[wp-hackers] WordPress Plugin GUID
yahgrp at poplarware.com
Fri Jun 5 14:56:42 GMT 2009
>> Currently, if a plugin author chooses to self-host his plugin and not
>> list it in the directory, a malicious individual could e-mail Matt and
>> ask for an entry in the plugin directory with the same slug. Then, the
>> malicious individual could release an 'update' to the plugin that could
>> 0wn the blog.
Couldn't they also put the same GUID in there as the original plugin?
If you wanted to avoid hijacking of plugins hosted elsewhere, you'd
also need to enforce the idea that the GUID for plugins on wp.org
would be their wp.org full URL. In which case, putting it in
automatically somehow seems like the only/best idea.
Jennifer Hodgdon * Poplar ProductivityWare
Drupal, WordPress, and custom Web programming