Channel: Plugin Vulnerabilities

WordPress Plugins With at Least 150,000+ Installs Using Versions of Third-Party Library With Recently Disclosed Security Vulnerabilities


As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That is already helping to identify WordPress plugins that are using libraries with known vulnerabilities. Earlier this week, we noted that a plugin with 600,000+ installs was still using a vulnerable version of a library 17 months after an update was released. In that situation, we found that the developer had not released a security advisory for the vulnerability through the GitHub project. With another library, the developer recently released a couple of advisories, and we found that several fairly popular plugins are using an affected version of the library.

The library is PhpSpreadsheet, and the advisories were released on August 28. The plugins are all using version 1.x of the library, and an update for that was released on September 2.

