Sprout Invoices: Same Free Plugin, Just More Secure


Description of Events

At the beginning of September, we received an email from the WordPress Plugin Review Team notifying us that the free version of Sprout Invoices in the wordpress.org plugin repository had a couple of coding vulnerabilities. 

Upon receiving this email, our development team jumped into action and began addressing the issues listed in the email. Within a couple of weeks, we released a hotfix patch that addressed all of those issues and started working on our next release. Unfortunately, the original email only included a few pointed examples and was not a complete list of the fixes we needed to implement. About a month after the first email, we received a second email stating that we were being removed from the plugin repository for not complying with the first email, and again asking whether we had any questions. Upon messaging WordPress, we found that the original email had only provided a few examples of the issues that needed to be addressed, and that there were additional lines of code we needed to update to meet their standards.

What was the vulnerability?

The code that needed to be updated was only exploitable by people who already had user accounts on your WordPress site. In other words, it was not a vulnerability that just anyone could exploit; it would have to have been a customer or employee with malicious intent towards you and/or your site. Now that these vulnerabilities have been patched, that avenue of access has been closed.

Our corrective action

You may not have even noticed that the plugin was taken off the wordpress.org repo, but if you did, you will be happy to know that we are back on the approved list and all vulnerability concerns have been addressed. We wanted to share this learning experience with you for a couple of reasons. The biggest is that we believe full transparency with our customers is paramount; the second is that we hope our developer customers can learn from our mistakes and save themselves some headaches. Our biggest takeaway: ALWAYS reply to the first email and ask for the full list of issues that need to be addressed.