Timely’s All-In-One Event Calendar — which boasts 100,000 active installs — had multiple security issues that caused it to be temporarily removed from the repo by the plugin security team. There were at least four disclosed issues, some of which Timely did not fix in a, well, timely fashion, prompting the team to take more aggressive action.
The team removed Timely from the WordPress plugin repository, and after a couple of days, Timely fixed the remaining security issues that were previously unaddressed. They still have not done any real public disclosure, and it seems they are leaning toward not auto-updating past versions of the plugin.
I understand that versions 2.4.1 and 2.5 include the security fixes. According to the plugin’s stats page, the vast majority of active installs are still on insecure versions, and the Timely team may not request that forced updates be applied to old versions. Declining to do so is a drastic and irresponsible choice, as those older installs should be updated to close some pretty bad vulnerabilities, including persistent and non-persistent XSS, SQL injection, and remote code execution.
One of the vulnerabilities, the last to be patched, is an issue that was widely covered in April of 2015, where many plugins weren’t properly escaping the output of add_query_arg(). The Timely team has known about that bug since last April, but did nothing.
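For readers who did not follow the 2015 add_query_arg() disclosures, the pattern below is an added illustration of that bug class and its fix; it is not code from the Timely plugin or from WordPress core. It assumes the WordPress runtime (add_query_arg(), esc_url(), esc_url_raw()) is loaded, and the example_ function names are hypothetical.

```php
<?php
// Added example, not from the plugin discussed above. Assumes WordPress is
// loaded so add_query_arg(), esc_url() and esc_url_raw() exist.
//
// When add_query_arg() is called without an explicit base URL it builds the
// result on $_SERVER['REQUEST_URI']. Anything a visitor put in the current
// request path therefore comes back in the returned string, so printing it
// into markup unescaped is a reflected (non-persistent) XSS.

// VULNERABLE form: the returned URL goes straight into an HTML attribute.
function example_next_page_link_vulnerable( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . $url . '">Next</a>';
}

// HARDENED form: escape for the HTML context at the point of output.
// esc_url() strips javascript: and similar schemes and entity-encodes
// characters that could break out of the attribute.
function example_next_page_link( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// Non-HTML contexts (redirect targets, HTTP headers, database storage) use
// esc_url_raw(), which validates the URL without entity-encoding it.
function example_next_page_redirect( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}

// Passing an explicit base URL also removes the dependency on REQUEST_URI,
// but the output should still be escaped for its context.
function example_next_page_link_explicit_base( $page ) {
    $url = add_query_arg( 'paged', (int) $page, home_url( '/events/' ) );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}
```

When auditing a plugin for this issue, the thing to look for is any echo, print or string concatenation of an add_query_arg() (or remove_query_arg()) result that does not pass through esc_url() or esc_url_raw() on its way out; the fix is always applied at the output site, never by trying to sanitise REQUEST_URI upstream.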
Every now and then, the plugin security team has used their most powerful action — directory removal — to spur plugin authors into action. It worked this time. I understand they have to resort to this method of pressure dozens of times per year.
Technically the core security team could opt to auto-push without a plugin author’s permission, but they opted not to in this case. However, I think the author still should request the push, which the team would happily enable.
A lot goes on behind the scenes with regard to managing the plugin repository and WordPress security. This is not an isolated incident, as these are the kinds of issues some folks work on nearly every day.
I thought it would be informative to share this story with readers. All of these commits and updates are technically public, if somewhat difficult to find. However, considering more than 70% of active installs of this plugin are still insecure, I’d advise you not to share publicly the exact nature of this incident until more sites have updated, and rather consider it a learning experience in regard to the considerable effort that goes into managing the repo.