Security Vulnerability Fixes Often Left Unmentioned In WordPress Plugin Changelogs

When it comes to security companies, we often see that they seem less interested in actually improving security than getting themselves attention. In some cases the harmful effects of this are quite obvious, like when a security companies falsely implicates a piece of software as being a common connection between a group of hacked websites leading people to believe that software is insecure when it isn’t. A less obvious situation where this attention seeking comes in to play is when a security company warns that you need to update a WordPress plugin since it has a security vulnerability. What could be the problem with that you are probably thinking? The answer is that you need to update all of your plugins in a timely manner, and not try to keep track of what ones might have a security vulnerability and therefore need to be updated immediately. The reason for this is that there is a good chance that you won’t be able to tell if an update fixes security vulnerability, even if you review the changelog for plugin (which in turn is more likely to warn you about security issue than following any security company).

Recently we started working on a new plugin, Plugin Vulnerabilities, that provides information on vulnerabilities that exist and previously existed in the plugins you have installed in WordPress. One of the places we look at when determining what versions of a plugin are susceptible to a vulnerability is the plugin’s changelog. In doing that we have found that the amount of details provided in the changelog when a security issue is fixed varies widely. In many cases the fact that a vulnerability has been fixed is disclosed (sometimes with basic details of the vulnerability include as well), but in plenty of cases there is no mention at all that a security vulnerability has been fixed.

To get a better idea how frequently security vulnerability fixes are left out of the changelog, we went through the vulnerabilities currently listed in our Plugin Vulnerabilities plugin for which the relevant plugin is currently in the wordpress.org Plugin Directory and tallied up whether the vulnerability being fixed was mentioned in the changelog or not. In our sample of 66 plugin updates, we found that in 19.7 percent of them the changelog made no mention of a vulnerability being fixed. The breakdown of the changelog mentions are as follows:

  • 43 updates listed that a vulnerability fix was included
  • 10 updates mentioned that a fix for a potential or possible vulnerability was included (in all cases the vulnerability was in fact exploitable)
  • 13 updates made no mention of a vulnerability being fixed

Jut based on the fact that you have about a 1/5 chance that a security fix isn’t mentioned in changelog, not updating plugins all the time seems like a bad idea, but what is more important is how severe the vulnerabilities fixed that are not mentioned can be. Take for instance version 5.2.91 of Special Text Boxes plugin, which had the following listed as the change made in the release:

The possibility of manipulating custom themes has been removed by request of administration of wordpress.org plugins repository.

Would you have guessed that referred to fixing an arbitrary file upload vulnerability that was being actively exploited before 5.2.91 was released? Probably not.