Back in September 2019 I developed my Greetings byGosh plugin, got it approved, and uploaded it to the WP Plugin Repository. Just recently, I released an updated version, following this guide: How to update an existing WordPress plugin SVN repository.
In the past I’ve seen reports of malware being distributed through a plugin in the official WP Repository. I was curious how that could happen. I know from experience that the WP plugin review and approval process is very rigorous. It turns out the rigorous review and approval process is applied only to new plugins. Updated versions of existing plugins receive no review at all, and no approval is needed! A malicious person could develop a benign plugin, or purchase the rights to an existing plugin (the latter seems to be more common for this purpose), then add malware to the next version update. Unsuspecting users would then install the malware when they update the plugin on their site – or it auto-updates on its own.
This seems like a major security hole. And, I’m not sure the good people at WordPress can do anything about it. It would be overwhelming to review every updated version of every plugin. I’m not sure WP site owners can do anything either. This scares me.
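One thing a site owner can do, even without reviewing plugin code line by line, is record what a plugin's files looked like before an update and compare afterwards, so that unexpected new files or changed files are at least visible. The script below is an added example (not part of the original post and not code from WordPress or the plugin described); it builds a SHA-256 manifest of a plugin directory, diffs two manifests, and runs a constructed demo on a temporary plugin tree whose name and contents are made up for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(plugin_dir):
    """Map each file under plugin_dir (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(plugin_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(old, new):
    """Report files that appeared, disappeared, or changed between two manifests."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "changed": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_manifest(manifest, path):
    """Persist a manifest as JSON so it can be compared after the next update."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: snapshot a fake plugin, apply a fake update, diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"  # hypothetical plugin slug
        plugin.mkdir()
        (plugin / "example-plugin.php").write_text("<?php\n// Plugin Name: Example Plugin (constructed)\n")
        (plugin / "readme.txt").write_text("=== Example Plugin ===\nStable tag: 1.0\n")

        before = build_manifest(plugin)
        save_manifest(before, Path(tmp) / "before.json")

        # Simulate an update: the readme version bumps (expected) and a new
        # file appears in a subdirectory (the kind of change worth a closer look).
        (plugin / "readme.txt").write_text("=== Example Plugin ===\nStable tag: 1.1\n")
        (plugin / "includes").mkdir()
        (plugin / "includes" / "loader.php").write_text("<?php\n// new file shipped by the update\n")

        after = build_manifest(plugin)
        return diff_manifests(load_manifest(Path(tmp) / "before.json"), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_manifest` against `wp-content/plugins/<slug>` before allowing an update and again after it, then read through anything listed under `added` or `changed` before trusting the new version; a version bump that touches only the files you expect is a very different signal from one that quietly adds a loader in a new subdirectory.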

