As I always do, I reviewed this week’s WordPress Vulnerability Report (WPVR) by iThemes Security Pro. This one was a lot larger than normal with 329 total vulnerabilities. It turns out that one of the most popular tools, used by hundreds of plugin and theme developers, had some moderately serious security issues. (Reference: Freemius WordPress SDK 2.5.9 Security Disclosure).
Freemius WordPress SDK is a framework that helps plugin and theme vendors to offer a free version of their product and also offer an upgraded “Premium” version, typically the premium version adds new or improved features to the Free version making it worth the cost – if you really need the features or improvements.
Freemius SDK is described by the vendor as “a monetization, analytics and marketing automation platform for digital products developers”. Essentially, it helps developers to track sales and licenses while helping them to earn a living doing what they do best.
As will happen with any software product from time to time, Freemius SDK had some previously unknown security issues come to their attention. They quickly and effectively corrected the issues in their software, then contacted all of their customers telling them that the new updated software was available and that it should be used immediately to update their projects (in this case WordPress plugins and themes).
This was all done weeks ago, and in theory, even a small one-person developer would have had time to update their products and submit their own update to the WordPress repository before the “public disclosure” phase was to begin.
Once the public disclosure phase happens,
- Software that has been corrected and updated (patched) will continue to be available in the WordPress repository for downloading and installing.
Reports like the WPVR and the product’s own changelog will show that the plugin had a vulnerability, but, that an update corrects it. Users will be strongly encouraged to update immediately.
- Software that hasn’t yet had its code patched will no longer be available for download from the WordPress repository and will have appropriate warning language added to the plugin’s description page.
Sometimes these plugins have been abandoned by their original developer and will eventually be removed from the repository. Occasionally, the developers were simply unable to write the needed updates in time for the public disclosure (vacations, illness, lost notification emails, etcetera…). Either way, the most common recommendation for an unpatched product is to disable and remove the software from your website and look for another to replace it.
Luckily, only 1 plugin on the list of 102 “unpatched” software products is installed on only 1 of the dozens of client websites that Market Street manages.
Interestingly, it looks like the developer has created an update to correct the issue and they are waiting on a final review from the WordPress repository to approve the update.
The software in question isn’t “mission critical” and can be safely removed from the client website without harming the functionality of the website. I will disable the software and remove it from the website ASAP.
While I wait for the software’s update to get approved, I will also be evaluating alternatives. I don’t like it when a product’s developer fails to make a security update in a timely fashion. If I find a suitable replacement I will probably replace the software.
All of this will happen, unknown by most of our clients, before our “doors open” for business at 9 a.m.
By 8:53 a.m. I had finished my alternative evaluations, tested the client’s backups, created a staging environment, installed a replacement with a verifiably more responsive support commitment to their product, documented my changes and configuration choices, tested it thoroughly, reviewed their documentation further, and then (after making another full backup) installed, configured and tested the same software on the client’s live site.
I know, this whole article probably bored you to tears, but, that’s what I’m here for. I do what I do best, so that you can do what you do best and not worry about your website.