One of the ways we are very different from the other sources of vulnerability data on WordPress plugins that we are aware of, is that we actually review each reported vulnerability when preparing to add it to our data. That means that we can provide higher quality data than other sources, so you don’t get told among other things that an unfixed vulnerability has been fixed and don’t get warned about vulnerabilities that don’t exist as you do with other sources. That also means we have looked at numerous reports and we have seen the good and the bad of handling of security in WordPress plugins. Something we ran across recently managed to surprise us and is a good reminder that even popular plugins can have glaring security failures that are left in place for years.

The plugin Form Maker (also referred to as Form Maker by WD) as you might guess from the name handles forms on website and is fairly popular, with 90,000+ active installs according to wordpress.org. Last Wednesday a new version, 1.11.2 was released, which had as one of its changelog entries “Fixed: Security issue”. After noticing that the new version was indicated to have a security fix we looked around to see if there had been a report released on the issue, when we didn’t find any we started to take a look at the changes made in that version to see if the fixed security issue was a vulnerability that we should be adding to our data set. [Read more]