Twenty-six disclosures this week, with ten issues unfixed.
The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha (300K installs) contained backdoor code. In looking through the repository, it appears the code was introduced in v4.3.6 of the plugin. Version 4.4.5 was released earlier this week with the code removed. The committer was Otto, so I’ll assume the WordPress plugin team removed the offending code and pushed the update. Please make sure you have updated to 4.4.5 of the plugin and change the password on your admin accounts. Also check for any additional user accounts that you do not recognize.
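One concrete way to run the account check above, as an added example that is not part of the original post: a query against the WordPress database that lists every account holding the administrator role, newest first, so an account you did not create stands out. It assumes the default `wp_` table prefix (capabilities are stored under the meta key `wp_capabilities`); adjust both if your site uses a different prefix.

```sql
-- Added example, not from the original post.
-- Lists all administrator accounts, newest registration first.
-- Assumes the default "wp_" table prefix; the capabilities meta key
-- is "<prefix>capabilities", so change both if your prefix differs.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  -- capabilities are PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;
```

Any administrator whose `user_registered` date falls after the backdoored plugin version was installed on your site deserves a close look before you decide whether to keep it.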
This disclosure highlights (yet again) that the WordPress community really needs to think about the current state of how plugins are handled, and how we’re going to address plugin security as we head into 2018. There are over 50,000 plugins in the WordPress repository and only a handful of people on the plugin review team. Even if they had 100 people on the review team, there’s no way they could feasibly review all code submissions in a timely manner. I know many in the community would be unhappy adopting a Drupal-style review process, as that process takes much, much longer than what WordPress developers are used to. However, this is the third (maybe fourth?) time this year we’ve seen a popular plugin shift to a new developer who introduces code with malicious intent. I’m hoping that the upcoming Tide project will help in some way, but automated scans are rarely able to uncover all issues. As a community, we need to drastically change the way we look at and handle plugins. When a third of the entire web relies on you, a nonchalant attitude toward security is no longer acceptable.
I’ll be out next week for the holiday break, so there will be no report next Friday. I’ll release a two week report on January 5, 2018. I hope everyone has a fantastic holiday season.