Why was Import Users From CSV With Meta "closed" in the WordPress plugin repository for a few days?


Three Saturdays ago I received an email from the WordPress Plugins team: they had removed Import Users From CSV With Meta from the plugin repository because of a security issue. The truth is that, beyond the initial worry, I was somewhat confused, because they referred to a problem that belonged not to this plugin but to another. Specifically, they pointed to this article about a security bug in WooCommerce Checkout Manager. I assumed the link was a mistake and started looking through that blog dedicated to WordPress security (WordPress plugins more specifically) called Plugin Vulnerabilities. And indeed, there was an earlier post about a security flaw (already resolved) in this plugin.

How did it all start?

A few days earlier, a user of the plugin had found that JavaScript code could be executed from the CSV. That is, someone using the plugin could feed it a CSV crafted specifically to attack, so that JS code would be executed after the import. The truth is that the danger of this gap was minimal, because this plugin is only used by administrators with their own CSV files, but still, I quickly closed the hole that could lead to the XSS attack.

When committing, I noted that I had resolved a security issue.

Writing a post about another security flaw without letting us know

Here is what I consider most serious. If you find a security issue, the first thing to do is notify the developers so they can fix it, and only then publish. It seems that at Plugin Vulnerabilities they don't take that into account; they excuse themselves by saying something like WordPress.org doesn't let them write there because they report vulnerabilities in the forums (logical). They should look for a contact form for the plugin (in this case that is very simple too).

The article comes out, someone responsible for WordPress.org plugins reads it, and directly closes the plugin.

How do you get them to make the plugin available again?

Basically it is necessary to do two things:

  1. The most urgent is to close the security problem that people have found "outside"
  2. The second is to close any other "hole" that could lead to a security problem

If you submit plugins to the repository, you will know that in the initial review they are truly thorough, reviewing a number of things; however, once the plugin is authorized that review disappears, and at this point they ask you to review everything again. I find it curious, because when I uploaded this plugin years ago the reviews were very lax (with the last ones I have uploaded, it is true that they have asked me to harden them).

So, after a few days plugging holes, sending emails and receiving answers, the plugin was available again and everyone was happy again.

Conclusion

So, the summary of all this is as follows:

  1. As you might have imagined, the plugin is now much safer than before
  2. It is true that, unlike other plugins that have created real security problems (just ask the SMTP plugin from wpecommerce), our failures were minor and complicated to exploit
  3. The security measures they force you through to register a plugin are not applied again afterwards, so there may be plugins with real holes in the repository if nobody has raised the alarm
  4. Whenever you develop a plugin you must keep in mind to validate any input or output you have
  5. Needless to say, any ajax call or form must be backed by a nonce
  6. And if you deal with files, as is the case here: use the standard functions to handle them (which do many validations) and take care of the directory traversal attack
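Points 4 to 6 of the summary, as an added example that is not the plugin's own code: an admin-side CSV import handler that requires a nonce, hands the upload to the standard WordPress functions, sanitizes each cell on input and escapes it on output, so a cell such as `<script>alert(1)</script>` is reduced to plain text before the import report is rendered. The hook name `admin_post_acui_import`, the nonce action `acui-csv-import` and the form field `csv_file` are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Assumed names: the admin_post hook,
// the nonce action 'acui-csv-import' and the upload field 'csv_file'.
add_action( 'admin_post_acui_import', 'acui_example_handle_import' );

function acui_example_handle_import() {
    // Only administrators may import, and the form must carry a valid nonce
    // (check_admin_referer() dies on a missing or stale _wpnonce).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'acui-csv-import' );

    // Let WordPress validate the upload (extension/MIME checks, safe target
    // directory) instead of moving $_FILES['csv_file']['tmp_name'] by hand.
    $upload = wp_handle_upload(
        $_FILES['csv_file'],
        array( 'test_form' => false, 'mimes' => array( 'csv' => 'text/csv' ) )
    );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ) );
    }

    // A user-supplied name is never joined to a path as-is: basename() drops
    // any "../" segments (directory traversal) and sanitize_file_name()
    // removes the remaining characters that have no place in a file name.
    $display_name = sanitize_file_name( basename( $_FILES['csv_file']['name'] ) );
    echo '<p>Importing from ' . esc_html( $display_name ) . '</p><ul>';

    $handle = fopen( $upload['file'], 'r' );
    while ( ( $row = fgetcsv( $handle ) ) !== false ) {
        // Validate on input: every cell becomes plain text (tags stripped,
        // control characters removed), so HTML or script in a cell is lost.
        $clean = array_map( 'sanitize_text_field', $row );

        // ... create or update the user from $clean here ...

        // Escape on output: sanitized or not, data is escaped when echoed back
        // in the import report, which is where an injected script would fire.
        printf( '<li>Imported %s</li>', esc_html( $clean[0] ) );
    }
    fclose( $handle );
    echo '</ul>';

    // The CSV has served its purpose; do not leave it in the uploads folder.
    unlink( $upload['file'] );
}
```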

If something similar happened to you, or you need help making your plugins safer, tell us. Unlike other plugins, this user-import plugin is not profitable by itself, but it is a small but great free software project that is on its way to a million downloads, with 30,000 active installations (heading for 40,000); so every minute it was out of the repository hurt us.

