2023-09-02

Patchstack, a cybersecurity company, has reported 404 plugins to WordPress’ Plugin Review Team after discovering undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org. This move comes as many plugin authors have failed to include contact information in their extensions or have been unresponsive to communication attempts, leading to what Patchstack describes as a “zombie plugins pandemic” affecting over 1.6 million sites.

Normally, reporting plugins to WordPress.org is a last resort for Patchstack after exhausting all other means of contacting the vendors. However, with the lack of responsiveness from these developers, Patchstack felt it necessary to take action. The company sent a full list of the 404 vulnerabilities to the plugins review team for processing.

To address these issues, the WordPress.org Plugins Team has closed over 70% of the reported plugins. In an effort to handle this influx of vulnerabilities, the team added six new sponsored volunteers and opened applications for more team members. However, the backlog of plugins waiting to be reviewed has continued to grow, reaching over 1,119 plugins with a 71-day wait time.

Patchstack has provided some statistics associated with the reported vulnerabilities, including the number of affected plugins, the number of closed and patched plugins, and the number of active installs affected. The company urges developers to include their contact details in their plugins’ readme.txt and/or SECURITY.md files to streamline security issue management.

In addition, Patchstack has created the Patchstack mVDP (managed vulnerability disclosure program) project, which allows developers to join for free. Through this program, Patchstack verifies the reports, rewards the researchers, and passes the information to the vendors for resolution.

Furthermore, Patchstack is advocating for a dashboard alert system that notifies users when a plugin or theme is removed due to security reasons. Currently, WordPress does not provide this information to users. Patchstack plans to submit more reports in the future, potentially resulting in the closure of additional vulnerable extensions.

In conclusion, the accumulation of undisclosed and unpatched vulnerabilities in WordPress plugins poses a significant risk to the WordPress community. Patchstack’s proactive measures to report these vulnerabilities and advocate for improved security practices aim to protect users and enhance the overall security of the WordPress ecosystem.