[wp-hackers] WordPress Plugin GUID

Stephen Rider wp-hackers at striderweb.com
Fri Jun 5 12:30:18 GMT 2009

On Jun 5, 2009, at 7:06 AM, Jeremy Visser wrote:

> On Thu, 2009-06-04 at 15:11 -0700, Lloyd Budd wrote:
>> The Plugin GUID would get sent to the plugin directory when checking
>> for updates. If the GUID does not match any known plugin in the
>> directory, it would just skip that plugin during the update check. If
>> it matches, use that match. No longer do any heuristic matches  
>> between
>> titles, urls, etc.
> This is a great idea from a security perspective.
> Currently, if a plugin author chooses to self-host his plugin and not
> list it in the directory, a malicious individual could e-mail Matt and
> ask for an entry in the plugin directory with the same slug. Then, the
> malicious individual could release an 'update' to the plugin that  
> could
> 0wn the blog.
> However, having a GUID in place means users won't automagically get
> updates to their plugins if a plugin author decides to have their  
> plugin
> hosted in the directory after a large quantity of users have already
> downloaded a version that doesn't have a GUID.
> I guess WordPress would have to still offer updates for plugins that
> don't have a local GUID, but the slug matches. Or does that defeat the
> purpose, or not make sense?

I agree that without the GUID it shouldn't offer the update (that is,  
only auto-update plugins that came from WP-Extend).

And this is from a guy who doesn't host on WP-Extend. ;)


Stephen Rider

More information about the wp-hackers mailing list