Looking for your (intentionally) wrong plugins

tl;dr: Do you have demo plugins that are dangerous on purpose? We want to see them!

One of the behind-the-scenes steps going on right now is figuring out HOW to onboard and make sure people are good at looking through plugins, finding the security/guideline issues, and can explain what they are and why they’re bad. While most of the explanation we have covered in pre-defined replies, you should know why something is wrong 🙂

In order to do this, we need some intentionally busted plugins so people can get experience in looking for ‘wrong’ in a safe situation.

By ‘wrong’ I mean…

  • Plugins that don’t sanitize/escape
  • Shortcodes not checking for validity/security
  • SQL prepare() issues
  • Using script tags instead of wp_enqueue()
  • Using curl/file_remote_get instead of the HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.
  • Trademarks (Starting your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party name with “Microsoft” for example)

This is an incomplete list. I doubt anyone can make a plugin with 100% of all the things we look for since that changes nearly every day as people come up with new and inventive ways to be dangerous. Of course if you can, I’d love to see that too!

While we certainly can use some submitted/closed plugins for this, it would be nice to have a set of “These are some busted plugins to practice on”

I know some of you are clever folks and have things like that for fun, and right now, we want to see them! Email them (either zip or link to your repo) to plugins@wordpress.org with the subject “Demo Plugin for Reviewers” (we make heavy use of email filtering, so that subject is important!).