Brand New WordPress Plugin by “Automattic” Includes Authenticated PHP Object Injection Vulnerability
As we have mentioned repeatedly in the past, while brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, that either isn’t happening or it isn’t very good, as we keep finding brand new plugins that contain vulnerabilities whose possibility is flagged by our Plugin Security Checker, an automated tool for checking for the possibility of some security issues in WordPress plugins. We have offered the team running the Plugin Directory free access to the more advanced mode of that tool to assist them in avoiding that happening (or to help in creating similar functionality in their own workflow), but we have had no interest from them. They unfortunately seem more interested in covering up the problems they are having (and in some cases causing) instead of working with others like us to get them fixed.
Our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities, includes many of the same checks as the Plugin Security Checker, so in the case of the plugin Newsletter Subscription Plugin for easyping.me both of them flag the possibility of a PHP object injection vulnerability, which is a type of vulnerability that hackers have been known to exploit.