{"id":2387,"date":"2015-03-12T15:17:32","date_gmt":"2015-03-12T21:17:32","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2387"},"modified":"2015-03-12T15:17:32","modified_gmt":"2015-03-12T21:17:32","slug":"auttomattic-sponsored-wordpress-plugin-pods-still-hasnt-fixed-publicly-known-security-vulnerability-after-two-months","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/12\/auttomattic-sponsored-wordpress-plugin-pods-still-hasnt-fixed-publicly-known-security-vulnerability-after-two-months\/","title":{"rendered":"Automattic Sponsored WordPress Plugin Pods Still Hasn&#8217;t Fixed Publicly Known Security Vulnerability After Two Months"},"content":{"rendered":"<p>In discussing how the security of WordPress plugins could be improved, we have put forward that Automattic, the company closely connected with WordPress, <a title=\"Automattic\u2019s Responsibility for the Security of WordPress Plugins\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2015\/01\/13\/automattics-responsibility-for-the-security-of-wordpress-plugins\/\">should have some responsibility for that<\/a>. With a <a href=\"http:\/\/blogs.wsj.com\/venturecapital\/2014\/05\/05\/automattic-valued-at-1-16-billion-says-it-doesnt-need-ipo\/\">valuation of over a billion dollars<\/a>, they certainly have the financial wherewithal to bear the burden of some responsibility. 
Shortly after putting forward that idea, we came across a <a href=\"http:\/\/packetstormsecurity.com\/files\/129890\/WordPress-Pods-2.4.3-CSRF-Cross-Site-Scripting.html\">security advisory for multiple vulnerabilities in Pods<\/a>, a <a title=\"Poor Security In Automattic Sponsored WordPress Plugin\" href=\"http:\/\/www.whitefirdesign.com\/blog\/2015\/01\/30\/poor-security-in-automattic-sponsored-wordpress-plugin\/\">plugin that Automattic sponsors<\/a>.<\/p>\n<p>When we checked on the vulnerabilities to add them to the <a href=\"https:\/\/wordpress.org\/plugins\/plugin-vulnerabilities\/\">Plugin Vulnerabilities plugin<\/a>, we found that, despite the advisory saying they had been fixed in version 2.5, two of the reflected cross-site scripting (XSS) vulnerabilities it listed still existed. Three days after the advisory was put out, on January 15, we notified the Pods developers that the vulnerabilities still existed. We promptly received a reply from them, but it didn&#8217;t seem like they really understood the situation.<\/p>\n<p>A week later versions 2.5.1 and 2.5.1.1 were released, neither of which addressed the security vulnerabilities.<\/p>\n<p>On February 5 and 9 we received emails from the developers saying that the vulnerabilities would be fixed in version 2.5.2. That version has yet to be released, and it has now been two months that they have knowingly left the vulnerabilities in the plugin. 
Maybe this will be a wake-up call to Automattic that plugin security needs to be taken more seriously, and that they can start playing a constructive role by improving the security of the plugins they sponsor.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In discussing how the security of WordPress plugins could be improved, we have put forward that Automattic, the company closely connected with WordPress, should have some responsibility for that. With a valuation of over a billion dollars, they certainly have the financial wherewithal to bear the burden of some responsibility. Shortly after putting forward that idea, we came &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2015\/03\/12\/auttomattic-sponsored-wordpress-plugin-pods-still-hasnt-fixed-publicly-known-security-vulnerability-after-two-months\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Automattic Sponsored WordPress Plugin Pods Still Hasn&#8217;t Fixed Publicly Known Security Vulnerability After Two 
Months&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,32],"tags":[42,43],"class_list":["post-2387","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-wordpress-plugins","tag-automattic","tag-pods"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2387"}],"version-history":[{"count":3,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2387\/revisions"}],"predecessor-version":[{"id":2390,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2387\/revisions\/2390"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}