[wp-trac] [WordPress Trac] #32101: Ability to mark plugin as unmanaged
WordPress Trac
noreply at wordpress.org
Tue Nov 24 04:00:31 UTC 2020
#32101: Ability to mark plugin as unmanaged
-------------------------------------+----------------------------
Reporter: damonganto | Owner: DrewAPicture
Type: task (blessed) | Status: assigned
Priority: normal | Milestone: WordPress.org
Component: Plugins | Version: 4.1.2
Severity: major | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+----------------------------
Comment (by lev0):
It's really not hard to imagine a scenario where someone creates a puppet
WP account, then a non-useless plugin that maliciously targets a site's
custom one. It isn't only the little sites, e.g. one could use the name
''Ari Bloomberg'' to reduce suspicion when attempting to publish a plugin
with the same name as one visible in the markup of
`https://www.bloomberg.com/professional/`. After a plugin gets approved,
the actual published code is not directly from that process but from the
developer's SVN commits, which could include un-vetted malicious
operations. That site may have measures and procedures to mitigate such an
attack but not everyone does. The plugin might be removed promptly but
it'd only take one update to infect a site. It's quite disappointing that
it's still unreasonably difficult to prevent, considering a patch has been
submitted.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32101#comment:79>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
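The collision lev0 describes, a private plugin slug matching one later published on wordpress.org, can be mitigated on the site side by taking the plugin out of the wordpress.org update channel. The must-use plugin below is an added example for this ticket's scenario, not the submitted patch or WordPress core code; the plugin basename in `UNMANAGED_PLUGINS` is an assumed placeholder, and the request-body layout it edits is the one core's `wp_update_plugins()` sends.

```php
<?php
/**
 * Plugin Name: Unmanaged Plugin Guard (example; drop into wp-content/mu-plugins/)
 * Keeps site-specific plugins out of the wordpress.org update channel so a
 * same-slug plugin published there is never offered or auto-installed here.
 */

// Basenames (dir/main-file.php) of private plugins. Assumed placeholder value.
const UNMANAGED_PLUGINS = [
    'acme-custom-checkout/acme-custom-checkout.php',
];

// Remove private plugins from the update transient, so no "update available"
// notice is shown and auto-update never downloads a lookalike package.
function unmanaged_plugins_filter_updates( $transient ) {
    if ( ! is_object( $transient ) ) {
        return $transient;
    }
    foreach ( UNMANAGED_PLUGINS as $basename ) {
        if ( isset( $transient->response[ $basename ] ) ) {
            unset( $transient->response[ $basename ] );
        }
        if ( isset( $transient->no_update[ $basename ] ) ) {
            unset( $transient->no_update[ $basename ] );
        }
    }
    return $transient;
}
add_filter( 'pre_set_site_transient_update_plugins', 'unmanaged_plugins_filter_updates' );
add_filter( 'site_transient_update_plugins', 'unmanaged_plugins_filter_updates' );

// Also strip the same plugins from the update-check request, so their slugs
// are never sent to api.wordpress.org and no package URL comes back for them.
function unmanaged_plugins_strip_from_check( $args, $url ) {
    if ( false === strpos( $url, 'api.wordpress.org/plugins/update-check/' )
        || empty( $args['body']['plugins'] ) ) {
        return $args;
    }
    $data = json_decode( $args['body']['plugins'], true );
    if ( ! is_array( $data ) ) {
        return $args;
    }
    $active = isset( $data['active'] ) ? (array) $data['active'] : [];
    foreach ( UNMANAGED_PLUGINS as $basename ) {
        unset( $data['plugins'][ $basename ] );
        $active = array_values( array_diff( $active, [ $basename ] ) );
    }
    $data['active']          = $active;
    $args['body']['plugins'] = wp_json_encode( $data );
    return $args;
}
add_filter( 'http_request_args', 'unmanaged_plugins_strip_from_check', 10, 2 );
```

After installing, the Plugins screen should show no update row for the listed plugin even when a wordpress.org plugin with the same slug and a higher version exists. Later WordPress releases (5.8 and up) let a plugin declare this itself through an `Update URI` header in its main file, which is the route this ticket eventually took.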