{"id":2343,"date":"2015-03-02T14:08:14","date_gmt":"2015-03-02T21:08:14","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2343"},"modified":"2015-03-02T14:08:14","modified_gmt":"2015-03-02T21:08:14","slug":"many-wordpress-plugin-vulnerabilities-have-not-been-fixed","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/02\/many-wordpress-plugin-vulnerabilities-have-not-been-fixed\/","title":{"rendered":"Many WordPress Plugin Vulnerabilities Have Not Been Fixed"},"content":{"rendered":"

As of today’s release, our Plugin Vulnerabilities plugin<\/a> includes entries\u00a0for 200 security vulnerabilities that have existed in WordPress plugins. While that is far from all of the vulnerabilities out there, it does include a good mix of vulnerabilities. So far we have focused on adding newly discovered vulnerabilities, vulnerabilities that we are seeing exploit attempts for, and vulnerabilities from the archives of security researchers. We have included some stats we collected on those vulnerabilities below.<\/p>\n

One stat\u00a0stands out, over a quarter of the vulnerabilities – 54 of 200 – have not been fixed. A few of these were only recently discovered or the developer was only recently informed of them (all too often no one bothers to inform the developer and this is something that our work on the plugin has been rectifying), but for\u00a0the vast majority\u00a0there has been ample time and notice to the developer so they should have been fixed by now. This is a big problem because simply keeping plugins up to date won’t protect you if the latest version of the plugin has a known security vulnerability that can be exploited.<\/p>\n

Right now what happens when a vulnerability isn’t fixed is that the plugin will be removed from the WordPress.org Plugin Directory until it is fixed, assuming the people running the Plugin Directory are informed of the issue. That does nothing for any websites that already have\u00a0the plugin installed though. It is a problem we have been highlighting for three years now<\/a>, without getting a solution. It also has been over two years since there was indication that a solution was being worked on<\/a>. We hope that it won’t take another year to finally get fixed. In the meantime you can use our Plugin Vulnerabilities plugin<\/a> to get alerted to known vulnerabilities in installed plugins and our No Longer in Directory plugin <\/a>to find out what installed\u00a0plugins have been removed from the WordPress.org Plugin Directory.<\/p>\n

Plugin Vulnerability Stats As of March 2, 2015<\/h2>\n