Login

Tag Archives: Plugin Security Scorecard

9 Apr 2025

Plugin Security Scorecard March Results

March was the eighth full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 140 plugins were checked last month. With 8 of those plugins being security plugins.

The overall results were not great. No plugins got an A+, A or B+. Those three grades require the developer is taking proactive measures with security, so most plugin developers are not taking measures to provide the best security. 36 of the plugins did get a B, which requires that they are avoiding unnecessary security issues. [Read more]

3 Apr 2025

6 WordPress Plugins With a Million or More Installs Still Using JavaScript Library That Was EOL’d at End of 2023

As we continue to expand the ability for our Plugin Security Scorecard to detect third-party libraries included with WordPress plugins, we continue to find that popular plugins are not handling their usage of those well. While preparing to notify a plugin developer that they were using a known insecure version of a library, we noticed another library in the plugin that we hadn’t yet added to the tool. That library being Vue.js. Version 2 of that reached end of life at the end of 2023. That means if there were a vulnerability or lesser security issue, then an update wouldn’t be released. (There is a scammy security provider claiming to provide further updates for it.)

While working on adding detection for the library, we found that 6 plugins with a million or more installs still contain version 2 of the library. All but one of them are not even using the latest version of version 2. That plugin is using the latest is CookieYes, which has a million installs and contains 2.7.16. [Read more]

4 Mar 2025

CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While Their Security Plugin Contains Known Vulnerable Library

Last week we posted about the three most popular file manager plugins containing a vulnerable version of the jQuery UI library. The inclusion of the vulnerable version of that library was detected by our Plugin Security Scorecard. None of those plugins have been updated to address that yet, despite us notifying the developers a week ago. Over the weekend, another plugin was checked through the tool and identified to contain a vulnerable version of that. Incredibly, it is a security plugin, Security & Malware scan by CleanTalk:

[Read more]

3 Mar 2025

Plugin Security Scorecard February Results

February was the seventh full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 86 plugins were checked last month. With 4 of those plugins being security plugins.

The overall results were not great. No plugins got an A+,  A or B+. Those three grades require the developer is taking proactive measures with security, so most plugin developers are not taking measures to provide the best security. 19 of the plugins did get a B, which requires that they are avoiding unnecessary security issues. [Read more]

25 Feb 2025

Popular WordPress File Manger Plugins Contain Third-Party Library With Multiple Vulnerabilities

Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue identified by the tool in each plugin was flagged for us to review. That issue being that the plugin’s contained a known vulnerable library. What was curious was is that each plugin was flagged for the exact same vulnerabilities in the same library. Here is the relevant part of the results for the 1+ million install WP File Manager:

[Read more]

11 Feb 2025

WordPress Plugin Developers’ Assurances Their Plugins Are Secure Continue to Not Bear Out

We recently ran across a WordPress plugin developer claiming that a security partner was ensuring their plugin was secure. We had run across the plugin because the developer had continued to use a known vulnerable third-party library for 21 months. It turned out to not be the only known vulnerable library in the plugin. There also is an additional unfixed security issue caused by the security partner, Patchstack, failing to make sure a vulnerability was properly fixed or to provide the information needed for others to vet their false claim it was fixed. They are hardly the only plugin developer claiming that their plugins are secure. Can you trust their claims?

One way to try to determine the answer to that would be to look at the evidence they providing to back the claims up. But they don’t provide any. For example, the developer of the 80,000+ install WP ULike provides this information in a FAQ in response to the question “Is WP ULike secure?”: [Read more]

10 Feb 2025

WordPress Plugin Includes Version of Third-Party Library That Was Publicly Known to Be Vulnerable Years Before Plugin Was Even Released

As part of providing a more comprehensive view of the handling of the security of WordPress plugins through our Plugin Security Scorecard tool, we have been expanding the number of third-party libraries it can detect in plugins. If developers of those libraries disclose security advisories on GitHub for those libraries, we incorporate them into the results of the tool as well. Last week we added detection for the jQuery UI JavaScript library. It has already had someone run a plugin through the updated tool that caught the plugin containing a version of a library that contains multiple vulnerability according to the developer:

[Read more]

3 Feb 2025

Plugin Security Scorecard January Results

January was the sixth full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 148 plugins were checked last month. With 7 of those plugins being security plugins.

As can be seen below, the results for security plugins were not good. With the best grade being a D+. That comes from a combination of different issues. Some of those plugins have security issues. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security. Then there is the issue of the plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true). [Read more]

23 Jan 2025

Our Plugin Security Scorecard Now Supports Checking ClassicPress Plugins

While the WordPress fork ClassicPress has gotten renewed attention with what has been going on with WordPress recently, we have had efforts related to the security of its plugins for years. Back in 2021, we started doing proactive monitoring to try to catch serious vulnerabilities in plugins that were in the ClassicPress plugin directory. Alongside that, we ran the plugins through our Plugin Security Checker, which leads to us detecting a less serious vulnerability. The developer promptly fixed the issue, which isn’t something we can say that often with WordPress plugin.

Last year we introduced a new tool, the Plugin Security Scorecard, which seeks to provide a better understanding of the security of WordPress plugins, as well as promote developers implementing better security practices. The tool continues to highlight the poor state of even some of the most popular WordPress plugins. Last week, for example, a 1+ million install plugin was run through the tool and found to contain a version of a third-party library that had been know to be insecure for nearly three years. [Read more]

22 Jan 2025

WordPress Plugins Can Include a Lot of Software That the Plugin’s Developer Doesn’t Have Any Connection To

How much do you consider a WordPress plugin developer’s handling of security of their plugins when choosing to use or not use a plugin? Probably not much, considering even if you wanted to, your access to information to make an informed assessment is limited. That is also backed up by the popularity of plugins from developers that have long track records of very public indifference, at best, to security. Depending on the plugin, you have to be worried about not just their handling of security, but the handling of security by developers of third-party libraries that are included in their plugin.

The amount of third-party in some plugins has surprised us. As part of working on our Plugin Security Scorecard since last year, we have been expanding the amount of libraries it can provide information on and warnings when there are publicly known security issues. A few days ago, the security plugin Shield Security was run through the tool again and more libraries were flagged to be included in our data set. There were 5 more libraries in for us to see about adding, that is on top of the 47 that were included in our dataset that are in the plugin. That is a lot of third-party software being included in a plugin originally called WordPress Simple Firewall. [Read more]