It’s a Good Plugin, but is lacking Transparency
Like many others here, I had a website which was compromised as a result of a security vulnerability in this Plugin. As a Free Open Source project, I can’t really blame the developers for the vulnerability – as a user, I have the responsibility of ensuring the Plugins I use are secure, and I might have been able to find the vulnerability and offer a patch if I had dedicated enough time to looking for it. So I’m not going to point a finger at the dev team here and blame them – I think we all need to share that responsibility.
But what I am disappointed in is how the vulnerability and patch were communicated. WordPress needs to have a way for developers to flag high priority security patches to their users, to ensure that they are given the urgent attention they deserve, and aren’t lost in the noise of other Plugins making trivial changes in their releases. I had no idea that I was running a vulnerable version of the Plugin until I was attacked. Each WordPress install routinely runs checks to see whether updates are available, and each install knows the email addresses of the Administrators – if an update was flagged as critical, then my install would be able to see that flag, and email all my Admin users alerting them to the release.
Also, this Plugin’s Changelog makes no mention of which release patched the vulnerability published under CVE-2023-6875. I presume v2.8.8 was the fix, but there is no transparent messaging that this is the case.
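The review above proposes that a site's own update check should notice a security-relevant plugin release and email the administrators. As an added illustration (not code from the reviewer, from WordPress core, or from the plugin under review), the must-use plugin below shows one way a site owner could get that behaviour today. WordPress has no "critical" flag in its update API, so the example assumes a heuristic instead: the `upgrade_notice` text that the wordpress.org update API returns when a plugin's readme carries an Upgrade Notice entry is scanned for the word "security" or a CVE identifier. The option name `sua_notified` and the `sua_` function prefix are made up for this example.

```php
<?php
/**
 * Plugin Name: Security Update Alert (example)
 * Description: Emails administrators when a pending plugin update looks like a security fix.
 *
 * Assumption: dropped into wp-content/mu-plugins/ so it loads on every request.
 * Assumption: an update is "security-relevant" when its Upgrade Notice mentions
 * "security" or a CVE id. Plugins without an Upgrade Notice are not detected,
 * which is exactly the transparency gap the review complains about.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Decide whether one update response object describes a security fix.
 * $update->upgrade_notice is only present when the plugin author wrote one.
 */
function sua_is_security_update( $update ) {
    $notice = isset( $update->upgrade_notice ) ? (string) $update->upgrade_notice : '';
    return (bool) preg_match( '/\bsecurity\b|\bCVE-\d{4}-\d{4,}\b/i', $notice );
}

/**
 * Inspect freshly fetched update data before WordPress caches it.
 * $value->response is keyed by plugin file ("dir/file.php") with one object per update.
 */
function sua_scan_plugin_updates( $value ) {
    if ( empty( $value->response ) || ! is_array( $value->response ) ) {
        return $value;
    }

    // Remember which (plugin, version) pairs were already mailed so the
    // twice-daily update check does not resend the same alert.
    $notified = get_option( 'sua_notified', array() );
    $alerts   = array();

    foreach ( $value->response as $plugin_file => $update ) {
        if ( ! sua_is_security_update( $update ) ) {
            continue;
        }
        $key = $plugin_file . '@' . $update->new_version;
        if ( isset( $notified[ $key ] ) ) {
            continue;
        }
        $notified[ $key ] = time();
        $alerts[]         = sprintf(
            "%s -> %s\n%s",
            $plugin_file,
            $update->new_version,
            trim( (string) $update->upgrade_notice )
        );
    }

    if ( $alerts ) {
        sua_email_admins( $alerts );
        update_option( 'sua_notified', $notified, false );
    }

    return $value;
}
add_filter( 'pre_set_site_transient_update_plugins', 'sua_scan_plugin_updates' );

/**
 * Send one message to every administrator account on the site,
 * falling back to the site's admin_email if no admin users are found.
 */
function sua_email_admins( array $alerts ) {
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_email' ) ) );
    $to     = array_unique( array_filter( wp_list_pluck( $admins, 'user_email' ) ) );
    if ( ! $to ) {
        $to = array( get_option( 'admin_email' ) );
    }

    $subject = sprintf(
        '[%s] Security update available for %d plugin(s)',
        wp_specialchars_decode( get_bloginfo( 'name' ) ),
        count( $alerts )
    );
    $body = "The following plugin updates mention a security fix in their upgrade notice.\n"
          . 'Review and apply them at: ' . admin_url( 'plugins.php' ) . "\n\n"
          . implode( "\n\n", $alerts ) . "\n";

    wp_mail( $to, $subject, $body );
}
```

The filter runs each time WordPress refreshes its plugin update cache, so no extra cron job is needed. Because the detection depends on plugin authors filling in an Upgrade Notice, a release that silently fixes a vulnerability (the situation the review describes) still slips through; that is an argument for the flag the reviewer asks for, not a substitute for it.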