in their plugins. One aspect that is so striking about their failure to do that is that Awesome Motive has a chief security officer. How can you have such bad security in that situation? One explanation would be that someone unqualified was simply given that title. We have seen plenty of instances over the years of just such a situation in the security space. A problem with that explanation is that the CSO, Chris Christoff, is the Security Reviewer on the WordPress Plugin Review Team. We don’t know what he actually does on that team, but the team has throughout his tenure shown a lack of ability to properly review the security of plugins (something we tried unsuccessfully to address with Awesome Motive).

After releasing that advisory, we then needed to compile a list of all of Awesome Motive’s plugins so that we could add a warning for them to the various ways our advisory data is distributed. That isn’t exactly easy, as Awesome Motive is notably not upfront on the WordPress Plugin Directory about which plugins are theirs. The team that runs that, the previously mentioned WordPress Plugin Review Team, could address that, but hasn’t. [Read more]

11 Dec 2024

WordPress Plugin Developer Security Advisory: Awesome Motive

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across plugins. Instead, many developers are properly securing their plugins, and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with the latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

11 Dec 2024

The WordPress Plugin Directory Is Permitting Awesome Motive to Obfuscate Their Connection to WordPress Plugins

As part of our effort to create a better understanding in the WordPress community of the handling of security by the developers of plugins through our new Plugin Security Scorecard, we are trying to collate graded plugins from the same developers. That turns out not to be easy with some of the most prolific developers and it appears intentional on the part of at least one of them.

Awesome Motive doesn’t appear to have a good reputation in the WordPress community, at least to the extent that people are willing to mention their name at all. There is what could be called a toxic positivity in the WordPress community, where only positive things are allowed to be said. So Awesome Motive is often mentioned without mentioning their name. Here was someone willing to name them when talking about one of their many problematic behaviors. [Read more]

17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restrictions on plugins automatically installing additional plugins when setting up a plugin. A couple of the major offenders, when it comes to doing that, have chimed in. Unsurprisingly, they are suggesting not stopping that from happening. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins, as well as introducing additional security risk to the websites, as their plugins have had plenty of security vulnerabilities over the years. While looking into how those players are currently handling that automatic installation, we noticed that a couple of multi-million install plugins from them are tracking usage without users choosing to opt in, and, in the case of Awesome Motive’s 3+ Million Install All in One SEO, without disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled: [Read more]

18 Jan 2024

Awesome Motive Is Claiming That Sucuri Is the Best WordPress Security in 2024 Based on Features It Doesn’t Contain

While doing research for a post, we found that the much maligned Awesome Motive was giving out, no surprise, highly misleading advice to make money for themselves. On one of their websites, they claimed that the Sucuri plugin is the best WordPress security plugin in 2024. In justifying that, they started this way:

Many small businesses consider Sucuri to be the best WordPress plugin for improving your site’s security in 2024, and for good reasons. The Sucuri WordPress plugin has all the security features you need to audit and keep your site protected against malware, brute force login attacks, DDoS, and any other security threats. [Read more]

3 May 2023

Awesome Motive’s Easy Digital Downloads is Still Lacking Basic Security Despite Contrary Claim by Patchstack

Most days we see what appears to be a hacker probing for the usage of a single WordPress plugin with a recently disclosed vulnerability through a single request for a file on each of our websites. Yesterday, we saw them doubling up both on the files they were requesting and the IP addresses being used. The plugin they were looking for was Easy Digital Downloads. It wasn’t hard to guess why, as Patchstack had disclosed how to exploit a serious vulnerability that had been fixed the day before. While reviewing this, we found that there are still security issues that run counter to a central claim made by Patchstack.

Before we get to that, it’s important to note who the developer of the plugin is. That is Awesome Motive. That would be the Awesome Motive that has a chief security officer (CSO) who is also the “security reviewer” on the team running the WordPress Plugin Directory. That would be the Awesome Motive that took two months to fix a publicly known vulnerability in a plugin with 3+ million installs. They frequently acquire existing WordPress plugins, which is how they came to be the developer of this plugin. The vulnerability that was fixed was introduced six months after they had acquired the plugin. [Read more]

4 Apr 2023

Awesome Motive Isn’t Disclosing They Are Trying (and Sometimes Failing) to Fix Vulnerabilities in Their Plugins

Yesterday, Automattic’s WPScan claimed that the latest version of the 1+ million install WordPress plugin WPCode had fixed a vulnerability:

The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders [Read more]
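The two recurring problems in the posts above (an AJAX accessible function lacking a capability check, as in the WPForms and WPConsent items, and an AJAX log-deletion handler with a flawed CSRF check and no containment of the file path, as in the WPCode item) come down to a few lines of code. The following is an added example written for this page; it is not code from any Awesome Motive plugin. It shows a hypothetical log-deletion handler first in the insecure pattern and then hardened. The function names, the `example-logs` directory and the chosen capability are assumptions; `current_user_can`, `check_ajax_referer`, `wp_upload_dir`, `sanitize_file_name`, `wp_unslash`, `wp_send_json_error` and `wp_send_json_success` are the real WordPress API.

```php
<?php
/*
 * Added example (not from WPCode, WPForms or WPConsent): a WordPress AJAX
 * handler that deletes a log file, shown insecure and then hardened.
 * Hypothetical names: example_delete_log_*, the example-logs directory,
 * and the manage_options capability chosen for the check.
 */

// INSECURE PATTERN. Any logged-in user can reach this through
// admin-ajax.php?action=example_delete_log_insecure: there is no
// capability check, no nonce, and the filename is used as supplied, so
// "../../wp-config.php" escapes the log directory.
function example_delete_log_insecure() {
    $dir  = wp_upload_dir()['basedir'] . '/example-logs/';
    $file = $dir . $_POST['file'];
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_log_insecure', 'example_delete_log_insecure' );

// HARDENED VERSION, registered on a separate action name.
function example_delete_log_secure() {
    // 1. Capability check: only users who may manage the plugin get this far.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'example_delete_log' ) in a "nonce" parameter.
    //    check_ajax_referer() dies on a missing or invalid nonce.
    check_ajax_referer( 'example_delete_log', 'nonce' );

    // 3. Path containment. sanitize_file_name() already strips "/" and "\",
    //    so traversal sequences cannot survive it; the realpath() comparison
    //    is defence in depth so a future change to the sanitisation does not
    //    silently reopen the hole.
    $name = isset( $_POST['file'] )
        ? sanitize_file_name( wp_unslash( $_POST['file'] ) )
        : '';
    $dir    = realpath( wp_upload_dir()['basedir'] . '/example-logs' );
    $target = ( '' !== $name && false !== $dir )
        ? realpath( $dir . DIRECTORY_SEPARATOR . $name )
        : false;

    // The resolved target must be a regular file strictly inside $dir.
    // An empty name resolves to $dir itself and is rejected by the prefix test.
    if ( false === $target
        || 0 !== strpos( $target, $dir . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    unlink( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
add_action( 'wp_ajax_example_delete_log', 'example_delete_log_secure' );
```

Two points worth checking when reviewing a plugin for this class of issue: the capability check has to come before anything else the handler does (a nonce alone is not authorization, since nonces are issued to any logged-in user who loads the page that creates them), and the containment check has to be done on the resolved path, after `realpath()`, not on the raw string, otherwise symlinks and encoded traversal can still reach outside the intended directory.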