{"id":2278,"date":"2015-01-13T16:00:25","date_gmt":"2015-01-13T23:00:25","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2278"},"modified":"2015-01-13T16:00:25","modified_gmt":"2015-01-13T23:00:25","slug":"automattics-responsibility-for-the-security-of-wordpress-plugins","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2015\/01\/13\/automattics-responsibility-for-the-security-of-wordpress-plugins\/","title":{"rendered":"Automattic&#8217;s Responsibility for the Security of WordPress Plugins"},"content":{"rendered":"<p>As we have continued to refocus on the security of WordPress plugins due to our work on a <a href=\"https:\/\/wordpress.org\/plugins\/plugin-vulnerabilities\/\">new plugin that warns of known vulnerabilities in WordPress plugins<\/a>, the question of who has a responsibility for improving the security of WordPress plugins has come up. Relying on the developers of the plugins to ensure they are secure doesn&#8217;t seem to be working, as many of the vulnerabilities we have reviewed are not the result of complex issues, so they could have been prevented with relatively basic security precautions. Since WordPress is a volunteer effort, expecting those volunteers to be responsible for the overall security of third-party software doesn&#8217;t seem right. But what about the company closely connected with WordPress, Automattic?
With a <a href=\"http:\/\/blogs.wsj.com\/venturecapital\/2014\/05\/05\/automattic-valued-at-1-16-billion-says-it-doesnt-need-ipo\/\">valuation of over a billion dollars<\/a> they certainly have the financial wherewithal to bear the burden of some responsibility. In the past we would have said no, since they didn&#8217;t seem to have a direct connection with plugins, but as we recently stumbled upon, they are taking advantage of them for business purposes.<\/p>\n<p>Recently a <a href=\"http:\/\/packetstormsecurity.com\/files\/129749\/WordPress-Frontend-Uploader-0.9.2-Cross-Site-Scripting.html\">reflected cross-site scripting (XSS) vulnerability<\/a> was discovered in the <a href=\"https:\/\/wordpress.org\/plugins\/frontend-uploader\/changelog\/\">Frontend Uploader plugin<\/a>. After confirming that the vulnerability existed in the most recent version, we went looking for a way to contact the developer of the plugin to alert them that the vulnerability existed in their plugin. While doing that we came across a page for the <a href=\"http:\/\/vip.wordpress.com\/plugins\/wp-frontend-uploader\/\">plugin at Automattic&#8217;s WordPress.com VIP<\/a>, a <a href=\"http:\/\/vip.wordpress.com\/our-services\/\">service<\/a> where you can pay starting amounts of $5,000 a month for hosting and $1,250 for support. It turns out they <a href=\"http:\/\/vip.wordpress.com\/plugins\/\">offer a number of the plugins<\/a> from the <a href=\"https:\/\/wordpress.org\/plugins\/\">wordpress.org Plugin Directory<\/a> to the customers of their VIP service.
They tout those plugins (as partner integrations) with this:<\/p>\n<blockquote><p>We&#8217;ve added 200+ extra features on top of WordPress for everyone on WordPress.com\u2014and just for VIPs, we&#8217;ve added the additional plugins below, which can be integrated into your sites with a single-click, so you can take advantage of powerful partner integrations and features without touching a line of code.<\/p><\/blockquote>\n<p>Their <a href=\"http:\/\/vip.wordpress.com\/why-vip\/\">marketing materials<\/a> also tout their claimed security (which hopefully has improved after the <a href=\"http:\/\/techcrunch.com\/2011\/04\/13\/hacker-gains-access-to-wordpress-com-servers\/\">major breach they had a few years ago<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2279\" src=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/01\/wordpress-com-vip-security.png\" alt=\"We stay awake at night, watching over your site, so you don\u2019t have to. Our site monitoring and secure codebase ensure an impressive uptime, and our operations team is always hands-on.\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/01\/wordpress-com-vip-security.png 300w, https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2015\/01\/wordpress-com-vip-security-150x150.png 150w\" sizes=\"auto, (max-width: 300px) 85vw, 300px\" \/><\/p>\n<p>Based on all of this we certainly think that Automattic has a responsibility for improving the security of WordPress plugins, since they are benefiting from them.<\/p>\n<p>If they are going to live up to that responsibility they have a lot of work to do, as can be seen in this case. After the vulnerability was disclosed in a plugin they are redistributing, they don&#8217;t appear to have done anything about it.
As far as we can tell the vulnerability was only fixed after we reported it to the people running the WordPress.org Plugin Directory (since we couldn&#8217;t find a direct contact for the developers of the plugin) and they pulled the plugin pending a fix. While the plugin was gone from the Plugin Directory it was still listed on the WordPress.com VIP website, though we don&#8217;t know if they continued to distribute it. It doesn&#8217;t even look as if people using WordPress.com VIP would know that the plugin had a vulnerability fixed, since the <a href=\"http:\/\/vip.wordpress.com\/plugins\/wp-frontend-uploader\/changelog\/\">changelog<\/a> makes no mention of the new version, 1.9.3, or the security fix in it (which unfortunately is an <a title=\"Security Vulnerability Fixes Often Left Unmentioned In WordPress Plugin Changelogs\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/12\/16\/security-vulnerability-fixes-often-left-unmentioned-in-wordpress-plugin-changelogs\/\">all too common problem when plugins receive security fixes<\/a>).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we have continued to refocus on the security of WordPress plugins due to our work on a new plugin that warns of known vulnerabilities in WordPress plugins, the question of who has a responsibility for improving the security of WordPress plugins has come up. Relying on the developers of the plugins to ensure they are secure doesn&#8217;t &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2015\/01\/13\/automattics-responsibility-for-the-security-of-wordpress-plugins\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Automattic&#8217;s Responsibility for the Security of WordPress 
Plugins&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-2278","post","type-post","status-publish","format-standard","hentry","category-wordpress-plugins"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2278"}],"version-history":[{"count":2,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2278\/revisions"}],"predecessor-version":[{"id":2281,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2278\/revisions\/2281"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}