[wp-hackers] WordPress Plugin GUID

Jennifer Hodgdon yahgrp at poplarware.com
Fri Jun 5 14:56:42 GMT 2009

>> Currently, if a plugin author chooses to self-host his plugin and not
>> list it in the directory, a malicious individual could e-mail Matt and
>> ask for an entry in the plugin directory with the same slug. Then, the
>> malicious individual could release an 'update' to the plugin that could
>> 0wn the blog.

Couldn't they also put the same GUID in there as the original plugin? 
If you wanted to avoid hijacking of plugins hosted elsewhere, you'd 
also need to enforce the idea that the GUID for plugins on wp.org 
would be their wp.org full URL. In which case, putting it in 
automatically somehow seems like the only/best idea.


Jennifer Hodgdon * Poplar ProductivityWare
Drupal, WordPress, and custom Web programming
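The slug-collision hijack and the proposed GUID-as-wp.org-URL rule from this thread, modelled as an added Python example (not code from WordPress or from the thread's participants). The canonical wp.org URL format, the `Plugin` fields and the host-matching rule are assumptions made for the illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed host of the official plugin directory.
WPORG_HOST = "wordpress.org"


@dataclass(frozen=True)
class Plugin:
    slug: str        # directory slug, e.g. "foo"
    guid: str        # self-declared identifier from the plugin header
    update_url: str  # where this copy of the plugin is served from


def canonical_wporg_guid(slug: str) -> str:
    # Assumed canonical form of "their wp.org full URL" for a directory plugin.
    return f"https://{WPORG_HOST}/extend/plugins/{slug}/"


def slug_match(installed: Plugin, candidate: Plugin) -> bool:
    # Weak rule from the thread: a directory entry with the same slug "is" the plugin.
    return installed.slug == candidate.slug


def guid_match(installed: Plugin, candidate: Plugin) -> bool:
    # GUID alone is no better: the header value can simply be copied.
    return installed.guid == candidate.guid


def accept_update(installed: Plugin, candidate: Plugin) -> bool:
    """Proposed rule: treat the GUID as the plugin's origin URL.

    An update is accepted only if (1) the candidate carries the installed GUID,
    (2) a wp.org GUID is exactly the canonical directory URL for that slug, and
    (3) the update is actually served from the GUID's host. A copied GUID then
    fails because the attacker's files come from a different host.
    """
    if candidate.guid != installed.guid:
        return False
    guid_host = urlparse(installed.guid).netloc
    if guid_host == WPORG_HOST and installed.guid != canonical_wporg_guid(installed.slug):
        return False  # wp.org plugins may not self-declare an arbitrary GUID
    return urlparse(candidate.update_url).netloc == guid_host
```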
