Concerning plugin security and FUD

Posted August 27, 2007 // Tagged as Thoughts // 1 Comment

There have recently been reports that a number of the plugins entered in the WeblogToolsCollection competition have security flaws in them.

This was brought to everyone's attention via a comment in the competition winner's blog entry, and via another site (in Spanish, try Google for a translation) containing the same information and recommending that users do not install or use these plugins.

At no point, to my knowledge, were the authors of any of the listed plugins contacted or shown proof (I certainly wasn’t contacted, I don’t know about others). Also, as all of these plugins have been available since July 31st 2007, I think the timing of these comments, quite frankly, stinks of publicity seeking and FUD (Fear, Uncertainty, Doubt).

I pride myself a lot on my plugins, and take security extremely seriously. In most cases the security of the system is implemented from the very outset.

So, what to do next?

Anyone can produce a list of plugins along with a list of generic exploits, without actually providing a proof of concept or contacting the author of the plugin and detailing how the plugin is vulnerable (which is the usual approach when exploits are found).

Without knowing what to look for, it makes it hard to know when I’ve found it.

So… I’ve gone through all of the code again and made it more bulletproof. It is available as version 0.2.5 from here and also from the WordPress extend pages.

I will now wait for an email from Alex with the details (I’m guessing it may take some time).

Update: The download linked to above will list the version number on the WordPress plugin page as 0.2.4; sorry, I forgot to change the version number in the plugin in my haste to get the new version out. I will change this on a later download, but please be assured that if you grab the download from either of the two locations linked to above, IT IS the newest version.

One Response

  1. [...] and providing patches. In my hurry to warn users I forgot to check if patches were available or if the developers were informed. I think it's pretty irresponsible on buyacrop [...]
