[wp-meta] [Making WordPress.org] #4661: W.org plugins directory displays wrong version in advanced view

Making WordPress.org noreply at wordpress.org
Wed Aug 7 17:52:00 UTC 2019

#4661: W.org plugins directory displays wrong version in advanced view
 Reporter:  KestutisIT        |       Owner:  (none)
     Type:  defect            |      Status:  closed
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:  wontfix
 Keywords:  needs-patch       |

Comment (by KestutisIT):

 @Ipstenu - thanks for clearing this up. As I have a partnership with
 PayPal and did many PayPal integrations, I can confirm that the most
 secure way for this, is to generate SHA2-512 or RSA *.cert file for each
 plugin after it is released and keep that file in plugins folder. The cert
 will ensure that request is coming from that exact plugin. It should be an
 URL of W.org and plugin's admin dashboard image icon checksum or
 Plugin/Plugin.php (main file with meta description) or just a meta
 description checksum. It won't be a checksum of whole zip, but at least of
 that one thing it could be. Otherwise I can how hack any plugin of W.org
 putting there random information and submitting to report, even maybe
 '1.0-EVIL' version to i.e. bbPress. And this will be see on reports screen
 for everyone, as I can print there any message I want with version as long
 as it match the Semver rule, and Semver allows to name the release. So
 that's a security risk.

Ticket URL: <https://meta.trac.wordpress.org/ticket/4661#comment:5>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list