Reporting Vulnerable Plugin

pluginvulns · June 14, 2021, 6:13pm

We recently ran the WordPress plugins included in ClassicPress’ plugin directory through a web-based automated security tool of ours and detected a couple with minor, but easy to detect, vulnerabilities. Both vulnerabilities had existed since their original version of their respective plugins, which isn’t a great sign for WordPress’ handling of the security of plugins, since new plugins are supposed to be reviewed for security. One of the vulnerable plugins was promptly fixed, but with the other, we haven’t even heard back from the developer. So in line with our reasonable disclosure policy, we have now disclosed that vulnerability. The ClassicPress Directory doesn’t look to have any information on how to report an issue like that in a plugin, so we are not sure how to address that with you.

We can also provide your team handling your plugin directory access to that tool if you start checking over the security of plugins you are adding to that.

viktor · June 14, 2021, 6:37pm

@wadestriebel is the lead on the plugin directory. You can PM him with details here in the forum, just click on his profile.

wadestriebel · June 15, 2021, 8:39pm

Ya if you DM me we can chat, I guess since it is a WP plugin that is listed as Works With we may just chose to hide it for now while we work on a proper policy.

pluginvulns · June 15, 2021, 5:16pm

We don’t have the option to send a private message. Maybe your forum setup limits newer accounts from using that.

wadestriebel · June 15, 2021, 8:38pm

I DM’d you, you should have a green notification over your avatar in the top right

system · June 17, 2021, 8:38pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.