The Good and Bad of Unexplained Change to WordPress Plugin Directory That...
Yesterday, the team running the WordPress Plugin Directory announced they had recently made a significant change to the directory. No explanation was given for why it was done. Nor why it was done...
Popular WordPress File Manager Plugins Contain Third-Party Library With...
Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue identified by the tool in each plugin was flagged for us to review. That issue being...
Developer of 1+ Million Install WordPress Plugin Warned Multiple Times of...
Yesterday, we covered our finding that the 1+ million install WordPress plugin WP File Manager contains a known vulnerable version of the JavaScript library jQuery UI. While following up on another...
Plugin Security Scorecard February Results
February was the seventh full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 86 in total last month, with 4 of those plugins being...
CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While...
Last week we posted about the three most popular file manager plugins containing a vulnerable version of the jQuery UI library. The inclusion of the vulnerable version of that library was detected by...
CVE Rule Allows MITRE to Hide When They Are Failing to Provide Timely...
The CVE system is treated as a reliable source of information on vulnerabilities, both for WordPress plugins and more broadly. It isn't. It is also failing at a more basic element, actually...
WordPress Plugin Review Team Failing to Enforce Rule, Which is Leading to...
As part of our work to expand the ability for our Plugin Security Scorecard to identify security issues in WordPress plugins, we have been increasing the number of third-party libraries it can detect...
WordPress Plugin Developer Security Advisory: CleanTalk
One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing...
Developer Outsourcing Security Reporting to Bugcrowd Has Left Insecure...
Last week someone checked a WordPress plugin through our Plugin Security Scorecard, which flagged the plugin for a variety of issues:
Vulnerability Disclosure Programs and Bug Bounties Are Being Used for the...
Last month DEF CON and the Cyber Policy Initiative at the University of Chicago released the inaugural Hackers' Almanack, which "curate[ed] the top technical discoveries from DEF CON that have...