The Security Industry Isn’t Taking Responsibility for the Poor State of...
The massive outage caused by a faulty update by the equally massive security company CrowdStrike should be leading to a lot of soul searching in the security industry, but based on reporting from a...
The Plugin Security Scorecard Helps to Identify Insecure WordPress Security...
While our new Plugin Security Scorecard provides security grades for all types of WordPress plugins, there is an extra focus on security plugins. As security plugins often are as much of a problem for...
WordPress Plugin Security Review: Open Graph
Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for Open Graph. If you want a security review of plugins you use, when you become a...
Unaddressed WordPress Security Issue Behind Recent “Critical” Vulnerability...
Earlier this week, the WordPress security provider Wordfence released a post about a claimed “critical” vulnerability found in a WordPress plugin with 100,000+ installs. In that post they made this...
WordPress Documentation Doesn’t Warn About Security Risk of maybe_unserialize()
Last week we looked at an insecure WordPress function, maybe_unserialize(), that was part of the cause of a “critical” vulnerability that was receiving press coverage. We noted a couple of troubling...
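To make concrete why maybe_unserialize() is treated as insecure above, here is an added PHP example (not code from the post or from WordPress core) of PHP object injection through it, beside a variant that refuses objects. The Log_Writer gadget class, the serialized_object_string() helper and the simplified is_serialized() stand-in are assumptions made for the demo; the unserialize( trim( $data ) ) call with default options mirrors what core's maybe_unserialize() does.

```php
<?php
// Added example, not code from the post or from WordPress core. It shows why
// maybe_unserialize() is unsafe on attacker-controlled strings: the data is
// handed to PHP's unserialize() with no allowed_classes restriction, so any
// loaded class named in the string is instantiated and its magic methods run.

// Hypothetical gadget class: stands in for any class a site already loads
// (core, theme, another plugin) whose __destruct acts on its properties.
class Log_Writer {
    public $path;
    public $content;
    public function __destruct() {
        // With attacker-chosen properties this is an arbitrary file write.
        file_put_contents( $this->path, $this->content );
    }
}

// Simplified stand-ins for core's is_serialized()/maybe_unserialize(); the
// real is_serialized() validates more, but the unserialize() call is the
// same: unserialize( trim( $data ) ) with default options.
function is_serialized_simplified( $data ) {
    return is_string( $data ) && preg_match( '/^(?:[aOsibd]:|N;)/', $data ) === 1;
}
function maybe_unserialize_simplified( $data ) {
    if ( is_serialized_simplified( $data ) ) {
        return @unserialize( trim( $data ) );
    }
    return $data;
}

// Builds the serialized-object string an attacker would submit, e.g. in a
// POST field or user meta value that a plugin later passes to maybe_unserialize().
function serialized_object_string( $class, array $props ) {
    $out = sprintf( 'O:%d:"%s":%d:{', strlen( $class ), $class, count( $props ) );
    foreach ( $props as $name => $value ) {
        $out .= sprintf( 's:%d:"%s";s:%d:"%s";', strlen( $name ), $name, strlen( $value ), $value );
    }
    return $out . '}';
}

// Hardened variant: allowed_classes => false turns every object in the input
// into __PHP_Incomplete_Class, whose magic methods never run. Suitable when
// the stored data is only ever arrays and scalars.
function maybe_unserialize_no_objects( $data ) {
    if ( is_serialized_simplified( $data ) ) {
        return @unserialize( trim( $data ), [ 'allowed_classes' => false ] );
    }
    return $data;
}

// Constructed attacker input (the target path is under the temp dir for the demo).
$target  = sys_get_temp_dir() . '/object-injection-demo.txt';
$payload = serialized_object_string( 'Log_Writer', [
    'path'    => $target,
    'content' => "written by Log_Writer::__destruct\n",
] );

// Vulnerable path: a Log_Writer is created; unset() drops the last reference,
// __destruct fires and the file appears at $target.
$obj = maybe_unserialize_simplified( $payload );
printf( "vulnerable: got %s\n", is_object( $obj ) ? get_class( $obj ) : gettype( $obj ) );
unset( $obj );
printf( "file written: %s\n", file_exists( $target ) ? 'yes' : 'no' );
@unlink( $target );

// Hardened path: same payload, but the result is an incomplete class and no
// file is written when it is destroyed.
$safe = maybe_unserialize_no_objects( $payload );
printf( "hardened: got %s\n", is_object( $safe ) ? get_class( $safe ) : gettype( $safe ) );
unset( $safe );
printf( "file written: %s\n", file_exists( $target ) ? 'yes' : 'no' );
```

Run it with `php` from the command line. The point of the hardened variant is that the decision about whether objects are ever legitimate in the data belongs to the caller; a plugin that only stores arrays and scalars should never let a caller-supplied string pick the class that gets instantiated.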
Wordfence Security and Solid Security Developers Not Supporting Standard to...
In a recent post on the WordPress security provider Wordfence’s blog, they were claiming their “mission is to Secure the Web.” If you understand their business model this rings hollow, as what they...
Wordfence Caused 18 Day Delay in Developer Being Notified of WordPress Plugin...
One of the more troubling things going on with our competitors in providing information about vulnerabilities in WordPress plugins is how those security providers are trying to direct vulnerability...
WordPress Plugins Failing to Properly Uninstall Leads to Sensitive...
We recently completed a security review of a WordPress plugin we were planning to use on our website. We ended up not using the plugin because of an issue unrelated to the security review. While...
WordPress Plugin Security Review: Neznam Atproto Share
Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for Neznam Atproto Share. (We ended up not using the plugin for a reason unrelated...
Plugin Security Scorecard August Results
August was the first full month our Plugin Security Scorecard was available, and a fair number of plugins were checked: 144 in total last month, with 35 of those plugins being...
WordPress Plugin Security Review: Profile Builder
For our 44th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Profile Builder. If you are not yet a customer of the service, once you sign up for the...
It’s Very Common For Libraries Used in WordPress Plugins to Not Have a...
Yesterday, we noted in a post that a third-party library used in a very popular WordPress plugin didn’t have any listed security advisories in its GitHub project despite the developer having...
WordPress Plugins With at Least 150,000+ Installs Using Versions of...
As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That is already helping to...
WordPress Plugin Security Review: Download Monitor
For our 45th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Download Monitor. If you are not yet a customer of the service, once you sign up for the...
An Alternative to the WordPress Plugin Directory’s Poor Search Results
As part of working on our new Plugin Security Scorecard, we are categorizing plugins that are being graded, so that people can see how similar plugins compare. And possibly find a replacement plugin...
WordPress Plugin Review Team Returns Another Known Vulnerable Plugin to...
We are now over a year into a largely new team running the WordPress Plugin Directory. On one key issue, the new team is failing just like the old team. That is allowing known vulnerable plugins back...
Positive Reviews of WordPress Security Plugin Are Contradicted by Falling...
In June of last year, the WordPress security plugin Solid Security had 1+ million active installations according to data on the WordPress website. Currently, the install count is down to 800,000+...
WordPress Continues to Fail to Properly Address Malicious Code Loaded on...
In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a website to be loaded onto the admin area of websites...
Patchstack’s CEO Indirectly Admits Their Vulnerability Disclosure Program...
Earlier this year, when we were trying to figure out how to contact the developer of the Kadence Blocks plugin, which is a part of StellarWP, to alert them they had failed to fix a vulnerability in the plugin,...
WordPress Lacks Method to Verify That Plugin Is Truly a First-Party...
First-party WordPress plugins are not a new idea. Here is a post about the head of WordPress, Matt Mullenweg, talking about them, referring to them as canonical plugins, in 2009. And doing it again in...