Over on Weblog Tools Collection, Jeffro recently posted about Dean’s Permalink Migration Plugin which has a bug that can allow an attacker to force a user to perform an unsolicited action to allow the attacker to gain valid credentials, or basically, have access to your blog.
While someone stepped up to the plate and released a new, fixed version after the original author couldn’t be contacted, it still brings up the issue of continued WordPress plugin security.
As WordPress moves closer to the new 2.5 release, due out this spring, will plugin authors that develop the plugins we have come to depend on continue to support and develop their work s that the community can continue to benefit, or will new plugin authors have to step in to fill that role?
Who is responsible for the security of the plugins created? When will the WordPress community demand a group of standards to help improve the security of both WordPress plugins and themes?
I hope this issue is dealt with long before the next major version of WordPress. And while I hate to give Automattic more power and control over the WordPress open source project, I do think that they are the best suited to step up and hire someone to organize and check over WordPress plugins submitted to the plugin directory on WordPress.org.
I want to make this clear though, I don’t think the person from Automattic should become responsible for security issues related to plugins, but another set of eyes, focused on finding security issues, could help save many blogs from issues down the road.
Originally posted on January 28, 2008 @ 3:50 pm