WordPress Plugin Update Creates Security Nightmare

A recent article from the official WordPress blog WP Tavern, points out a major security issue for a plugin that is being used by thousands of WordPress sites.  As many of you know, there are over 43,000 plugins that are available for download.  Typically downloading and installing plugins directly from the WordPress.org directory is the safest place.  However, an update to Custom Content Type Manager plugin created a bit of chaos.

WordPress Security Nightmare


Basically the initial plugin release was evaluated to be a safe download.  The problem is plugin updates are not under the same scrutiny as the original, which I’m sure that will change soon.  The plugin maintainer released a update that injected an auto update into the plugin and in turn allowed the WordPress site to be hacked.

This type of thing could happen more often than you realize.  As a member of a company that maintains and develops WordPress sites, I can not emphasize enough the importance of site backups and other security measures that minimize security flaws and downtime.  This doesn’t mean I don’t trust the WordPress directory.  It means that evaluating the plugin code is critical for our clients.

If you’re interested in reading more and a list of mitigation steps, I suggest you read the post.  

Update March 7: The WordPress Directory team investigated and mitigated this issue by disconnecting thewooranker account from all plugins, reverting malicious changes in the CCTM plugin, and changing the version to WordPress should automatically update to this new clean version.