Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thanks, GreatBlakes! And just to leave no room for misunderstandings, the other 3 issues that are not XSS did not influence the risk score. We have disabled code quality issues for the score but enabled them for the results that the maintainers can see.

    > Relying on a black box security score to determine whether you should use a plugin doesn’t seem like a good idea in general.

    I agree to a certain degree. That is the reason why the maintainer of the plugin has access to the full results. I would only think about abandoning a plugin with a high score if it was already abandoned by its maintainer. This is also what we recommend to do in the info text on CodeRisk.

    > In this case not only does the company behind it not have a great understanding of security based on what we have seen in the past

    I am not sure where you get this from, but we have found many critical vulnerabilities in large applications and plugins in the last years. You can find some of them here: https://www.ripstech.com/security-vulnerability-database/, but the smaller ones (which are many more) are not even listed.

    > In regards to database queries, in our checking we only found that there were only five that could run (one more is commented out) and all of them look to be properly secured using prepared statements, so there doesn’t appear to be any issue in that regard or any reason to change the plugin’s usage of database queries.

    Yes, the reason for that is that it was not a SQL injection that was discovered. And the finding does look valid to me. We will create a PR with a fix next week.

    Also, your blog post is full of misinformation, pluginvulnerabilities. CodeRisk might not have picked up a vulnerability; that is a possibility, and we also write that on the site, but this does not lower the significance of a high score. On the other hand, we have found many real vulnerabilities in WordPress plugins that are not picked up by your tool. Does that mean it is completely useless?

    You can also compare the risk timeline of CodeRisk to public vulnerabilities that are published on https://wpvulndb.com/ and you will see that most of the time (not always!) the risk score decreases if a vulnerability was found and fixed.
