[wp-hackers] WordPress Plugin GUID

Jeremy Visser jeremy at visser.name
Fri Jun 5 12:06:09 GMT 2009


On Thu, 2009-06-04 at 15:11 -0700, Lloyd Budd wrote:
> The Plugin GUID would get sent to the plugin directory when checking
> for updates. If the GUID does not match any known plugin in the
> directory, it would just skip that plugin during the update check. If
> it matches, use that match. No longer do any heuristic matches between
> titles, urls, etc.

This is a great idea from a security perspective.

Currently, if a plugin author chooses to self-host his plugin and not
list it in the directory, a malicious individual could e-mail Matt and
ask for an entry in the plugin directory with the same slug. Then, the
malicious individual could release an 'update' to the plugin that could
0wn the blog.

However, having a GUID in place means users won't automagically get
updates to their plugins if a plugin author decides to have their plugin
hosted in the directory after a large quantity of users have already
downloaded a version that doesn't have a GUID.

I guess WordPress would have to still offer updates for plugins that
don't have a local GUID, but the slug matches. Or does that defeat the
purpose, or not make sense?
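As an added illustration (not code from the thread or from WordPress itself), the following Python models the three matching policies discussed above against a constructed plugin directory; the slugs, GUIDs and version numbers are made up. It shows which policy offers the squatted directory entry as an "update" to a self-hosted, GUID-less plugin.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Plugin:
    slug: str
    version: str
    guid: Optional[str] = None  # None: shipped before GUIDs existed, or self-hosted


def version_tuple(v: str) -> tuple:
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def resolve_update(local: Plugin, directory: List[Plugin], policy: str) -> Optional[Plugin]:
    """Return the directory entry that would be offered as an update, or None.

    policy is one of:
      "heuristic"    - match on slug alone (the behaviour the proposal replaces)
      "guid_only"    - require a GUID that matches a directory entry; otherwise skip
      "guid_or_slug" - GUID match when the local plugin has one, else fall back to slug
    """
    by_guid = next((d for d in directory if local.guid is not None and d.guid == local.guid), None)
    by_slug = next((d for d in directory if d.slug == local.slug), None)
    if policy == "heuristic":
        candidate = by_slug
    elif policy == "guid_only":
        candidate = by_guid
    elif policy == "guid_or_slug":
        candidate = by_guid if local.guid is not None else by_slug
    else:
        raise ValueError(f"unknown policy: {policy}")
    # Only a strictly newer directory version counts as an update.
    if candidate is None or version_tuple(candidate.version) <= version_tuple(local.version):
        return None
    return candidate


# Constructed directory: "foo" is a squatted entry for a plugin that is really self-hosted.
DIRECTORY = [
    Plugin("foo", "1.3", "guid-squatter"),
    Plugin("bar", "2.1", "guid-bar"),
    Plugin("baz", "9.9", "guid-other"),
]
SELF_HOSTED = Plugin("foo", "1.2")             # installed without a GUID
LEGIT = Plugin("bar", "2.0", "guid-bar")        # GUID agrees with the directory
MISMATCH = Plugin("baz", "1.0", "guid-baz")     # same slug, different GUID
```

Under "guid_only" the self-hosted plugin is skipped, while both "heuristic" and the slug fallback hand it the squatted 1.3 release; a GUID mismatch with a shared slug is also skipped, which is the protection the exact match buys.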


