Ipstenu (Mika Epstein) 6:00 am on May 4, 2015
Tags: repository ( 18 ), security ( 14 )

Reporting Plugin Issues

Note: I’ll be using Hello Dolly as my example ‘bad’ pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party for this post. It’s fine and not (to my knowledge) vulnerable.

There are a few reasons people report plugins but the main two are as follows:

Guideline violations
Security vulnerabilities

If you report a plugin, you can make everyone’s life easier if you do the following:

Verify that it’s still applicable

Before you do anything, check if the exploit is on the latest version of the code or not. If it’s not, we may not do anything about it, depending on how popular the plugin is.

Use a good subject line

“Plugin Vulnerability” is actually not good at all. “Plugin Vulnerability in Hello Dolly – 0 Day” is great.

Send it in plain text

SupportPressSupportPress The ticket management interface for the plugin emails. It has been replaced with Help Scout. is a simple creature. It doesn’t like your fancy fonts and inline images. Attachments are fine, but we cannot read your ‘Replies in-line in red’ so just keep it simple.

Link to the plugin

https://wordpress.org/plugins/hello-dolly/

Yes, it’s that easy. Put the URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org on it’s own line, no punctuation around it, for maximum compatibility. With over 35k plugins, and a lot with similar names, don’t assume, link.

If the plugin is not hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/, I’m sorry, but there’s nothing we can do, so please don’t bother reporting it to us. We have no power there.

Explain the problem succinctly

Keep it simple.

“Hello Dolly has an XSS vulnerability” or “The Author of Hello Dolly is calling people names in the forums” or “Hello Dolly puts a link back to casino sites in your footer.”

Think of your intro like a tweet. Boil it down to the absolutely basic ‘this is what’s wrong.’

Keep the details clear

If someone’s acting up in the forums, link to the forum threads.

If you know that on line 53, the plugin has a vulnerability (or a link back to that casino site), then you can actually link right to that line: https://plugins.trac.wordpress.org/browser/hello-dolly/tags/1.6/hello.php#L53

We love that. If you don’t have that line, it’s okay. Tell us exactly what you see. “When I activate the plugin using theme X, I see a link to a casino site by my ‘powered by WordPress’ link.” Perfect. Now we know where to look when we test.

Show us how to exploit it

Don’t ask us ‘Can I send you an exploit?’ Just send us all the information. If the exploit’s already up online, like on Secunia, link us to it.

If you know exactly how to exploit it, tell us with a walk through. If the walkthrough involves a lot of weird code, you may want to consider using a PDF.

We’re going to take that information and, often, pass it on directly to the developers.

Tell us if you want them to have your contact info

We default to not passing it on, out of privacy, so “If the developer needs more help, I can be reached at…” is nice. Even “You can give the developer my information so they can credit me…”

We’re probably not going to follow up with you

We love the report, we review them, but we’re not going to loopLoop The Loop is PHP code used by WordPress to display posts. Using The Loop, WordPress processes each post to be displayed on the current page, and formats it according to how it matches specified criteria within The Loop tags. Any HTML or PHP code in the Loop will be processed on each post. https://codex.wordpress.org/The_Loop. you back in and tell you everything that’s going on for one very simple reason. We don’t have the time. If you told us to give the dev your contact info, then we did, but we don’t have any way to promise they will, and we don’t have the time to play middle management.

Emailing us over and over asking for status gets your emails deleted. It’s not personal, it’s seriously a time issue. We’re nothing more than gatekeepers, we are not a security company and we’re not equipped for keeping everyone up to date. We don’t have an administrative assistant to handle that. We work with the developer to fix the issue and we work with the .org team to see if we need to force update the plugin, and that takes a lot of time.

We don’t do bounties

This is a little interesting but basically we’re not going to pay you. A lot of people ask for ‘credit’ so they can ‘earn’ a bounty, and that’s cool, but we’re not going to report that for you. Generally if you say you want a bounty, we give your info to the plugin dev, though, so they do know you’re interested.

How do you report?

You can report plugins by emailing plugins@wordpress.org

That’s it 🙂 Thanks!

#repository, #security

J.D. Grimes 1:09 pm on May 4, 2015

Thank you for laying this out for everyone, it’s nice to have things clear. Now if we could just get this into the hands of people who are/should be reporting pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party issues… 🙂
- Chad Butler 3:55 pm on May 4, 2015
  
  Awesomely descriptive! Thanks, Mika.
  
  I want to second J.D.’s comment – how to get this into the hands of the general public who report these things? I’m guessing they don’t follow Make threads.
  - Ipstenu (Mika Epstein) 4:01 pm on May 4, 2015
    
    Man, if you guys have an idea I’d love to hear it.
    
    The idea of ‘Make a button!’ is not a great one since we’d just get a lot of bad reports and spam :/
    - J.D. Grimes 4:09 pm on May 4, 2015
      
      What about just a link to this article or similar, “How to report vulnerabilities/violations”? Then people would have to read it to figure out how. But I guess some folks would still just scroll down to get the email address and you’d still get bad reports.
      
      I’ve been following https://wpvulndb.com/, and I’ve noticed that some of the researches don’t seem to know how to report the vulnerabilities to the plugins team. Maybe the folks at WPScan could help out with educating security researchers by including a note and a link to this article somewhere.
M Asif Rahman 4:23 pm on May 4, 2015

We already have button to report broken plugins. Maybe add another like “Report a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party”. the button will lead to this post. And instead of emailing, maybe lets make a mail to form, with captcha.
Nile Flores 12:27 am on May 5, 2015

I’ll refer to this article, Mika. Thanks for putting this up. My co-mod shared it in All About WordPress on FB. 🙂
ethicalhack3r 9:05 pm on May 13, 2015

What incentive is there for any one who volunteers their time to email you about a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party vulnerability to do so again if you’re not even going to acknowledge their email?

You need to gamify this process, give them an incentive to do it again. After all, they are taking their own time to email you about the issue which helps protect *your* users.

I’m sorry but ‘we do not have the time’ is not an excuse. If there is not enough time then not enough resources are being used for this.
- J.D. Grimes 9:15 pm on May 13, 2015
  
  Note that the email will be acknowledged in my experience. While the heading says “We’re probably not going to follow up with you”, it clarifies that to actually mean “we’re not going to loopLoop The Loop is PHP code used by WordPress to display posts. Using The Loop, WordPress processes each post to be displayed on the current page, and formats it according to how it matches specified criteria within The Loop tags. Any HTML or PHP code in the Loop will be processed on each post. https://codex.wordpress.org/The_Loop. you back in and tell you everything that’s going on.” However, the response is usually from a can (but not automated).
  - ethicalhack3r 9:22 pm on May 13, 2015
    
    Maybe I miss interpreted it. I can confirm that, looking back through my emails, I have only ever not received a reply once.
    - J.D. Grimes 9:32 pm on May 13, 2015
      
      But of course, it isn’t acknowledged in the sense of giving any kind of recognition to reporters, like rep points or a hall of fame mention. Maybe that was more the gist of what you were trying to get across?
      - ethicalhack3r 9:43 pm on May 13, 2015
        
        Yea, that was part of what I was trying to get across. Even just building up a ‘relationship’ with the reporters by following up and saying ‘hey, thanks, we really appreciate the effort’.
        
        I think a another commenter touched on a submission form type idea. Most people who contact wordpress won’t have read this post. A submission form with all the necessary fields and explaining what wordpress want. I think this would increase the quality of submissions and thus waste less time.
        
        Full disclosure: I work on wpvulndb.com
        
        I think a wordpress supported version of what we are doing would improve pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party/theme security. Shine a light on vulnerabilities and credit researchers/reporters. I would be more than happy to work with WordPress in any way we can if they wanted.
    - Ipstenu (Mika Epstein) 3:07 pm on May 14, 2015
      
      I can promise you we do reply. Always. Even if just to say “Thank you!”
      
      Normally people get a form email reply, but it’s something a human had to manually do.
- Ipstenu (Mika Epstein) 3:09 pm on May 14, 2015
  
  We ALWAYS reply to the email. Always. Even yours. I see it in our out boxes. Maybe you need to check you spam filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. and make sure pluginsATwordpress.org is on the whitelist? Gmail has been particularly daft about it…
  
  Nope, not gamifying.
  
  Incentive? What’s my incentive for doing any of this? I’m not compensated by .org 🙂 I do it because it’s the right thing to do for my community. Do it or don’t do it, we can’t make you, but we can suggest how it would best help US if you choose to. And we do greatly appreciate those who do.
Cx Rana 4:14 pm on August 13, 2015

currently i have 5/6 pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party hosted on wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/
but i didn’t got plugin developer badge in my profile…. why and how can i fixed it ?
- Ipstenu (Mika Epstein) 11:23 pm on August 13, 2015
  
  It’s a manual thing :/
  - Cx Rana 11:38 am on August 22, 2015
    
    so i need to do something ??
    - Matthew 4:29 pm on August 22, 2015
      
      It doesn’t show that you have any plugins in your profile. You need to add your original name into your readme.txt authors in order to get the plugins to show in your profile and you to get the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party badge. Add ahrana to your readme.txt in place or Cx Rana.
  - Samuel Wood (Otto) 1:41 pm on November 3, 2015
    
    It is not a manual thing. Your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party readme.txt files have to have the correct information in them.
    
    Example:
    https://wordpress.org/plugins/js-contact-form/
    
    Your readme.txt file says “Contributors: Cx Rana” in it. That is not your username. Your username here is “ahrana”.
    
    https://plugins.svn.wordpress.org/js-contact-form/trunk/readme.txt
    
    If you correct the readme files to have the correct information, then not only will you get the badge, but your plugins will show up on your profile page, and the Authors list on your plugin page will show your forum display-name as well as your proper gravatarGravatar Is an acronym for Globally Recognized Avatar. It is the avatar system managed by WordPress.com, and used within the WordPress software. https://gravatar.com/. image.
Celestial Petals 7:59 pm on July 29, 2017

This pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party:
‘Vantage Point Friendly Fraud Protection for WooCommerce
By Vantage Point’
Appears abandoned & may be malicious. When you click it from dashboard it loads a parking/domain/page – in dashboard! After leaving a comment in it’s support last night, I had maliscious php in my files. I do believe this is now a ‘BAD’ / ‘ROTTEN’ plugin-foster-owner?

Comments are closed.

Communication

Share this: