We have started doing monitoring of the plugins in the ClassicPress Plugin Directory to try proactively catch serious vulnerabilities as they are introduced in to plugins. This is similar to monitoring we already do of the WordPress Plugin Directory, which has caught quite a few serious vulnerabilities. Of the plugins we could check, we didn’t find any serious issues so far, but running them through a more expansive check, we found a couple of with less serious security issues. We have notified the developers of those plugins about those issues.
We did run into a couple of issues. First, not all of the entries provide download links for the zip of the plugin, which is something that is a known issue, though it doesn’t appear to have been fully resolved. The other being that when requesting listing pages not through a web browser, they only show plugins that are “Developed for CP” and not “Works with CP”. Is there some addition to the URL that would include those or is there some other method of getting a list of the download links for the plugins in the directory?
This happens when a repo doesn’t have any tagged releases. We will want to flag those though as they will run into issues as we start building out the core functionality.
We are working on an API endpoint that will be required to install plugins from core that will need to support this. However, right now any plugins listed as “Works With” are hosted on the WP Plugin Directory.
For the “Works with CP” plugins, the issue we have is that the listings pages in the directory don’t list those if you request a listing page, say https://directory.classicpress.net/plugins?page=2, only the “Developed for CP” plugins. If you are visiting the directory in a web browser, there is option to show those, but if you just requesting the pages themselves, there doesn’t seem to be an option to have those shown as well. Is there not an additional URL parameter or some other URL that causes those to be shown as well?
There isn’t currently, we hot swap the page content. We can definitely look at supporting a URL parameter though. I will see if I have time this week to add one to the next deploy
@pluginvulns we have released the first version of the API for the directory.
Endpoints are as follows: /api/plugins returns paginated list of all published plugins /api/plugins/{slug} returns details about the specific plugin /api/developers returns paginated list of all published developers /api/developers/{slug} returns details about the specific developer and all their plugins
