Siobhan McKeown has published a disturbing yet not out of the ordinary article that explains how a couple of plugins were recently added to the plugin repository that were using a version of J-Query from J-Query.org which after investigation proved to be a fake website. The purported J-Query file was actually propagating sites with CPA Infinity Affiliate Links. After the article was published, Otto responded in the comments to make note that the plugins were removed and the user who uploaded them has been banned. This is yet another reminder that the WordPress plugin repository is a powerful place to do naughty business for those that can get past a couple pair of eyeballs and not get noticed right away.
For the future, Otto recommends doing the following if you spot something malicious within a plugin on the repository:
Obviously malicious code doesn’t last long before somebody spots it (this one only lasted a week before somebody noticed, and it would have been removed that same day if anybody had reported it to us at email@example.com), but unintended security holes can become widely propagated for a longer period of time, leading to issues when hackers find and exploit them. So they are of a somewhat higher priority to find.
Apparently, reporting offending plugins to that email address gets swifter action than anything else. Although not related specifically to this story, I think it’s good to be reminded of June 21, 2011 when a number of suspicious commits were made to popular plugins after hackers gained access to the plugin repository. Thankfully, those commits were caught in a short period of time but there is no guarantee that they would catch them in time again.
And how do plugin developers get their plugins back into the repository if they’ve been pulled due to a security bug but later fixed?
AdRotate was pulled, fixed but the developer has been having a hell of a time getting it back in the repository.
I don’t know the guy, I use his plugin and it’s a shame Arnan has run into a dead-end. His dealings with WordPress.org remind me of how it is to deal with Google. I must admit that me myself when I’ve had an issue with something like the Intense Debate plugin I got an email from Matt himself apologizing. Personal reply or boilerplate letter it doesn’t matter as it was still a quick response and I’m grateful for WordPress.org for being responsive.
You can read about Arnan trying to get back into the plugin directory here: