Plugin Vulnerabilities

Our weekly update post on what on how our customers are helping to make WordPress plugins more secure is mostly about vulnerabilities that haven't been fixed. A vulnerability in the 300,000+ install Formidable Forms did get fixed this week, though. pluginvulnerabilities.com/2024/02/16/how…

@bgardner @wp_acf @wpengine Can you let the NitroPack team know that they need to address a vulnerability in their plugin? x.com/pluginvulns/st…

Happy to announce we just published ACF 6.3.9 Security Release (@wp_acf), which will be automatically available to users who are @wpengine customers. (Link w/ info in reply.) ⚡️

@getnitropack Also, your website still has a download link to the WordPress plugin directory. It is the "Get the plugin" link. nitropack.io/platform/wordp…

@getnitropack We reached out to you on Friday morning through your security email address about a vulnerability in the WordPress plugin. We still haven't heard back from you.

The NitroPack team has a new solution to ensure NitroPack users receive updates to the WordPress plugin. Please update to the latest version of NitroPack using the steps outlined in our post: support.nitropack.io/en/articles/99… The NitroPack team has been blocked from accessing WordPress.org, which prevents us from releasing updates through WordPress.org. To continue receiving updates, please upgrade to the latest NitroPack version, following the steps outlined in our article linked above. Note: WP Engine and Flywheel hosting customers are unaffected and do not need to manually install this update to continue to receive automatic updates.

How Our Customers Helped Make WordPress Plugins More Secure, Week of March 1 pluginvulnerabilities.com/2024/03/01/how…

AI Helps to Detect Incomplete Security Fix Being Made to 1+ Million Install WordPress Plugin WP File Manager pluginvulnerabilities.com/2024/02/29/ai-…

@jacklynbiggin @WooCommerce @brentmackinnon This is also happened with a security improvement made in version 8.4.0, which included in the changelog for 8.5.0. The entry was: Fix – Remove the potential for a Reflected XSS attack in relation to a dismissable notice in the edit comments screen. #42728

@jacklynbiggin @WooCommerce @brentmackinnon Looking at the old changelog entries, there used to be separately labeling for security fixes. The last time that happened was with version 7.3.0, which came out in January of last year. raw.githubusercontent.com/woocommerce/wo…

@jacklynbiggin @WooCommerce @brentmackinnon Thanks.

@adityaarsharma Has there been a reason giving for limiting the changelog to such a short length?

WordPress has added a limit of 1500 words for README, for most plugins this is okay, but for Elementor Addons with long list of feature this seems highly limiting. #WordPress

@hackinglife7 Maybe you can spend some money making sure your plugins are properly secured before you acquire a plugin. Based on the recently fixed vulnerability in the ThemeIsle SDK caused by basic security failures, it doesn't look like that has already happened.

We're looking again to acquire one WordPress plugin generating between $60k - 150k per year in revenue. Read below on how we're different:

@jacklynbiggin @WooCommerce Just a quick chime in that it isn't great for devs when you are including changelog entries for things that were fixed in a different version. Also, not great when you are not disclosing in the changelog that a fix for security vuln is a security fix. pluginvulnerabilities.com/2024/02/28/woo…

@palmiak_fp @patchstackapp Patchstack isn't actually doing a great job of keeping up vulnerabilities. For example, they warned about this exploitable vulnerability, but told people it had been fixed, when it hasn't. pluginvulnerabilities.com/2024/02/13/hac…

Working at @patchstackapp made my approach toward security even more strict. - I would convert whatever website possible to static - I would pay for @patchstackapp - it's almost impossible to keep up with vulnerabilities That said - I'm not saying #WordPress isn't secure. It's a huge market, with a lot of plugins and a lot of researchers. Core is secure and many plugins are very serious about #security (some less).

WooCommerce Vulnerability Listed as Being Fixed in Upcoming Release Was Already Fixed pluginvulnerabilities.com/2024/02/28/woo…

Authenticated Information Disclosure Vulnerability in Download Manager pluginvulnerabilities.com/2024/02/26/aut…

If WordPress plugin developers want to be proactive, we offer to do security reviews of plugins. (We also offer free help dealing with vulnerabilities found by others.) pluginvulnerabilities.com/wordpress-plug…

We found incomplete fixes with three plugins being used by our customers in the last week. One developer got an additional fix out very quickly, so quickly they didn't fully address the insecurity. The other two haven't released additional fixes. pluginvulnerabilities.com/2024/02/23/how…

One of the reasons there are too many updates for WordPress plugins is that developers are not being proactive about security. Not only are they not getting security reviews to catch issues, but when they are reported to them by others, the fixes are frequently incomplete.

You can sign up for a free trial of our service to see if you are using plugins known to be vulnerable. We currently have data on plugins with at least 8.2 million installs that are known to be vulnerable and still in the WordPress Plugin Directory! pluginvulnerabilities.com/product/subscr…

The developer of Brave Conversion Engine still hasn't fully fixed a previous incomplete fix from November! They fixed the one example we provided of the remaining issue, but didn't resolve any of the others.

Another week, another post about how we are helping make WordPress plugins more secure. This week we caught incomplete vulnerability fixes in Download Manager and Brave Conversion Engine. Unfortunately, they still haven't been fixed. pluginvulnerabilities.com/2024/02/23/how…