Most WordPress users know that WordPress plugins should be updated. Updates frequently include patches that fix security vulnerabilities. Part of every WordPress user’s routine should include regular plugin and core updates. But there’s another source of potential vulnerability that WordPress users may not be aware of: many themes include bundled plugins, and those plugins are not part of the WordPress update interface.
It was recently discovered that some versions of the Slider Revolution plugin contained a critical vulnerability. This vulnerability is a particular problem because Slider Revolution is included in hundreds of premium themes, which means WordPress users are reliant on theme developers to update the version included in their themes.
In fact, the vulnerability was fixed back in February, and it only became widely publicized in the last few days. The plugin’s developers quietly patched the plugin and mentioned the fix briefly in their release notes, but didn’t disclose any details. Unfortunately, the vulnerability was known to hackers, but its seriousness was not revealed to theme developers or WordPress users. The result is that many WordPress sites using themes that bundled the plugin are vulnerable. WordPress users should check their themes and ensure that bundled versions of the Slider Revolution plugin have been updated to 4.2 or later.
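The check recommended above, as an added example that is not part of the original post: a POSIX shell script that walks a wp-content/themes directory, reads the standard WordPress plugin header of every bundled copy and flags versions older than 4.2. It assumes the bundled plugin keeps its usual layout (a revslider directory whose main file is revslider.php); the location inside each theme is not assumed.

```shell
#!/bin/sh
# Added example: report bundled copies of Slider Revolution under a WordPress
# themes directory whose plugin header is older than the fixed release (4.2).
# Assumption: the bundled plugin keeps its normal layout, a "revslider"
# directory whose main file revslider.php carries the standard WordPress
# plugin header with a "Version:" line. Its location inside the theme varies.

MIN_VERSION="4.2"

# version_lt A B -> exit 0 when dotted version A is older than B
# (pure sh, so it does not depend on GNU "sort -V"; missing parts count as 0)
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# plugin_version FILE -> prints the Version: value from a plugin header
# (the header line may be written "Version: x" or " * Version: x")
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# scan_themes THEMES_DIR -> one line per bundled copy: theme, version, status
scan_themes() {
    find "$1" -type f -name revslider.php 2>/dev/null | while IFS= read -r f; do
        theme=$(printf '%s\n' "${f#"$1"/}" | cut -d/ -f1)
        ver=$(plugin_version "$f")
        if [ -z "$ver" ]; then
            status="UNKNOWN (no Version header)"
        elif version_lt "$ver" "$MIN_VERSION"; then
            status="VULNERABLE (older than $MIN_VERSION)"
        else
            status="OK"
        fi
        printf '%s\t%s\t%s\n' "$theme" "${ver:-?}" "$status"
    done
}

# Usage: ./check-revslider.sh /var/www/html/wp-content/themes
if [ $# -gt 0 ]; then
    scan_themes "$1"
fi
```

A theme reported as VULNERABLE needs an updated theme package from its developer, since the WordPress update screen will not offer the fix for a bundled copy.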
Most themes have already been updated and those that haven’t have been removed from ThemeForest, but they may still be available from individual developers, and those who are already using themes with older versions remain vulnerable.
Two issues are brought into prominence by this vulnerability. Firstly, the ethics of withholding information about security vulnerabilities from users and developers, and, secondly, whether theme developers should bundle plugins at all.
While theme developers should keep all bundled plugins up-to-date, they are far more likely to do so if they have information about the seriousness of the problem, which in this case allows attackers to edit the wp-config.php file. It’s perhaps understandable that the plugin’s developers want to minimize the impact to their business, but keeping a vulnerability’s details secret while it is being actively exploited is not the most user-focused approach.
A number of theme developers cite instances like this as a reason that they decline to include bundled plugins. In addition to the potential security hazard, there are also support issues with bundled plugins—do users turn to the plugin developer or to the theme developer if they need help or have a bug to report?
What do you think? Are bundled plugins a good idea or do the problems they cause outweigh the benefits?