3 Apr 2023

AI Helps to Detect Vulnerability Being Introduced into a 1+ Million Install WordPress Plugin

The WP Tavern recently ran a story claiming that the security of WordPress plugins is getting better because more vulnerabilities are being discovered:

The report emphasized that the increase in the number of vulnerabilities reported means that the ecosystem is becoming more secure as a result of more security issues being found and patched.

3 Apr 2023

Settings Change Vulnerability in XML Sitemaps

The latest version of the WordPress plugin XML Sitemaps was flagged by a machine learning based system we use to detect whether changes made to plugins used by our customers have introduced vulnerabilities into them. It wasn’t hard to find a vulnerability being introduced into the new version of the plugin. The new version introduces a “beta testing program”, and the code that is supposed to register consent for it lacks any security checks, so anyone can access it.

That code is in the function register_consent, which is located in the file /sitemap.php:

1 Jun 2022

“Vulnerability” In 1+ Million Install WordPress Plugin XML Sitemaps (Google XML Sitemaps) Didn’t Lead to Backdoor on Websites

On April 6, the WordPress plugin XML Sitemaps (Google XML Sitemaps) was closed on WordPress’ plugin directory. The only information given was this vague message:

This plugin has been closed as of April 6, 2022 and is not available for download. This closure is temporary, pending a full review.

11 Mar 2022

Not Really a WordPress Plugin Vulnerability, Week of March 11

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated Reflected XSS (via HOST header) in XML Sitemaps

Automattic’s WPScan has long not been concerned if they spread false reports of vulnerabilities, as can be seen by this report from a few years ago that we checked because at least one of our customers uses the plugin XML Sitemaps. This involves a claimed reflected cross-site scripting (XSS) vulnerability where, based on their description, they think that this type of vulnerability involves someone attacking themselves: