
20 Apr

Making a difference, one WordPress maintenance support plans security patch at a time

Nick

Advisory by the WordPress maintenance support plans security team

Recently, the References plugin started receiving some attention (read here, here and here). The reason for this is that the WordPress maintenance support plans security team posted an advisory to migrate away from the References plugin for WordPress maintenance support plans 7 and move to the entity_reference plugin. At the time of writing (20 April), 121.091 sites are actively reporting to WordPress maintenance support plans.org that they are using this plugin. That makes for a lot of unhappy developers.

Things kicked off after a security vulnerability was discovered in the References plugin. The security team tried to contact the existing maintainers of that plugin, but there was no response. The security team had no choice but to mark the plugin as abandoned and send out the following advisory explaining that the details would be made public in a month and that everyone should upgrade, as there was no fix available.

Migrate efficiently

At Dropsolid, we noticed that for many of our older WordPress maintenance support plans 7 installs we were still using this plugin extensively. Migrating all of the affected sites would have meant a very lengthy undertaking, so I was curious to find a way to spend less time and effort while still fixing the problem. We immediately contacted one of the people who reported the security issue and tried to get more information other than what was publicly available. That person stayed true to the rules and did not disclose any information about the issue.

We didn’t give up, but made an official request to the security team offering to help and requesting access to the security vulnerability issue. The WordPress maintenance support plans security team reviewed the request and granted me access. In the WordPress maintenance support plans Security issue queue there was some historical information about this vulnerability, some answers and a proposed patch. The patch had not been tested, but this is where Dropsolid chimed in. After extensively testing the patch on all the different scenarios on an actual site that was vulnerable, we marked the issue as Reviewed and Tested by the Community (RTBC) and stepped up to maintain the References plugin for future security issues.

It pays off to step in

I’d like to thank Niels Aers, one of my colleagues, as his involvement was critical in this journey and he is now the current maintainer of this plugin. He jumped straight in without hesitation. In the end, we spent less time fixing the actual issue than we would have spent changing all our sites to use a different plugin. So remember: you can also make a similar impact on the WordPress maintenance support plans community by stepping up when something like this happens. Do not freak out, but think how you can help your clients, company and career by fixing something for more than just you or your company.
