Active Install Data Story Update: Not a breach but abuse of an endpoint

Categorized under:

, , , ,
Photo of author
Written By Dan Knauss

At the WPwatercooler, JJJ cleared up some of the mystery…

A quick summary of what we learned, starting at the 25:41 mark on the video:

  • There are two very simple endpoints that have provided the obfuscated active install data at wordpress.org since 2017.
  • They’re just PHP files, not endpoints that map to anything else. They access the database to give a JSON result to properly formed queries.
  • Inevitably, people poke at them, test the parameters they accept, etc. Errors coming from bad data fed to an endpoint filled up the error logs about a year ago. There was no data leak. It was fixed. But as a result of that fix, testing the endpoint now returns different headers based on what it’s hit with.
  • It’s possible to derive true/false information from the headers that are returned. In essence, you can derive a correct answer to whether a plugin’s install count is zero/not zero or whether a certain slug exists. It’s not serious, but it’s leaking information that’s not intended to be available this way.

2 thoughts on “Active Install Data Story Update: Not a breach but abuse of an endpoint”

Comments are closed.

our sponsors

A2 Hosting
Omnisend
Kinsta
Progress Planner
Elementor
WP Munich
Atarim
Patchstack
Post Status

The Community for Professionals in the WordPress space

Post Status

About

Jobs

Contact Us

Code of Conduct

Opportunities

Sponsor Post Status

Partner Directory

Digital Agencies

Products

plugins

Hosts

Resources

Podcasts

Higher Ed Agencies

Newsletter Archive

Black Friday Deals

JOIN POST STATUS

[email protected]

Join Today

© 2025 Post Status. All rights reserved

Privacy Policy | Terms of Use