As a leading contributor to WordPress, 10up is committed to the cultivation of a vibrant, collaborative, and healthy open-source ecosystem. We strive to strengthen open platforms and tools through responsible stewardship, and embrace the concept that “given enough eyeballs, all bugs are shallow.”
Last week, that work included helping a popular WordPress plugin with 90,000+ installs fix a critical security vulnerability.
On June 9, 2021, a 10up Engineer conducted a routine code review of the FileBird plugin on behalf of a client. The code review followed 10up’s Engineering Best Practices and focused on areas that did not pass our initial automated scans. It uncovered that the code was vulnerable to a Blind SQL Injection attack — a clever type of exploit that involves sending “yes or no” questions to MySQL to extract information from the database when it cannot be output directly to the browser.
That same day, our team responsibly disclosed the vulnerability. We reached out to the team at WPScan, who we’ve previously collaborated with on our WP-CLI Vulnerability Scanner and WordPress Composer Scanner, to report the vulnerability and collaborate on disclosure.
The FileBird plugin authors responded quickly and responsibly, and issued a patch within 36 hours.
This is a critical vulnerability that only impacts version 4.7.3 of the FileBird plugin. It does not impact any previous versions and has been patched in version 4.7.4. All users of FileBird version 4.7.3 are advised to upgrade immediately.
While we plan on sharing more information about the vulnerability at a later date, we are holding back to give site owners time to update the plugin and secure their sites.
From global consumer brands to vital government agencies, 10up supports high-profile, mission-critical projects where information security is crucial to continuity of operations. 10up’s full-stack team of Engineers, including those dedicated to security and open source initiatives not only enable us to quickly operationalize synergies between client work and open source, but build a better web for everyone, including FileBird’s 90,000+ users.
If you want to work for a company that cares about open source and makes amazing projects and tools for WordPress, come work with us!