{"id":2367,"date":"2015-03-06T15:57:00","date_gmt":"2015-03-06T22:57:00","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2367"},"modified":"2015-03-06T15:57:00","modified_gmt":"2015-03-06T22:57:00","slug":"we-have-now-helped-get-16-wordpress-plugin-vulnerabilities-fixed","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/06\/we-have-now-helped-get-16-wordpress-plugin-vulnerabilities-fixed\/","title":{"rendered":"We Have Now Helped Get 16 WordPress Plugin Vulnerabilities Fixed"},"content":{"rendered":"<p>It has now been a little over three months since we introduced our <a href=\"https:\/\/wordpress.org\/plugins\/plugin-vulnerabilities\/\">Plugin Vulnerabilities plugin<\/a> amid our renewed effort to improve the security of WordPress plugins, and it seems like a good time to provide an update on what we have accomplished so far.\u00a0For years we have been discussing the problem that many publicly disclosed <a title=\"24 More WordPress Plugins With Publicly Known Vulnerabilities Were in Plugin Directory\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2012\/03\/15\/24-more-wordpress-plugins-with-publicly-known-vulnerabilities-were-in-plugin-directory\/\">vulnerabilities existed in the current version\u00a0of WordPress plugins and that those plugins were still available on the WordPress.org Plugin Directory<\/a>. That is obviously a bad sign for the overall security of WordPress plugins, since making sure that known vulnerabilities get fixed is a low bar for making sure that plugins are secure. In the past we hadn&#8217;t kept track of how many of these vulnerabilities we had some part in getting fixed, but when we started working on the new plugin we started tracking that. This week two more of the plugins got fixes, bringing the total to 16 vulnerabilities fixed in as many plugins. Developers of two more plugins have indicated that vulnerabilities in their plugins will be fixed in upcoming releases.<\/p>\n<p>One of the vulnerabilities fixed this week gives\u00a0an indication of\u00a0how poor the situation still is years after we first noticed it. Back on September 1 a <a href=\"https:\/\/vexatioustendencies.com\/wordpress-plugin-vulnerability-dump-part-1\/\">vulnerability was publicly disclosed in the\u00a0Easy Media Gallery plugin<\/a>, which has 10,000+ active installs. The person disclosing the vulnerability decided not to inform the developers beforehand, and it would appear no one else bothered to either, considering that a fix was released within two days of us informing them on Monday. It wasn&#8217;t a case of no one else seeing the post, as there are several comments on it, and <a href=\"https:\/\/vexatioustendencies.com\/wordpress-plugin-vulnerability-dump-part-2\/#comments\">two follow-up<\/a> <a href=\"https:\/\/vexatioustendencies.com\/wordfence-v5-2-3-2-stored-xss-insufficient-logging-throttle-bypass-exploit-detection-bypass\/#comments\">posts<\/a> have comments from people complaining that the discoverer is not informing developers of the vulnerabilities.<\/p>\n<p>The <a href=\"https:\/\/vexatioustendencies.com\/wordpress-plugin-vulnerability-dump-part-1\/#comments\">first\u00a0comment<\/a>\u00a0on that post ties into another troubling issue that we have seen with the vulnerabilities fixed. The commenter\u00a0mentions that they would inform the developers of WPScan, which they describe as a &#8220;black box WordPress vulnerability scanner&#8221;, of the vulnerabilities. The commenter <a href=\"https:\/\/github.com\/wpscanteam\/wpscan\/issues\/677\">did in fact do that<\/a>. \u00a0It would appear that the WPScan folks didn&#8217;t inform the developer of the vulnerability either. That certainly wouldn&#8217;t be the first time: as previously discussed, in another situation <a title=\"WPScan and Sucuri Put WordPress Websites at Risk\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/12\/19\/wpscan-and-sucuri-put-wordpress-websites-at-risk\/\">they disclosed\u00a0a serious vulnerability in a plugin but didn&#8217;t bother to inform the developer<\/a>, which meant that, like this vulnerability, it wasn&#8217;t fixed. We also found that <a title=\"Wordfence and WPScan Acted Irresponsibly With WordPress Plugin Vulnerability\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/12\/18\/wordfence-and-wpscan-acted-irresponsibly-with-wordpress-plugin-vulnerability\/\">they put vulnerabilities in their database but don&#8217;t inform the developers of them<\/a>, so that people with malicious intent are aware of the vulnerabilities while everyone else is left vulnerable.<\/p>\n<p>While just informing the developers of a vulnerability can in many cases get it fixed quickly, we have found that in other cases that isn&#8217;t enough. For example, in the <a title=\"The Security Risks That Could Be Lurking in Your WordPress Backup Plugin\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/12\/10\/the-security-risks-that-could-be-lurking-in-your-wordpress-backup-plugin\/\">case of the Xcloner plugin<\/a> it took the Plugin Directory removing the plugin, after we reported it to them, for the developer to finally fix the vulnerability. In other cases we have found that despite the discoverer of the vulnerability and the developer of the plugin saying the vulnerability had been fixed, it actually wasn&#8217;t. But our checking, done while determining which versions are vulnerable when adding the vulnerability to the <a href=\"https:\/\/wordpress.org\/plugins\/plugin-vulnerabilities\/\">Plugin Vulnerabilities plugin<\/a>, has led to those vulnerabilities actually getting fixed.<\/p>\n<p>If you\u00a0run across\u00a0a report of a vulnerability in the current version of a WordPress plugin, please make sure to inform the developer of the plugin and\/or <a href=\"http:\/\/codex.wordpress.org\/FAQ_Security#Where_do_I_report_security_issues.3F\">the people running the Plugin Directory<\/a>. You can also let us know by leaving a message in the <a href=\"https:\/\/wordpress.org\/support\/plugin\/plugin-vulnerabilities\">support forum<\/a>\u00a0for Plugin Vulnerabilities\u00a0or by sending an email to <a href=\"mailto:pluginvulnerabilities@whitefirdesign.com\">pluginvulnerabilities@whitefirdesign.com<\/a>, which\u00a0will allow us to add the vulnerability to our plugin and make sure that it is handled properly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It has now been a little over three months since we introduced our Plugin Vulnerabilities plugin amid our renewed effort to improve the security of WordPress plugins, and it seems like a good time to provide an update on what we have accomplished so far.\u00a0For years we have been discussing the problem that many publicly disclosed vulnerabilities existed &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/06\/we-have-now-helped-get-16-wordpress-plugin-vulnerabilities-fixed\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;We Have Now Helped Get 16 WordPress Plugin Vulnerabilities Fixed&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-2367","post","type-post","status-publish","format-standard","hentry","category-wordpress-plugins"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2367"}],"version-history":[{"count":2,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2367\/revisions"}],"predecessor-version":[{"id":2369,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2367\/revisions\/2369"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}