I got an e-mail today from someone who noticed that my old Top Commenters plugin had been included as a target in some automated tool that searches for WordPress blogs that allow for links to be posted for the purpose of SEO manipulation.
There are a couple mitigating factors explaining why I don’t plan to do anything about it.
- I don’t update / maintain this (or, currently, any other) plugin anymore.
- It was only very early versions of the plugin that passed the commenter-supplied URL (the one typed into the comment form) straight through to the “Top Commenters” list; that is the whole nature of the “exploit”: get a comment approved and you get a sidebar link. As of a version released in December 2006, it only uses the profile URL of registered users.
- Even if it hadn’t been “fixed” years ago and I felt the need to issue an update to address the “problem” now, these people have obviously gone without updating this plugin for years, so it’s extremely unlikely that any of them would apply this one.
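For readers who want to see the difference in code, here is an added illustration of the two patterns described above. It is not the Top Commenters plugin's own source; it assumes the standard WordPress `$wpdb` global and `wp_comments` / `wp_users` tables, a hypothetical `$limit` of 10, and function names (`tc_*`) invented for the example.

```php
<?php
// Added example, not code from the Top Commenters plugin.
// Assumes WordPress globals ($wpdb) and the standard comments/users tables.

/**
 * Vulnerable pattern (what early versions did, per the post):
 * the URL shown in the sidebar is the one typed into the comment form,
 * so anyone whose comment gets approved controls a sidebar link target.
 */
function tc_top_commenters_vulnerable( $limit = 10 ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT comment_author     AS name,
                comment_author_url AS url,
                COUNT(*)           AS total
           FROM {$wpdb->comments}
          WHERE comment_approved = '1'
       GROUP BY comment_author_email
       ORDER BY total DESC
          LIMIT %d",
        (int) $limit
    ) );
}

/**
 * Hardened pattern (the December 2006 fix, as I would write it):
 * count by user account, take the URL from the user's profile, and
 * drop anonymous commenters (user_id = 0) from the list entirely.
 */
function tc_top_commenters_registered( $limit = 10 ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT u.display_name      AS name,
                u.user_url          AS url,
                COUNT(c.comment_ID) AS total
           FROM {$wpdb->comments} c
           JOIN {$wpdb->users}    u ON u.ID = c.user_id
          WHERE c.comment_approved = '1'
            AND c.user_id <> 0
       GROUP BY u.ID
       ORDER BY total DESC
          LIMIT %d",
        (int) $limit
    ) );
}

/**
 * Render either result set. Output is escaped (esc_url() also rejects
 * javascript: and similar schemes) and links carry rel="nofollow", so even a
 * registered user's profile URL passes no search-engine weight.
 */
function tc_render_list( array $rows ) {
    $html = "<ul class=\"top-commenters\">\n";
    foreach ( $rows as $row ) {
        $name  = esc_html( $row->name );
        $total = (int) $row->total;
        if ( ! empty( $row->url ) ) {
            $url   = esc_url( $row->url );
            $html .= "<li><a href=\"{$url}\" rel=\"nofollow\">{$name}</a> ({$total})</li>\n";
        } else {
            $html .= "<li>{$name} ({$total})</li>\n";
        }
    }
    return $html . "</ul>\n";
}

// Usage inside a theme or widget callback:
// echo tc_render_list( tc_top_commenters_registered( 10 ) );
```

The point of the hardened query is that the link target is something the blog owner controls (a registered account's profile, which an admin can see and edit), not free-form comment input. The `rel="nofollow"` is the belt-and-braces part: if the SEO tool's only goal is link juice, a nofollowed link is worth nothing to it even when the first check is bypassed.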
I’m interested in other thoughts as to what (if anything) I could / should do about this news.
UPDATE – I do not plan to link to the “tool” here, for obvious reasons, but I did see the page that displayed it, explained the “hole”, and even included a YouTube video showing how to find vulnerable blogs. At least they’re trying to be professional about it, I guess.