[wp-hackers] WordPress Plugin GUID
wp-hackers at striderweb.com
Fri Jun 5 15:16:16 GMT 2009
On Jun 5, 2009, at 9:56 AM, Jennifer Hodgdon wrote:
>>> Currently, if a plugin author chooses to self-host his plugin and
>>> list it in the directory, a malicious individual could e-mail Matt and
>>> ask for an entry in the plugin directory with the same slug. Then, the
>>> malicious individual could release an 'update' to the plugin that would
>>> 0wn the blog.
> Couldn't they also put the same GUID in there as the original
> plugin? If you wanted to avoid hijacking of plugins hosted
> elsewhere, you'd also need to enforce the idea that the GUID for
> plugins on wp.org would be their wp.org full URL. In which case,
> putting it in automatically somehow seems like the only/best idea.
No, that's the opposite.
He describes a cracker putting a malware plugin in WP-Extend that
update/overwrites your self-hosted plugin.
You describe creating a self hosted plugin that would be update/
overwritten by someone else's WP-Extend plugin. Which isn't very
useful to a cracker....
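The two matching policies the thread contrasts (resolving updates by slug alone versus by a GUID that, for directory-hosted plugins, is forced to be the wp.org URL) can be modelled in a few lines. The following is an added illustration, not WordPress code or anything from the wp-hackers thread; the `guid` field on directory entries, the `wporg_guid` convention and the sample plugins are assumptions constructed for the example.

```python
"""Constructed model of slug-based vs GUID-based update matching.

Not WordPress code: the Plugin/UpdateEntry shapes, the `guid` field on
directory entries and the sample data are assumptions for this example.
"""
from dataclasses import dataclass

# Assumed base URL for directory-hosted plugins (wp.org "full URL" GUID).
WPORG = "http://wordpress.org/extend/plugins/"


@dataclass(frozen=True)
class Plugin:
    slug: str
    guid: str      # self-hosted plugins carry their own URL as GUID
    version: str


@dataclass(frozen=True)
class UpdateEntry:
    slug: str
    guid: str      # hypothetical field: the GUID the directory entry claims
    version: str
    package: str   # where the update archive would be fetched from


def wporg_guid(slug: str) -> str:
    """GUID a directory-hosted plugin is expected to carry: its wp.org URL."""
    return WPORG + slug + "/"


def newer(candidate: str, installed: str) -> bool:
    """Numeric dotted-version comparison (e.g. '1.10' > '1.9')."""
    return tuple(int(x) for x in candidate.split(".")) > tuple(int(x) for x in installed.split("."))


def match_by_slug(installed, directory):
    """Weak policy: any directory entry sharing the slug is 'the' update.

    A self-hosted plugin is overwritten by a directory entry that merely
    reuses its slug, which is the hijack the thread describes.
    """
    by_slug = {e.slug: e for e in directory}
    return {p.slug: by_slug[p.slug] for p in installed
            if p.slug in by_slug and newer(by_slug[p.slug].version, p.version)}


def enforce_wporg_guids(directory):
    """Directory-side rule: an entry's GUID must be its own wp.org URL.

    Returns (accepted, rejected). Without this rule a directory entry could
    simply claim a self-hosted plugin's GUID and the GUID check below would
    not help.
    """
    accepted = [e for e in directory if e.guid == wporg_guid(e.slug)]
    rejected = [e for e in directory if e.guid != wporg_guid(e.slug)]
    return accepted, rejected


def match_by_guid(installed, directory):
    """Stronger policy: only an entry with the same GUID is an update."""
    accepted, _ = enforce_wporg_guids(directory)
    by_guid = {e.guid: e for e in accepted}
    return {p.slug: by_guid[p.guid] for p in installed
            if p.guid in by_guid and newer(by_guid[p.guid].version, p.version)}


# Constructed scenario: a self-hosted plugin and a directory entry with the
# same slug (an honest-looking GUID, and a second entry that lies about it).
INSTALLED = [Plugin("foo-widget", "http://example.com/foo-widget/", "1.0")]
DIRECTORY = [
    UpdateEntry("foo-widget", wporg_guid("foo-widget"), "1.1",
                WPORG + "foo-widget.1.1.zip"),
    UpdateEntry("foo-widget", "http://example.com/foo-widget/", "1.2",
                WPORG + "foo-widget.1.2.zip"),
]


def demo():
    """Return which slugs each policy would update for the scenario above."""
    return {
        "by_slug": sorted(match_by_slug(INSTALLED, DIRECTORY)),
        "by_guid": sorted(match_by_guid(INSTALLED, DIRECTORY)),
        "rejected": [e.version for e in enforce_wporg_guids(DIRECTORY)[1]],
    }


if __name__ == "__main__":
    print(demo())
```

With slug matching the self-hosted `foo-widget` would be replaced by whichever directory entry shares its slug; with GUID matching plus the directory-side rule that a wp.org entry's GUID is its wp.org URL, the impostor entry claiming the self-hosted GUID is rejected and nothing matches the installed plugin.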