[wp-hackers] WordPress Plugin GUID

Stephen Rider wp-hackers at striderweb.com
Fri Jun 5 15:11:54 GMT 2009


On Jun 5, 2009, at 9:42 AM, Ozh wrote:

>> Currently, if a plugin author chooses to self-host his plugin and not
>> list it in the directory, a malicious individual could e-mail Matt and
>> ask for an entry in the plugin directory with the same slug. Then, the
>> malicious individual could release an 'update' to the plugin that could
>> 0wn the blog.
>
> oh my...
> fantastic idea >:]

Hmm... I wonder if a non-Extend hosted plugin could protect itself from
this?  Put in some code that prevents *itself* from being auto-updated by WP?

Something like (untested):


function filter_get_update_plugins( $data ) {
	// Drop this plugin's own entry so WP never offers (or applies) an update for it.
	if ( is_object( $data ) && isset( $data->response['myplugin/myplugin.php'] ) ) {
		unset( $data->response['myplugin/myplugin.php'] );
	}
	return $data;
}

add_filter( 'option_update_plugins', 'filter_get_update_plugins' );    // older WP: stored as an option
add_filter( 'transient_update_plugins', 'filter_get_update_plugins' ); // newer WP: cached as a transient
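A fuller version of the same idea, added here as an example and not code from the post above: instead of hard-coding the plugin path it derives it with plugin_basename(__FILE__), and instead of refusing every update it drops any offered update whose package URL does not point at the plugin's own server, so a directory entry with a colliding slug cannot push a package from elsewhere. It goes slightly beyond the post by allowing self-hosted updates through. The hook names site_transient_update_plugins and pre_set_site_transient_update_plugins belong to WordPress releases that keep update_plugins as a site transient, which postdate this thread; MYPLUGIN_TRUSTED_UPDATE_HOST and updates.example.com are assumed placeholders.

```php
<?php
/*
 * Added example (not from the wp-hackers post): a self-hosted plugin that
 * only accepts updates whose package comes from its own server, so a
 * plugin-directory entry with the same slug cannot "update" it.
 *
 * Assumptions: this is the plugin's main file, and WordPress stores
 * update_plugins as a site transient (the older 'transient_update_plugins'
 * hook is kept for releases that used a plain transient).
 */

// Assumption: the host this plugin's own update packages legitimately come from.
define( 'MYPLUGIN_TRUSTED_UPDATE_HOST', 'updates.example.com' );

function myplugin_block_foreign_updates( $data ) {
	// Bail on anything that is not the expected update object.
	if ( ! is_object( $data ) || empty( $data->response ) || ! is_array( $data->response ) ) {
		return $data;
	}

	// Yields e.g. 'myplugin/myplugin.php' without hard-coding it.
	$self = plugin_basename( __FILE__ );

	if ( isset( $data->response[ $self ] ) ) {
		$update  = $data->response[ $self ];
		$package = isset( $update->package ) ? (string) $update->package : '';
		$host    = $package !== '' ? parse_url( $package, PHP_URL_HOST ) : '';

		// Drop the offered update unless its package URL is on our trusted host.
		if ( strtolower( (string) $host ) !== MYPLUGIN_TRUSTED_UPDATE_HOST ) {
			unset( $data->response[ $self ] );
		}
	}
	return $data;
}

// Filter the value as it is read back (site transient or plain transient).
add_filter( 'site_transient_update_plugins', 'myplugin_block_foreign_updates' );
add_filter( 'transient_update_plugins',      'myplugin_block_foreign_updates' );
// Also filter it as it is written, so the cached copy never carries the entry.
add_filter( 'pre_set_site_transient_update_plugins', 'myplugin_block_foreign_updates' );
```

Comparing only the package host is a coarse check: it keeps a colliding directory slug from installing a package served by wordpress.org, but an attacker who controls your update server (or can spoof it over plain HTTP) is outside what this filter can defend against.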


