3 Apr 2025

6 WordPress Plugins With a Million or More Installs Still Using JavaScript Library That Was EOL’d at End of 2023

As we continue to expand the ability of our Plugin Security Scorecard to detect third-party libraries included with WordPress plugins, we continue to find that popular plugins are not handling their usage of those libraries well. While preparing to notify a plugin developer that they were using a known insecure version of a library, we noticed another library in the plugin that we hadn’t yet added to the tool. That library is Vue.js. Version 2 of it reached end of life at the end of 2023. That means if there were a vulnerability or lesser security issue, an update wouldn’t be released. (There is a scammy security provider claiming to provide further updates for it.)

While working on adding detection for the library, we found that 6 plugins with a million or more installs still contain version 2 of the library. All but one of them are not even using the latest release of version 2. The one plugin that is using the latest release is CookieYes, which has a million installs and contains 2.7.16. [Read more]

7 Sep 2023

WPMU DEV and Their Partner Patchstack Didn’t Handle Security Vulnerability in 400,000+ Install Plugin Well

WPMU DEV is a WordPress plugin developer that we have noted in the past hasn’t been handling security well despite being a security provider. They offer the Defender plugin, which WordPress says has 90,000+ installs. WPMU DEV claims that the pro version of that has 300,000+ installs. If you head to the homepage for the pro version right now, they claim to provide “reliable WordPress security”, which is powered by Patchstack:

[Read more]

22 Apr 2022

1+ Million Install WordPress Plugin From Security Plugin Developer WPMU DEV is Lacking Basic Security

Yesterday a new version of the WordPress plugin Smush, which has 1+ million active installs according to wordpress.org, was released with a changelog entry indicating that a security fix was being made:

Fix: XSS vulnerability [Read more]

17 Nov 2017

The Developers of WordPress Security Plugins Should Be Setting the Example of Good Security Practices

Recently someone left a negative review of the companion plugin for our service, which seemed more like someone looking to bash us than a legitimate review of the plugin (based on another review of theirs, they are a paying customer of Wordfence, which explains a lot). The reviewer didn’t even seem to be all that aware of what the plugin did, as they said it “just tells me that something is bad”, or of what we do. Part of their review was:

Maybe it’s just the author’s continued bashing of every competitor in the security industry that turns me off. Why isn’t the author doing more to help with the security community instead of bashing everyone? [Read more]

22 Sep 2017

Vulnerability Details: PHP Object Injection Vulnerability in Appointments

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it, and in those cases we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

Since June we have been doing proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. So far that has led to identifying a couple of dozen vulnerabilities. For the third time it has led to identifying a PHP object injection vulnerability being fixed in a plugin, this time in the plugin Appointments. [Read more]