Login

Tag Archives: WordPress Plugin Directory

22 Jul 2024

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints by those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that are offering significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without even putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.

Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis): [Read more]

16 May 2024

WordPress Has Left Known Vulnerable Plugin in Their Plugin Directory for 2 1/2 Months

An open redirect is a type of vulnerability that allows a request sent to one website to be redirected to another. It is an issue that is known to be abused by spammers. We have seen plenty of instances over the years of probing trying to find websites using WordPress plugins that have contained that type of vulnerability. At the end of February, a division of the company closely associated with WordPress, Automattic, disclosed that there was an unfixed instance of this type of vulnerability in a plugin that, according to WordPress, is used on at least 7,000 websites, Travelpayouts. The vulnerability has yet to be fixed and yet the plugin is still available in the WordPress Plugin Directory:

[Read more]

12 Feb 2024

WordPress Plugin Team Appears to Not Understand Proper Use of SQL Escaping Function esc_sql()

We recently had a strange interaction with the team running the WordPress Plugin Directory over their failure to make sure a likely exploited vulnerability was fixed. It was yet another example of their poor handling of security. That runs counter to their own stated expectations:

All members of the plugin team are held to an exceptionally high standard, not just in their ability to process code for security, but also in the way they handle security issues, ethical/behavioral situations, and privileged information. [Read more]

2 Jan 2024

WordPress Stops Disclosing if Plugin Directory Team Works for Automattic After at Least Two Employees Secretly Joined Team

In October 2022, after a very questionable action taken by the team running the WordPress’ Plugin Directory that was alleged by some to have been done to the benefit of the for-profit company from head of WordPress, we noted that WordPress was obfuscating the connection between that team and the company, Automattic. Specifically, the second question in the FAQ for the WordPress Plugin Directory claimed to address a possible connection this way:

Does the review team work for Automattic? [Read more]

11 Dec 2023

Hacker Targeted WordPress Plugin Returns to Plugin Directory Without Update For Exploitable Vulnerability

For years, the handling of security of the WordPress Plugin Directory has been rather poor, caused by a multitude of issues. In addition to the problems with their handling of security, there hasn’t been a willingness to work with the community to address that. One of the two problematic long time leaders of that (and two of only four members overall, somehow) left earlier this year. Notably, as they were leaving, a largely new team was brought in by them without the involvement of the community. So far, the new team doesn’t seem to have been reaching out to those actually interested in helping them improve their handling of security. That isn’t because they are now handling things well now, as yet another problematic situation shows.

In October, we wrote about seeing a hacker targeting a WordPress plugin named Dropshipping & Affiliation with Amazon and finding that the plugin was still in the plugin directory despite having a vaguely disclosed serious vulnerability. The plugin was subsequently closed on the plugin directory. [Read more]

21 Apr 2023

XWP Sponsors Major Cause of Avoidable Insecurity of WordPress Plugins While Leaving Vulnerabilities in Their Own Plugin

It would be easy to make significant improvements to the security of WordPress plugins available through the WordPress Plugin Directory, but year after year that hasn’t happened. A lot of the blame for that can be placed on major players in the WordPress space that are funding the current team running the plugin directory, who have blocked improvements from happening.

Two of the four members of the plugin directory team work directly for the head of WordPress, Matt Mullenweg. He also has a for-profit company, Automattic, which creates many conflicts of interest. One serious conflict of interest is that his company sells access to data on vulnerabilities in plugins through WPScan, while the plugin directory team has refused to provide that information. What makes the conflicts of interest stand out more is that the team obfuscates the connection between their members and Auttomatic. [Read more]

9 Mar 2023

WordPress’ Manual Review Fails to Notice Security Provider’s Plugin Is Both Completely Broken and Is Fundamentally Insecure

When someone goes to submit a plugin to the WordPress Plugin Directory, they are told it will go through a manual review before it is allowed in:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]

11 Nov 2022

100,000+ Install WordPress Plugin Custom Permalinks Has Been Phoning Home to Developer for Over Two Years

The 100,000+ active install WordPress plugin Custom Permalinks has been phoning home to the developer with information about the websites it is installed on for over two years, despite it being in violation of the rules for the WordPress Plugin Directory to do that without consent.

Two days ago Jaime Martinez posted about that on the support forum for the plugin after finding that it was going on, while debugging an issue with a client’s website. So far the developer hasn’t responded to that and the plugin remains in the plugin directory. [Read more]