[wp-hackers] WordPress Plugin GUID

Stephen Rider wp-hackers at striderweb.com
Fri Jun 5 15:11:54 GMT 2009

On Jun 5, 2009, at 9:42 AM, Ozh wrote:

>> Currently, if a plugin author chooses to self-host his plugin and not
>> list it in the directory, a malicious individual could e-mail Matt and
>> ask for an entry in the plugin directory with the same slug. Then, the
>> malicious individual could release an 'update' to the plugin that could
>> 0wn the blog.
> oh my...
> fantastic idea >:]

Hmm... I wonder if a non-Extend hosted plugin could protect itself
from this?  Put in some code that prevents *itself* from being
auto-updated by WP?

Something like (untested):

function filter_get_update_plugins( $data ) {
	// The transient may be unset (false) or not yet an object; leave it alone.
	if ( ! is_object( $data ) ) {
		return $data;
	}
	// Drop this plugin's entry so WP never sees an "update available" for it.
	unset( $data->response['myplugin/myplugin.php'] );
	return $data;
}

add_filter( 'option_update_plugins', 'filter_get_update_plugins' );
add_filter( 'transient_update_plugins', 'filter_get_update_plugins' ); // for cached data
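Added example (my own code, not Stephen's snippet or anything shipped by WordPress): a complete self-hosted plugin file that applies the idea above. It assumes it is the plugin's main file (so plugin_basename( __FILE__ ) yields the 'dir/file.php' key the update response uses), and it hooks the later site-transient filter names as well as the 2.8-era ones from the post; the Update URI header is the mechanism later WordPress releases added for exactly this slug-collision case, and the URL in it is a placeholder.

```php
<?php
/*
Plugin Name: Self-Hosted Guard (example)
Description: Keeps WordPress from applying a wordpress.org "update" to a plugin
             that is actually hosted elsewhere. Example code, not from the list.
Update URI:  https://example.invalid/self-hosted-guard/
*/
// The Update URI header above is honored by WordPress 5.8 and later: when it
// is set to something other than a wordpress.org URL, core will not apply a
// wordpress.org directory entry with the same slug to this plugin. The filters
// below cover older installs and act as defense in depth.

// Assumption: this is the plugin's main file, so this is the key WordPress
// uses for us inside $data->response.
define( 'SHG_BASENAME', plugin_basename( __FILE__ ) );

/**
 * Remove this plugin's entry from the update data WordPress caches in the
 * update_plugins transient. With the entry gone, neither the "update available"
 * notice nor the automatic updater has anything to act on for this plugin.
 *
 * @param mixed $data The transient value (false when unset, stdClass otherwise).
 * @return mixed      The same value with our entry stripped.
 */
function shg_drop_self_from_updates( $data ) {
	if ( ! is_object( $data ) || empty( $data->response ) ) {
		return $data; // nothing cached yet, or malformed; leave untouched
	}
	if ( isset( $data->response[ SHG_BASENAME ] ) ) {
		unset( $data->response[ SHG_BASENAME ] );
	}
	return $data;
}

// Hooks from the original post (WordPress 2.8-era option and transient).
add_filter( 'option_update_plugins',    'shg_drop_self_from_updates' );
add_filter( 'transient_update_plugins', 'shg_drop_self_from_updates' );

// Later releases store this as a site transient; filter it both on read and
// just before it is written (assumption: hook names as of WordPress 3.0+).
add_filter( 'site_transient_update_plugins',         'shg_drop_self_from_updates' );
add_filter( 'pre_set_site_transient_update_plugins', 'shg_drop_self_from_updates' );
```

Note that stripping the entry only hides a directory-sourced update; it does not verify where an update comes from. If the plugin has its own update channel, that channel should sign or otherwise authenticate its packages, since the filter above would also hide a legitimate entry placed under the same key.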
