Channel: Plugin Vulnerabilities

WordPress Plugins Failing to Properly Uninstall Leads to Sensitive Information Being Left Behind

We recently completed a security review of a WordPress plugin we were planning to use on our website. We ended up not using the plugin because of an issue unrelated to the security review. While working on the review, we ran into an issue that had not been checked for as part of our security reviews but, in hindsight, is something that should be checked. It turns out to be an issue that impacts many WordPress plugins, including a couple of plugins with 10+ million installs.

We will be releasing the results of the review once the developer has had a chance to respond to the issues we found. So without getting into the specifics of the issue in the plugin, what we found was that the plugin stores sensitive information as WordPress options (settings) and doesn’t remove it when the plugin is uninstalled. The sensitive information is a set of credentials for an API. Not only is that a security issue, it goes against the “basics” of how WordPress plugins are supposed to operate. The Uninstall Methods section of the Plugin Handbook states that “When your plugin is uninstalled, you’ll want to clear out any plugin options and/or settings specific to the plugin, and/or other database entities such as tables.” It also defines when a plugin is uninstalled: “A plugin is considered uninstalled if a user has deactivated the plugin, and then clicks the delete link within the WordPress Admin.”
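The cleanup the Plugin Handbook describes is normally done in an `uninstall.php` file at the plugin root, which WordPress runs only when the plugin is deleted from the admin. The following is an added example of such a file, not code from the plugin under review; the `exampleplugin_*` option and transient names are placeholders for whatever keys a plugin actually stores its credentials under.

```php
<?php
// uninstall.php (added example). WordPress loads this file when a user
// deletes the plugin from the admin after deactivating it, and nothing else
// should be able to trigger it, hence the WP_UNINSTALL_PLUGIN guard.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}

// Placeholder option names; a real plugin lists every option it creates,
// credentials first, so nothing sensitive survives in wp_options.
$exampleplugin_options = array(
    'exampleplugin_api_key',
    'exampleplugin_api_secret',
    'exampleplugin_settings',
);

// Remove the listed options from the current site's options table.
function exampleplugin_delete_options( array $options ) {
    foreach ( $options as $option ) {
        delete_option( $option );
    }
}

if ( is_multisite() ) {
    // Network-activated plugins may have stored settings network-wide
    // (sitemeta table) as well as in each site's own options table.
    foreach ( $exampleplugin_options as $option ) {
        delete_site_option( $option );
    }
    foreach ( get_sites( array( 'fields' => 'ids' ) ) as $blog_id ) {
        switch_to_blog( $blog_id );
        exampleplugin_delete_options( $exampleplugin_options );
        restore_current_blog();
    }
} else {
    exampleplugin_delete_options( $exampleplugin_options );
}

// Cached API tokens or responses stored as transients also live in
// wp_options, so clear them too (placeholder name).
delete_transient( 'exampleplugin_api_token' );
```

After deleting the plugin, `wp option get exampleplugin_api_key` (WP-CLI) should report that the option does not exist; if a value comes back, the uninstall routine missed it.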
