WordLift CVE and the WordPress Plugin Directory Review
Learn more about WordLift security and how we got back into the WordPress plugin directory by shipping a patch release and completing a full code review.
TL;DR
WordLift 3.37 was temporarily removed from the WordPress plugin directory from the 22nd of August to the 7th of September 2022 in response to a security report. The severity was rated low, but we immediately released a patch version and followed up with a full code review, with the support and feedback of the WordPress volunteers, to tighten the plugin. On the 7th of September WordLift was reopened with version 3.38.0.
Introduction
The WordLift Plugin for WordPress is the most developed and most widely used client of the WordLift platform.
Development of the plugin started more than 10 years ago as an experiment in bringing the power of the Semantic Web into WordPress and republishing the data as Linked Data in order to boost the website's SEO.
Since then we have pushed more than 250 releases to the WordPress Plugin Directory, adding new features and supporting new WordPress versions, and we have grown to hundreds of customers using it to get more visibility on the SERP.
What happened
On the 22nd of August we received a message from the WordPress Plugin Directory volunteers about a security report concerning WordLift Plugin 3.37: the plugin allowed a WordPress administrator to insert arbitrary HTML into a WordLift configuration field.
The original description of the issue:
“The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.”
Further details about the report are available in the CVE entry and in the WPScan advisory.
Because only an administrator could exploit it, the severity of the issue was rated low, and we immediately pushed a patched version of the plugin to the WordPress Plugin Directory. The caveat that matters in practice is the last clause of the report: the unfiltered_html capability is the boundary that WordPress uses to stop a user from storing raw HTML, so a setting that is neither sanitised on save nor escaped on output bypasses that boundary on sites where it is enforced (multisite, or single sites that define DISALLOW_UNFILTERED_HTML).
However, the report triggered a process in which the WordLift plugin underwent a full review by the WordPress team. During the review the plugin was temporarily taken offline.
The full review was deemed necessary because the report signalled that WordLift is gaining traction and a larger customer base, and may therefore be considered a target.
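The following is an added example written for this page, not WordLift's own code, showing the class of bug the report describes and the hardened form: a settings field stored without a sanitize callback and printed without escaping, beside the same field registered with sanitization, protected by a capability and nonce check, and escaped for its HTML context. The option, settings-group and nonce names (`wl_example_setting`, `wl_example_group`, `wl_example_nonce`) are hypothetical; the WordPress functions used are real core APIs.

```php
<?php
/**
 * Added example, not WordLift's code. The option and field names
 * ('wl_example_setting', 'wl_example_group', 'wl_example_nonce')
 * are hypothetical; the WordPress functions used are real core APIs.
 */

// ---- Vulnerable pattern -------------------------------------------------
// The submitted value is stored as-is and printed as-is. WordPress core
// applies its kses filtering to post content for users who lack
// unfiltered_html; it does nothing for plugin options. So an administrator
// on a site where unfiltered_html is disallowed (multisite, or
// DISALLOW_UNFILTERED_HTML) can still persist <script> here, and it runs
// for everyone who opens the settings page.
function wl_example_save_vulnerable() {
	if ( isset( $_POST['wl_example_setting'] ) ) {
		update_option( 'wl_example_setting', $_POST['wl_example_setting'] );
	}
}

function wl_example_render_vulnerable() {
	$value = get_option( 'wl_example_setting', '' );
	// A value such as  "><script>...</script>  closes the attribute and the tag.
	echo '<input type="text" name="wl_example_setting" value="' . $value . '">';
}

// ---- Hardened pattern ---------------------------------------------------
// 1. Register the option with a sanitize_callback: update_option() runs it
//    on every write path (settings form, REST API, WP-CLI), not only ours.
// 2. Check capability and nonce before writing.
// 3. Escape on output with the function for the HTML context in use.
function wl_example_register_setting() {
	register_setting(
		'wl_example_group',
		'wl_example_setting',
		array(
			'type'              => 'string',
			'sanitize_callback' => 'wl_example_sanitize',
			'default'           => '',
		)
	);
}
add_action( 'admin_init', 'wl_example_register_setting' );

// Plain-text setting: strip tags and stray octets, normalise whitespace.
// If a setting genuinely must hold limited HTML, use wp_kses_post() here
// instead; it enforces the same allow-list that post content gets.
function wl_example_sanitize( $value ) {
	return sanitize_text_field( (string) $value );
}

function wl_example_save_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	check_admin_referer( 'wl_example_save', 'wl_example_nonce' );
	if ( isset( $_POST['wl_example_setting'] ) ) {
		// wp_unslash() undoes WordPress's magic-quotes slashing; the
		// registered sanitize_callback then runs inside update_option().
		update_option( 'wl_example_setting', wp_unslash( $_POST['wl_example_setting'] ) );
	}
}

function wl_example_render_hardened() {
	$value = get_option( 'wl_example_setting', '' );
	// esc_attr() for an attribute value; esc_html() for text nodes,
	// esc_url() for href/src, wp_json_encode() for data passed to JS.
	printf(
		'<input type="text" name="wl_example_setting" value="%s">',
		esc_attr( $value )
	);
	wp_nonce_field( 'wl_example_save', 'wl_example_nonce' );
}
```

Sanitizing on save and escaping on output are both needed: the sanitize callback is what keeps the stored value clean across every write path, and the output escaping is what protects a page even if an older unsanitised value is already in the database.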
By comparison, Yoast and RankMath have 11 and 2 security reports respectively (as of Sep 8, 2022).
Our response
Soon after releasing the patched version, we worked with the WordPress team of volunteers on a full review of the plugin to tighten its security, between the 22nd of August and the 7th of September 2022.
We took Jetpack as the reference for the review of the WordLift plugin. Jetpack is a flagship plugin by Automattic and one of the most popular and widely used plugins, and, like every WordPress plugin published in the directory, it is open source.
We looked at how Jetpack lints its code (static analysis of the source for errors and style violations) and found a set of helpful rules that scan the whole plugin and report everything from critical issues to formatting issues.
Running the scan on WordLift showed considerable room for improvement (in the phpcs progress output, E marks a file with errors).
It took us about 2 weeks, 6 intermediate reviews by the WordPress volunteers team, and 941 files changed, 39228 insertions and 35844 deletions to get to a clean run (a dot marks a file with no errors).
After the final review, on the 7th of September, the plugin was reopened to the public.
Lessons learned
A lot has changed since we first published the WordLift plugin to the WordPress Plugin Directory 10 years ago.
We were already restructuring our team to give the WordLift plugin better care, and this event gave us more impetus to move quickly forward with the following actions:
- Hire new members for our product team to work on WordLift's plugin, bring new features and do cross code reviews (apply here).
- Adopt best coding practices by running the linter at every commit and enforcing its rules, which means running phpcs with the Jetpack rules on every commit.
- Participate in and contribute to other open source projects, like the Pods Framework, to integrate the best code and share knowledge.
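As an added example, not WordLift's actual configuration, this is what "phpcs with the Jetpack rules" looks like as a `phpcs.xml.dist` at the plugin root. It assumes the `automattic/jetpack-codesniffer` Composer package is installed as a dev dependency (it ships the `Jetpack` ruleset and registers it with phpcs through the Composer installer plugin it depends on); the exclude patterns and the `sp` argument, which prints the sniff code for each finding and the per-file progress dots and E/W markers mentioned above, are choices made for this example.

```xml
<?xml version="1.0"?>
<ruleset name="WordLift example">
  <description>Added example phpcs configuration applying the Jetpack ruleset; not WordLift's own phpcs.xml.dist.</description>

  <!-- Scan the plugin root, skipping vendored and built artefacts. -->
  <file>.</file>
  <exclude-pattern>*/vendor/*</exclude-pattern>
  <exclude-pattern>*/node_modules/*</exclude-pattern>

  <arg name="extensions" value="php"/>
  <!-- -s: show sniff codes; -p: print progress (dot = clean, E = error, W = warning). -->
  <arg value="sp"/>

  <!-- The Jetpack standard from automattic/jetpack-codesniffer. -->
  <rule ref="Jetpack"/>
</ruleset>
```

With this file in place, `vendor/bin/phpcs` with no arguments scans the plugin, and the same invocation run from a Git pre-commit hook or the CI job is what turns the rules from a one-off cleanup into something enforced at every commit.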
FAQ
When was the WordLift plugin developed?
WordLift development started in 2010.
Is WordLift plugin being removed from the WordPress Plugin Directory?
The WordLift plugin was temporarily delisted between the 22nd of August and the 7th of September 2022 in order to perform and complete a full review and ensure its conformance with the latest standards. The plugin was relisted on the 7th of September.
Is WordLift safe?
WordLift is safe. In more than 10 years only one security issue, rated low risk, has been found, compared with 11 security issues in Yoast and 2 in RankMath. Version 3.38.0, released on the 7th of September 2022, contains the update that brings WordLift in line with the Jetpack coding standard.
What is the WordPress Plugin Directory?
The WordPress Plugin Directory is the official catalogue of free WordPress plugins. It is maintained by a team of volunteers.
What is a CVE?
CVE (Common Vulnerabilities and Exposures) is a catalogue of publicly disclosed software vulnerabilities, launched in 1999, in which each entry receives a unique identifier. It later evolved into the CVE Program, whose stated mission is “to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities”.
What is WPScan?
WPScan is a security scanner for WordPress websites. It also maintains a database of WordPress core, plugin and theme vulnerabilities, and it is a CVE Numbering Authority for WordPress plugins and themes, which is why the report above has both a CVE entry and a WPScan advisory.
What is Jetpack?
Jetpack is a flagship plugin created by Automattic providing a comprehensive set of features to WordPress.
Who is Automattic?
Automattic is the company behind WordPress.com and a major contributor to the open source WordPress project.
What does “lint” mean?
To lint code means to run a static analysis of the source that reports errors, likely bugs, and style or formatting problems without executing the program.