7 Mar 2025

WordPress Plugin Review Team Failing to Enforce Rule, Which is Leading to Popular Plugins Containing Vulnerable Libraries

As part of our work to expand the ability of our Plugin Security Scorecard to identify security issues in WordPress plugins, we have been increasing the number of third-party libraries it can detect being used in WordPress plugins and incorporating information on vulnerabilities the developers have disclosed in those libraries. One place we have been doing that work is during security reviews of plugins. That led to us adding detection for the library jQuery UI to the tool and warning if plugins contain a version affected by any of four vulnerabilities that the developer disclosed to have existed in older versions. In recent weeks, we have published several posts that partially focused on WordPress plugins that are using known vulnerable versions of the library. Those situations don’t paint a pretty picture when it comes to plugins’ usage of third-party libraries.

One of the plugins incorporated a vulnerable version of the library nearly 3 years after it was disclosed by the library’s developer to be vulnerable. [Read more]

18 Dec 2024

WordPress Plugin Review Team Security Reviewer Chris Christoff is Failing to Address Vulnerabilities in Awesome Motive’s Plugins

Last week we released an advisory warning people to avoid plugins from Awesome Motive due to their repeated inability or unwillingness to fully fix security issues and vulnerabilities in their plugins. One aspect that is so striking about their failure to do that is that Awesome Motive has a chief security officer. How can you have such bad security in that situation? One explanation would be that someone unqualified was simply given that title. We have seen plenty of instances over the years of just such a situation in the security space. A problem with that explanation is that the CSO, Chris Christoff, is the Security Reviewer on the WordPress Plugin Review Team. We don’t know what he actually does on that team, but throughout his tenure the team has shown a lack of ability to properly review the security of plugins (something we tried unsuccessfully to address with Awesome Motive).

After releasing that advisory, we then needed to compile a list of all of Awesome Motive’s plugins so that we could add a warning for them to the various ways our advisory data is distributed. That isn’t exactly easy, as Awesome Motive is notably not upfront on the WordPress Plugin Directory about which plugins are theirs. The team that runs that, the previously mentioned WordPress Plugin Review Team, could address that, but hasn’t. [Read more]

30 Jan 2023

WordPress Security Community’s Poor Results on Display With Failed Fix of Vulnerability in 3+ Million Install Plugin MonsterInsights

A couple of weeks ago, WordPress security provider WPScan, which is controlled by the head of WordPress, Matt Mullenweg, claimed that an authenticated persistent cross-site scripting (XSS) vulnerability involving its Inline Popular Posts block had been fixed in the latest version, 8.12.1, of the 3+ million install plugin MonsterInsights:

[Read more]

9 Dec 2022

Awesome Motive’s Not So Awesome Five for the Future Sponsorship of Plugin Security Reviewer for WordPress

The website of the WordPress-focused company Awesome Motive paints them in an incredibly positive light. For example, one of their five core values is “We Do The Right Thing every time.”, which they explain this way:

When it’s right for the people, the company, and you’re proud of the decision, then it’s the right thing. Sometimes doing the right thing is hard, but doing it over is harder. This is why we must always do the right thing, every time. [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]