[wp-hackers] WordPress Plugin GUID

Stephen Rider wp-hackers at striderweb.com
Fri Jun 5 15:16:16 GMT 2009

On Jun 5, 2009, at 9:56 AM, Jennifer Hodgdon wrote:

>>> Currently, if a plugin author chooses to self-host his plugin and
>>> not list it in the directory, a malicious individual could e-mail
>>> Matt and ask for an entry in the plugin directory with the same
>>> slug. Then, the malicious individual could release an 'update' to
>>> the plugin that could 0wn the blog.
> Couldn't they also put the same GUID in there as the original  
> plugin? If you wanted to avoid hijacking of plugins hosted  
> elsewhere, you'd also need to enforce the idea that the GUID for  
> plugins on wp.org would be their wp.org full URL. In which case,  
> putting it in automatically somehow seems like the only/best idea.

No, that's the opposite.

He describes a cracker putting a malware plugin in WP-Extend that
updates/overwrites your self-hosted plugin.

You describe creating a self-hosted plugin that would be updated/
overwritten by someone else's WP-Extend plugin.  Which isn't very
useful to a cracker....


Stephen Rider
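The scenario discussed in this thread is a self-hosted plugin whose slug later appears in the wordpress.org directory, so that the site's update check offers the directory's package as an "update" and overwrites the local code. The following is an added example, not code from the thread or from WordPress itself, showing the two opt-out mechanisms a self-hosting author can use today: the `Update URI` plugin header (honoured by WordPress core since 5.8, which excludes the plugin from wordpress.org update checks when the value is not a wordpress.org URL) and, as a belt-and-braces measure for older installs, a `site_transient_update_plugins` filter that strips the plugin's own entry from the update transient. The plugin name, slug and vendor URL (`example-self-hosted`, `https://example.invalid/`) are assumptions for illustration.

```php
<?php
/*
 * Plugin Name: Example Self-Hosted Plugin
 * Description: Demonstrates opting out of wordpress.org update checks.
 * Version:     1.0.0
 * Update URI:  https://example.invalid/plugins/example-self-hosted
 *
 * Added example, not part of the original thread. The Update URI header
 * is read by WordPress >= 5.8: because its host is not wordpress.org,
 * core omits this plugin from the request it sends to api.wordpress.org
 * and a same-slug directory entry can no longer be offered as an update.
 * The slug and URL above are placeholders.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Direct access is not a WordPress context; nothing to do.
}

/**
 * Remove this plugin from the update transient so that no package from
 * the wordpress.org directory (or anywhere else) is ever installed over it.
 *
 * This covers WordPress versions older than 5.8, which ignore Update URI.
 * The filter runs every time core stores the plugin-update transient.
 *
 * @param object|false $transient Value of the update_plugins site transient.
 * @return object|false The transient without this plugin's entry.
 */
function example_self_hosted_block_updates( $transient ) {
	if ( ! is_object( $transient ) ) {
		return $transient;
	}

	// Key used by core for this plugin, e.g. "example-self-hosted/example-self-hosted.php".
	$basename = plugin_basename( __FILE__ );

	// 'response' holds plugins with an available update; 'no_update' holds
	// plugins core checked and found current. Drop both so the directory's
	// metadata for a colliding slug never reaches the updater.
	foreach ( array( 'response', 'no_update' ) as $key ) {
		if ( isset( $transient->$key ) && is_array( $transient->$key ) ) {
			unset( $transient->$key[ $basename ] );
		}
	}

	return $transient;
}
add_filter( 'site_transient_update_plugins', 'example_self_hosted_block_updates' );
```

Note that the filter only stops core's own updater; an administrator can still manually upload a package over the plugin, and a compromised wp-admin session is out of scope for either mechanism. Install the file under `wp-content/plugins/example-self-hosted/` and activate it; the Plugins screen will then stop listing directory updates for that slug.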
