reatlat/wp-campaign-url-builder

WordPress Plugin Security Vulnerability: Missing Validation on TLS Connections

Closed this issue · 2 comments

On a regular review of plugins hosted on WordPress.org, we have determined a number of plugins are disabling TLS verification. This generally happens when a developer includes direct CURL calls in their code which can be harmful for end users in certain situations.

This impacts the following plugins you have commit access to:

We recommend you cease including your own CURL code and instead use the HTTP API. It's both faster and more extensive. It'll fall back to CURL if it has to, but it will use a lot of native WordPress functionality first. Most importantly, it won't disable TLS verification. Learn more about the HTTP API here: https://developer.wordpress.org/plugins/http-api/

For an in-depth analysis of the issue, its impact, and why we discourage the use of CURL, please review the following links:

Keep in mind, WordPress includes cacert.pem so if you use the HTTP API you won't need to.

Please let us know if you have any questions. If you no longer wish to maintain your plugins, simply reply to let us know and we can permanently close them for you.

  • WordPress Plugin Directory team
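
The change recommended in the notice above, as an added example that is not part of the original issue or the plugin's code: a direct cURL call with verification disabled, next to the same request made through the WordPress HTTP API. The function names and the `api.example.com` endpoint are hypothetical, and the code assumes it is loaded inside WordPress (for example from a plugin file).

```php
<?php
// Added example: hypothetical helper names and endpoint, not code from the plugin.

// Before: direct cURL with certificate checks switched off. Any host that can
// intercept the connection can present its own certificate and be accepted.
function example_fetch_insecure( $url ) {
	$ch = curl_init( $url );
	curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
	curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); // certificate chain not checked
	curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 0 );     // hostname not checked
	return curl_exec( $ch );
}

// After: WordPress HTTP API. The 'sslverify' argument defaults to true and
// WordPress supplies its bundled CA certificates, so nothing TLS-related
// needs to be configured by the plugin.
function example_fetch_verified( $url ) {
	$response = wp_remote_get( $url, array( 'timeout' => 10 ) );

	// Transport failures, including a certificate that does not verify,
	// are returned as WP_Error instead of a response body.
	if ( is_wp_error( $response ) ) {
		error_log( 'Request failed: ' . $response->get_error_message() );
		return false;
	}

	// Treat anything other than 200 as a failure for this sketch.
	$code = wp_remote_retrieve_response_code( $response );
	if ( 200 !== $code ) {
		error_log( 'Unexpected HTTP status: ' . $code );
		return false;
	}

	return wp_remote_retrieve_body( $response );
}

// Constructed sample call, deferred until WordPress has finished loading.
add_action( 'init', function () {
	$body = example_fetch_verified( 'https://api.example.com/v1/status' );
	if ( false !== $body ) {
		error_log( 'Received ' . strlen( $body ) . ' bytes over a verified TLS connection' );
	}
} );
```

When reviewing a plugin for this issue, the lines to look for are `CURLOPT_SSL_VERIFYPEER` or `CURLOPT_SSL_VERIFYHOST` set to a false value, and `'sslverify' => false` passed to the HTTP API.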

ready to release