Browsing all 199 articles

1+ Million Install WordPress Plugin Has Been Using an Outdated Known Insecure...

Last year we created the Plugin Security Scorecard tool to help the WordPress community to have a better understanding of the security of plugins and hopefully to get better practices more widely...

Two-Factor Authentication (2FA) Won’t Stop an Attacker From Using Their Own WordPress Account to Engage in Malicious Activity

Two-factor authentication (2FA) can be useful for securing WordPress...

300,000 Install WordPress Plugin That Hasn’t Updated Insecure Library in 21...

A week ago, someone checked the 300,000 install WordPress plugin FluentSMTP through our Plugin Security Scorecard. That identified multiple issues with the plugin: [Read more]

WordPress Plugins Can Include a Lot of Software That the Plugin’s Developer...

How much do you consider a WordPress plugin developer’s handling of security of their plugins when choosing to use or not use a plugin? Probably not much, considering even if you wanted to, your access...

Plugin That Patchstack Is Claimed to Ensure Is Secure Contains an Additional...

Last week we talked about two popular WordPress plugins that had been run through our Plugin Security Scorecard and identified as containing a rather out of date version of third-party libraries, which...

Our Plugin Security Scorecard Now Supports Checking ClassicPress Plugins

While the WordPress fork ClassicPress has gotten renewed attention with what has been going on with WordPress recently, we have had efforts related to the security of its plugins for years. Back in...

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’...

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is if a backward-looking determination...

WordPress Plugin Review Team Reviews Failing to Catch Basic Security Failure...

At the end of last year, one of the team reps for the team running the WordPress plugin directory provided an assessment on what the team had been up to. It incredulously credited one past member of...

New Insecure WordPress Plugin Marketed With Fake Norton Secured and (Retired)...

Yesterday, we reported that a new plugin from Brainstorm Force, a WordPress plugin developer with a long track record of poor security, was unsurprisingly also insecure. One thing that we noticed while...

Patchstack’s Vulnerability Disclosure Program (VDP) Goes Against Important...

In October, the European Union approved the Cyber Resilience Act (CRA) after two years of development. It seems well thought out, probably best shown by the authors’ understanding of the harm that...

OpenSSF Scorecard’s Developers Are Not Providing Evidence That The WordPress...

As described by the developers, the OpenSSF Scorecard “assesses open source projects for security risks through a series of automated checks” to “help users as they decide the trust, risk, and security...

Patchstack Apparently Didn’t Take Basic Step to Get Unfixed Exploitable...

Last week WordPress security provider Patchstack disclosed what they claimed was an unfixed exploitable vulnerability in a WordPress theme and one in a related WordPress plugin. We say claim, because...

A Bug Bounty Program Doesn’t Mean You Take Security Seriously

The security industry is really good at doing anything other than what actually makes the most sense to improve the poor state of security, which goes a long way to explaining why things are so bad...

WordPress Plugin Developers Directing Vulnerabilities Reports To Patchstack...

Earlier in the week, we talked about how the developers of a security solution were failing to show the WordPress community (and their wider audience) that their scores were providing a meaningful and...

Developers of Beaver Builder Didn’t Disclose They Were Updating Known...

Over the past couple of weeks we have been posting about popular WordPress plugins that are using outdated versions of third-party libraries that have been disclosed by the developers of the libraries...

Patchstack Admits to Failing to Do Basic Due Diligence With Vulnerability...

Last May, we looked into a claim from Automattic’s WPScan that a vulnerability in the 400,000+ install WordPress plugin Kadence Blocks had been fixed in its implementation of WordPress blocks. They...

WordPress (and Open Source In General) Have a Big Problem With a Lack of...

Looking back at some things while preparing a post about a WordPress security provider misleading people about the European Union’s Cyber Resilience Act, we ran across a letter that was put out by...

Plugin Security Scorecard January Results

January was the sixth full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 148 in total last month. With 7 of those plugins being...

CVE Actually Does Trust Open Source Implicitly and That Is a Problem

Last week the Security Developer-in-Residence at the Python Software Foundation Seth Michael Larson said he loved an article from Open Source Security. The article touched on an important issue with...

Patchstack Isn’t Actually Patching Vulnerabilities

You would reasonably think that a security company named Patchstack would be focused on patching security vulnerabilities, but it turns out they are not. In fact, they are actually making it harder for...
