Plugin Vulnerabilities
pluginvulns.bsky.social
Provider of service to protect websites from being exploited due to vulnerable WordPress plugins. https://www.pluginvulnerabilities.com/
Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of June 6
www.pluginvulnerabilities.com
June 6, 2025 at 10:01 PM
WordPress Firewall Plugin Claimed to Protect Against "Any Threat" Doesn't Stop Even One Simulated Attack From Firewall Testing Tool
www.pluginvulnerabilities.com
June 3, 2025 at 10:30 PM
Patchstack Now Withholding Misappropriated Information Needed to Secure Plugins in WordPress Plugin Directory From WordPress
www.pluginvulnerabilities.com
May 30, 2025 at 10:30 PM
Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 30
www.pluginvulnerabilities.com
May 30, 2025 at 10:01 PM
The WordPress Meta team holding up the community once again.
May 30, 2025 at 8:28 PM
With Automattic announcing a return to contributing to WordPress, it's worth noting that there hasn't been a change with the cited reasons they gave for reducing their contributions in January.

WP Engine's lawsuit is still on and they haven't boosted their contributions.
Aligning Automattic’s Sponsored Contributions to WordPress
Automattic has always been deeply committed to the success of WordPress, dedicating significant resources and talent to its development for almost two decades. However, we’ve observed an imbalance …
automattic.com
May 30, 2025 at 8:25 PM
WP Engine Study Finds That Security Is Somehow Considered One of WordPress' Benefits and Also Disadvantages
www.pluginvulnerabilities.com
May 28, 2025 at 10:00 PM
Patchstack tries to get people to report plugin vulnerabilities to them instead of developers or WordPress. Now they are refusing to provide the information to WordPress.
Security vulnerability
Security vulnerability Resolved Artan (@artankrasniqi1988) 1 day, 9 hours ago Hi, wordfence reported a high level vulnerability: Had to uninstall the plugin for now. Hope a fix comes so I can react…
wordpress.org
May 27, 2025 at 9:33 PM
Would anyone guess that this changelog entry for a WordPress plugin with 2+ million installs was referring to fixing a vulnerability?:

"Improved context-dependent escaping in dynamic content tags."
May 27, 2025 at 8:48 PM
"we always take security seriously" - WordPress plugin developer who still hasn't fixed an exploitable vulnerability two months after apparently being notified of it
Security vulnerability
Security vulnerability Resolved Artan (@artankrasniqi1988) 1 day, 7 hours ago Hi, wordfence reported a high level vulnerability: Had to uninstall the plugin for now. Hope a fix comes so I can react…
wordpress.org
May 27, 2025 at 7:00 PM
A WordPress plugin with 100,000 installs has an unfixed vulnerability being targeted by a hacker and Patchstack's response is to suggest you pay them $5 a month for a firewall rule they call a "patch".

WordPress could release a real patch for free. We would provide them with the patch for free.
Unpatched Critical Vulnerability in TI WooCommerce Wishlist Plugin - Patchstack
🚨 A critical unpatched vulnerability in the TI WooCommerce Wishlist plugin allows unauthenticated file uploads and potential RCE. Over 100K sites affected. As usual, Patchstack users are protected. 🛡️
patchstack.com
May 27, 2025 at 5:24 PM
WordPress Plugin Submission Review Seems to Have Failed Badly With ConvertPro
www.pluginvulnerabilities.com
May 23, 2025 at 10:31 PM
Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 23
www.pluginvulnerabilities.com
May 23, 2025 at 10:00 PM
Long Overdue Security Review of WordPress Would Cost Only 0.25% of WP Engine's Estimate of Cost of One WordPress Website
www.pluginvulnerabilities.com
May 23, 2025 at 6:00 PM
Mary Hubbard:

"Rotating roles can help us avoid centralizing too much authority in any one place, and it guards against the single points of failure that open source and communities should always aim to minimize."

Is rotating roles going to apply to her boss Matt Mullenweg?
May 22, 2025 at 10:35 PM
WordPress Hasn't Addressed Hacker Targeted Plugin With 100,000+ Installs That Has Unfixed "Critical" Vulnerability
www.pluginvulnerabilities.com
May 22, 2025 at 8:00 PM
8 months after a vulnerability was reported to someone, it still hasn't been fixed.

It's unclear what happened here, but the developer claims that the vulnerability was reported to @patchstack.com instead of to them. They say Patchstack made a public claim after 6 months, but didn't notify them.
Is Brizy, Patchstack, or Both to Blame For Lack of Fix for Vulnerable WordPress Plugin With 80,000+ Installs After 8 Months?
www.pluginvulnerabilities.com
May 21, 2025 at 10:52 PM
Is Brizy, Patchstack, or Both to Blame For Lack of Fix for Vulnerable WordPress Plugin With 80,000+ Installs After 8 Months?
www.pluginvulnerabilities.com
May 21, 2025 at 10:30 PM
They don't mention how many websites are using the new plugins. A quick check of our lagging data shows that almost all of the plugins added to the directory this year have under 100 installs, with only slightly over 2% above that, and roughly 83% having under 10 installs.
May 21, 2025 at 8:31 PM
We have added the FV Gravatar Cache to the roster of WordPress plugins that receive continuous security review from us. That entails us reviewing every update to the plugins for any changes that impact security.

If you want a plugin to get the same level of coverage, we have a service for that.
Continuous WordPress Plugin Security Review Service
www.pluginvulnerabilities.com
May 21, 2025 at 8:02 PM
The FAQ for the Brizy WordPress plugin tells you to report issues through GitHub and links to a page to do that.

If you try to create an issue, it doesn't work with the vague message "Unable to create issue." returned. 1/2
Pull requests · ThemeFuse/Brizy
Brizy is the most user-friendly visual page builder in town! No designer or developer skills required. The only tools you'll need to master are clicks and drags. - Pull requests · ThemeFuse/Brizy
github.com
May 21, 2025 at 5:05 PM
Wordfence Missed That Authenticated Persistent XSS Vulnerability in 2+ Million Install MC4WP: Mailchimp for WordPress Wasn't Fixed
www.pluginvulnerabilities.com
May 19, 2025 at 7:15 PM
Patchstack VDP Partner WPMU DEV Incompletely Fixed Privilege Escalation Vulnerability in Broken Link Checker
www.pluginvulnerabilities.com
May 17, 2025 at 6:13 PM
Plugin Security Scorecard April Results
www.pluginvulnerabilities.com
May 16, 2025 at 1:00 PM
600k WordPress Backup Plugin Claiming to Be "Easiest Way to Protect Your Website" Contains Decade Out of Date Insecure Library
www.pluginvulnerabilities.com
May 15, 2025 at 6:00 PM