7 Mar 2025

WordPress Plugin Review Team Failing to Enforce Rule, Which is Leading to Popular Plugins Containing Vulnerable Libraries

As part of our work to expand the ability of our Plugin Security Scorecard to identify security issues in WordPress plugins, we have been increasing the number of third-party libraries it can detect being used in WordPress plugins and incorporating information on vulnerabilities the developers have disclosed in those libraries. One place we have been doing that work is during security reviews of plugins. That led to us adding detection for the library jQuery UI to the tool and warning if plugins contain a version that has any of four vulnerabilities disclosed by the developer to have existed in older versions. In recent weeks, we have published several posts that partially focused on WordPress plugins that are using known vulnerable versions of the library. Those situations don’t paint a pretty picture when it comes to plugins’ usage of third-party libraries.

One of the plugins incorporated a vulnerable version of the library nearly 3 years after it was disclosed by the library’s developer to be vulnerable. [Read more]

24 Jan 2025

WordPress Plugin Review Team Reviews Failing to Catch Basic Security Failure (Including in a Plugin From the Team’s Security Reviewer)

At the end of last year, one of the team reps for the team running the WordPress plugin directory provided an assessment of what the team had been up to. It incredibly credited one past member of the team with a “magnificent legacy” of a scanner tool, despite it being no secret that this person had blocked efforts for years to improve the team’s scanner tool (and more generally blocked efforts to address the problems they were causing). Beyond that, it made repeated claims about the team’s handling of security, including this in the first paragraph:

Throughout this time, we remained focused on our primary goals: enhancing security, improving the review process, and fostering community engagement. [Read more]

3 Dec 2024

Member of WordPress Plugin Review Team Anonymously Criticizes ACF Pro Forking, But Doesn’t Leave Team

One of the unfortunate realities of the current situation with WordPress is that the problems surfaced are hardly limited to Matt Mullenweg. Long ago, the people controlling the areas of WordPress with which we had the most interaction were often people similar to Matt Mullenweg in many ways. The security issues with WordPress plugins today largely exist because of the people who have run the plugin directory, the WordPress Plugin Review Team. They have long been actively hostile to working with others to address problems, when not actually creating the problems. Like Matt Mullenweg, members of the team have portrayed themselves as victims in situations where they were definitely not victims. That made a recent set of events unsurprising to us.

A week ago, the Repository allowed a member of the team to anonymously complain about the forking of the Advanced Custom Fields (ACF) Pro plugin and claim that their team had no responsibility for it: [Read more]

31 Oct 2024

WordPress Plugin Review Team’s Stance That “Forked Premium Plugins Are Not Permitted” Changed Same Day ACF Takeover Happened

Since Matt Mullenweg announced a takeover of WP Engine’s Advanced Custom Fields (ACF) on the WordPress plugin directory on October 12, there have been questions about whether the features of the paid Pro version would be incorporated into the rebranded Secure Custom Fields. Doing that would be against the stated policy of the team running the WordPress plugin directory, which was spelled out in a February 16, 2021 post titled “Reminder: Forked Premium Plugins Are Not Permitted.” Or it was against the policy. As of October 8, the post began “tl;dr: We do not permit copies or forks of premium (pay for) plugins to be hosted on WordPress.org.”

[Read more]

17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restrictions on plugins automatically installing additional plugins when a plugin is being set up. A couple of the major offenders, when it comes to doing that, have chimed in. Unsurprisingly, they are suggesting not stopping that from happening. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins, as well as introducing additional security risk to the websites, as their plugins have had plenty of security vulnerabilities over the years. While looking into how those players are currently handling that automatic installation, we noticed that a couple of multi-million install plugins from them are tracking usage without users choosing to opt in, and in the case of Awesome Motive’s 3+ Million Install All in One SEO, without disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled: [Read more]

11 Sep 2024

WordPress Continues to Fail to Properly Address Malicious Code Loaded on Thousands of Websites

In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a third-party website to be loaded onto the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]

22 Jul 2024

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install counts of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints from those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that offer significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.

Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis): [Read more]

10 Jul 2024

WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Them

In May, we found that numerous security providers had failed to catch that a vulnerability in the 100,000+ install WordPress plugin Genesis Block hadn’t been fully fixed. It was a good reminder of the importance of relying on vulnerability data that is actually vetted, which isn’t true of most sources. At the time, we had tried to contact the developer to let them know about the failure to fully fix this, but they didn’t provide a contact method for doing that. We did find that the parent company of the developer, WP Engine, has a security page, but that doesn’t provide a contact method for non-customers to reach them. It directs customers to contact them through a general contact form. Both of those things are odd. It also mentioned a third-party vulnerability bug bounty program, which wouldn’t be relevant to addressing the issue we were trying to reach them about (and wouldn’t get us in touch with them).

The vulnerability has remained in the plugin since then. The plugin had remained in the WordPress Plugin Directory despite the plugin being publicly known to be vulnerable. That is, until two days ago, when it was closed on there: [Read more]

12 Feb 2024

WordPress Plugin Team Appears to Not Understand Proper Use of SQL Escaping Function esc_sql()

We recently had a strange interaction with the team running the WordPress Plugin Directory over their failure to make sure a likely exploited vulnerability was fixed. It was yet another example of their poor handling of security. That runs counter to their own stated expectations:

All members of the plugin team are held to an exceptionally high standard, not just in their ability to process code for security, but also in the way they handle security issues, ethical/behavioral situations, and privileged information. [Read more]

11 Dec 2023

Hacker Targeted WordPress Plugin Returns to Plugin Directory Without Update For Exploitable Vulnerability

For years, the handling of security by the WordPress Plugin Directory has been rather poor, caused by a multitude of issues. In addition to the problems with their handling of security, there hasn’t been a willingness to work with the community to address that. One of the two problematic long-time leaders of the team (and two of only four members overall, somehow) left earlier this year. Notably, as they were leaving, a largely new team was brought in by them without the involvement of the community. So far, the new team doesn’t seem to have been reaching out to those actually interested in helping them improve their handling of security. That isn’t because they are handling things well now, as yet another problematic situation shows.

In October, we wrote about seeing a hacker targeting a WordPress plugin named Dropshipping & Affiliation with Amazon and finding that the plugin was still in the plugin directory despite having a vaguely disclosed serious vulnerability. The plugin was subsequently closed on the plugin directory. [Read more]