Support » Plugin: WangGuard » Results of Security Review

  • This plugin was recently selected by our customers to have a security review done by us. While there were no issues found that were likely to lead to the average website being hacked, we did find several security issues with it. We notified the developer of our findings, but we haven’t heard back from them. The most serious of the issues was resolved in version 1.7.3 after we notified the Plugin Directory. The other issues remain unfixed in the plugin at this time.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Nice work @pluginvulnerabilities, you guys did a great review of some of my Plugins which was badly overdue. The author is reluctant to respond here, likely due to other commitments. Consider sending the Plugin Directory a patch of the required fixes in the hopes they push a release.

    Plugin Vulnerabilities

    (@pluginvulnerabilities)

    That doesn’t seem like the best idea, as someone that isn’t familiar with a plugin could introduce problems by making security changes to it without understanding how the changes might impact other parts of the plugin. It is our belief that it is best to work with the developer to fix security issues.

    But with that being said, we are not aware of the Plugin Directory applying third-party patches in that fashion, so creating those without knowing if they would actually be utilized doesn’t seem like a good use of our time. Are you aware of any statement from them that they are actually doing that?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    I’m not sure why you decided that we’re not to be emailed anymore…

    Do we patch plugins for developers? Actually yes, in extreme situations. We don’t WANT to, precisely for the reasons you mentioned (making changes to other people’s code is high risk), but there have been moments when we had to.

    I’ll follow back up with WangGuard directly about this. Thank you for reminding us that not everything had been fixed.

    Plugin Vulnerabilities

    (@pluginvulnerabilities)

    The only mention of not emailing you was in relation to not sending patches and we have never sent those before, so nothing has changed on our end or was even suggested.

    @ipstenu @pluginvulnerabilities

    The Developer seems to have abandoned this plugin. It was great but started to not work all that well. The first issue arose when you couldn’t complete the registration. Eventually, someone figured out that there was an error in the activation link that is sent to you and you have to replace a %-something with a @ to fix your email address.

    Now, afterwards… people that have been repeatedly reported as sploggers are still getting through. Some person that names all of his logins with something that has “hek” in it keeps getting through. It always comes from an email out of Russia. So I blocked the top-level *.ru because we have no members joining from Russia, and even if we did, almost everyone uses Gmail nowadays…

    On top of this, it won’t let me block any domains other than the few that I have. Every time I try to save the list it just doesn’t save.

    Numerous emails and comments in the forums have never produced any response.

    • This reply was modified 6 months, 1 week ago by  taynak.

    Hi,

    We’ll fix these as soon as possible. I’ll help Jose in the plugin development.

    We apologize for the inconvenience.

    Thanks!

    @jartes, We?

    Yep, I’ll be helping @jconti with the plugin development 🙂

    @jartes. Cool.

    Make sure @jconti communicates clearly about how users can support the development, when you guys feel comfortable with this.

    I’ll wait a bit until I’ll recommend any financial support to my clients.

    Sure! 🙂
