Note: In this article I am talking about WordPress.org, the open source version of WordPress, not the hosted WordPress.com.
What is this about?
PluginVulnerabilities (PV) is a WordPress security service which (for a price) will check WordPress plugins for security vulnerabilities with prices starting from $250. I have no issue with this, this is a service which is needed to make sure products released into the public are as secure as they can be. PV do a great job of finding security issues in plugins but how PV are disclosing them, is where the issues start.
What have they done?
When PV find a security issue in a plugin (without being paid to do the review) they would go on the WordPress.org forums and post the security vulnerability on the very public forums while also promoting their review service. They ultimately got banned by the WordPress.org forum management team for spamming and not disclosing security issues responsibly. After having their main account banned, they kept up their methods by creating hundreds of new usernames to publish security vulnerabilities on the forums. This method ultimately got them banned permanently from the forums.
Responsible Disclosure
When a security reviewer finds an issue in software, they would either contact the developers directly or use a service like HackerOne (HO lets you get paid for disclosing security issues). This is called 'responsible disclosure' which lets the developers of the software release a fix before the issue can be used by persons with ill intent. Unfortunately PV have no intention of doing their disclosures responsibly so were using these security issues to promote their service(s).
What is the problem?
WordPress itself runs roughly 75 million websites, each website can install any plugin they like, a plugin could be in use on millions of websites. If a security issue is made public before it can be fixed, this can lead to potentially millions of websites left vulnerable to those with ill intent to take control of websites to steal data, inject malware or redirect users to nefarious websites. The implications of this could be huge for a company who uses Woocommerce to run their ecommerce store or run a high traffic website.
What are PV doing wrong?
What PV are doing isn't illegal but it's immoral, they are releasing security vulnerabilities to the public domain to embarass plugin developers into using their review service. By releasing the vulnerabilities before giving the developers time to fix the issue, they are giving developers no time to protect their users websites. On the 21st March, PV released a security vulnerability on their blog, within a few hours sites were being attacked using the methods in their post, they are actively giving people with ill intent access to attack WordPress websites. On the bottom of their "disclosure" they use the following wording:
*To make sure a plugin you are using or considering using has been properly secured you get a complete security review of it from us."
They are using security issues within open source plugins to promote their paid services while allowing innocent website owners to potentially lose their livelyhoods and be prosecuted by law enforcement because PV don't want to followi recommended 'responsible disclosure'.
Is there a solution?
Ultimately no, you can mitigate risks of security issues by installing a firewall (either through your webhost or a separate security company), a firewall can prevent attacks and be an extra layer of protection but unless the firewall knows of the attack method, it may not be able to block everything. There are WordPress security plugins which actively monitor and protect websites from new attacks, such as Sucuri and Wordfence but even these aren't 100% safe. Until every developer can code to not make mistakes in their code, vulnerabilities will happen.
PV would actually be giving themselves a better reputation if they responsibly disclosed their findings, plugin developers would be more interested in using a service from a company who has actively helped them secure their code. Because of their stance on how they disclose vulnerabilites, PV have and will be vilified for the way they act in the name of promoting their service(s). PV offer something the WordPress eco-system needs and plugin developers would use but they are doing the worst possible job of getting users on board.
Oldest comments (2)
Thanks for the insights!
I got to know about PV just the other day when I read a credit to them in the changelog for this plugin, wordpress.org/plugins/widget-logic...
Apart from the issues you point out above. For a site owner, is their service safe to use and useful?
As I understand it you install a plugin and it compares every x hour the plugin name+version of installed plugins with PV:s database of vulnerable plugins. You get an email alert if a plugin you are using is known to be vulnerable. They even say they somehow help you to protect yourself until the vulnerability is properly fixed. I guess you get access to a patched version of the plugin.
Here's more:
medium.com/@xorloop/wordpress-secu...