Patchstack has identified 404 vulnerabilities that affect over 1.6 million websites, prompting them to report the issues to the WordPress.org Plugins Team for resolution. The team at WordPress.org will need to address these vulnerabilities to ensure the security of the affected websites and prevent potential cyber attacks.
Reporting plugins to WordPress.org is typically the last option for difficult situations, following Patchstack's inability to get in touch with the vendors. In this instance, a large number of these plugin authors are either unresponsive to messages or have not provided any contact information in their extensions. The vast majority of abandoned plugins impacting over 1.6 million sites have led Patchstack to refer to it as a "zombie plugins pandemic."
In response to the report, the WordPress.org Plugins Team closed over 70% of the plugins. Although the team accepted applications for additional team members in June and welcomed six new sponsored volunteers, they have had difficulty keeping up with the massive backlog of plugins that need to be reviewed. With a 71-day wait time, the backlog of over 1,119 plugins is still growing.
Developers are being urged by Patchstack to provide their contact information in the readme.txt and/or SECURITY.md files for their plugins. The company launched the free-to-join Patchstack mVDP (managed vulnerability disclosure program) project to expedite security issue management. Patchstack verifies the reports that are received, pays the researchers, and forwards the reports to the vendor for resolution.
According to Sveikauskas, we are putting out other lists along these lines for the WordPress.org themes repository as well as repositories devoted to premium goods. Currently, we are handling around 200 more vulnerabilities of a similar nature.
I created Feature Status Check, which is accessible in the plugin directory, in order to address the notification issue. It integrates with the site health page and monitors changes to your plugins and themes, sending out emails when something happens (new versions, repository closures, etc.).
Approve plugin authors rather than plugins. Automate WPCS for every plugin update. Should they not pass WPCS, the plugin will become inaccessible for a while. The plugin reactivates once they expire. The WPCS project is sponsored by WordPress.
Before submitting a plugin to the repository, the plugins team must pass the plugin inspection tool that they have been developing. This covers several of the more frequent infractions of standards in addition to tests for things like security vulnerabilities. We anticipate that by removing a significant number of catches per plugin submission and cutting down on back and forth, this will significantly aid in accelerating the plugin review process once it gets underway in the near future.
We send out advisories to developers who, in our experience, consistently handle security issues improperly. We offer information on which plugins are free to download from those developers, so you might utilize it to exclude them. Visit https://www.pluginvulnerabilities.com/security-advisories-on-wordpress-plugin-developers/ for more information about our advisories.
Visit this link for more information about reporting security flaws in plugins: https://meta.trac.wordpress.org/ticket/6939
0 Comments