Freemius, a monetization, analytics, and marketing library for WordPress plugin and theme developers, patched an authenticated option update vulnerability in its wordpress-sdk four days ago. The library is included with many popular plugins, such as NextGEN Gallery (1,000,000+ installs), 404 – 301 (100,000+ installs), WP Security Audit Log (80,000+ installs), and FooGallery (100,000 installs+). Freemius CEO Vova Feldman said he would classify it as “a severe vulnerability.”

Feldman had planned to wait to publish anything about the vulnerability until more plugin authors had updated, but the security team at PluginVulnerabilities.com published a detailed explanation of the vulnerability within 24 hours of plugin developers getting notified about the patch:

The vulnerability, an authenticated option update vulnerability, would allow anyone with access to a WordPress account to take complete control of the website. That is a type of vulnerability that hackers will try to exploit if there is significant usage of a plugin. Anyone that allows untrusted individuals access to WordPress accounts and is using a plugin with this library is at a pretty significant risk if they haven’t updated the plugin to a version that fixes this or deactivated the plugin.

Plugin developers using the library have already been notified by Freemius, the team at pluginvulnerabilities.com, and will soon be contacted by the WordPress.org plugin team. A full list of the plugins impacted by this vulnerability is not available yet, but Freemius has a page on its website showcasing 96 WordPress.org plugins and nine themes that use it.

“More than 60% of the developers who are using our SDK have already upgraded to the patched version,” Feldman said. As of today, Feldman said he has not received any reports of the vulnerability having been exploited.

Feldman published a summary of his company’s actions on the security issue and described how Freemius is working to mitigate exposure and try to give users more time to update. The company requested two things from developers using its wordpress-sdk library:

  • If this security upgrade will be included in your changelog, please only use generic wording like “Security fix”.
  • Even after updating and releasing the patched versions, please do not disclose this issue during the next 30 days, allowing enough time for all our partners and their users to update.

It is in a company’s best interest to keep the details of a product’s security issue under wraps for as long as possible, but that may leave some users exposed when the vulnerability has already been published on the web. Any user who sees an update for a plugin using Freemius is advised to act on that update immediately, regardless of whatever generic note appears in the changelog.

As a company providing a security service, PluginVulnerabilities.com had different priorities in publishing details about the vulnerability, according to a representative who identified himself as John:

In this case where we are not the discoverers. The biggest issue is that vulnerability looks to have already been being exploited when we came across it, so hiding the situation from the public seems highly irresponsible. Our customers pay us to warn them about vulnerabilities in their plugin, so we would need to warn them right away once we became aware of this. If we only warned our customers that obviously raises some serious questions since others in WordPress community would be left in the dark.

In cases like this, where developers are including a third-party library in their plugins, it can take longer for users to receive an update that fixes the vulnerability, since the need for a patch has to be communicated to multiple parties. The situation is similar to the recent vulnerability that Bootstrap patched two weeks ago. Bootstrap announced the vulnerability in the same week it was reported and fixed, instead of trying to delay disclosure, even though thousands of products across the web use the Bootstrap framework.

WordPress.org doesn’t currently have a mechanism to flag certain plugin updates as security updates, but if a security update is severe enough, the plugin team can push updates out faster with cooperation from plugin authors. That route has not yet been pursued in this case, but we will continue monitoring the situation. In the meantime, if you are using a plugin that includes Freemius and the author has not updated, you may want to consider turning the plugin off temporarily until a patch is available.