• Resolved perrydc

    (@perrydc)


    I’m a long-time user of Rank Math and am trying to install it on a major news site. Our developers are on board with the value of the plugin vs. Yoast, but they have serious concerns about a number of security issues that have come up in their linting process and they are advising against deployment. Here are just a few of the severe issues that came up in linting:

    WordPress.Security.EscapeOutput.OutputNotEscaped
    WordPress.Security.NonceVerification.Recommended
    WordPress.Security.ValidatedSanitizedInput.InputNotValidated
    WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
    WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
    WordPress.Security.ValidatedSanitizedInput.InputNotValidated
    
    WordPress.DB.DirectDatabaseQuery.NoCaching
    WordPress.DB.DirectDatabaseQuery.DirectQuery
    WordPress.DB.PreparedSQL.InterpolatedNotPrepared
    WordPress.DB.DirectDatabaseQuery.SchemaChange
    WordPress.DB.SlowDBQuery.slow_db_query_tax_query
    WordPress.DB.SlowDBQuery.slow_db_query_meta_query
    
    WordPressVIPMinimum.Functions.RestrictedFunctions.url_to_postid_url_to_postid
    WordPressVIPMinimum.Functions.CheckReturnValue.DirectFunctionCall
    WordPressVIPMinimum.Functions.RestrictedFunctions.get_posts_get_posts
    WordPressVIPMinimum.Functions.RestrictedFunctions.wp_remote_get_wp_remote_get
    WordPressVIPMinimum.Functions.RestrictedFunctions.switch_to_blog_switch_to_blog
    WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail
    WordPressVIPMinimum.Security.ProperEscapingFunction.htmlAttrNotByEscHTML
    WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr
    WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude
    WordPressVIPMinimum.Performance.RemoteRequestTimeout.timeout_timeout
    
    WordPress.PHP.PregQuoteDelimiter.Missing
    WordPress.WP.GlobalVariablesOverride.Prohibited
    WordPress.WP.DiscouragedFunctions.wp_reset_query_wp_reset_query
    
    VariableAnalysis.CodeAnalysis.VariableAnalysis.UndefinedVariable

    This is a well-respected, major developer of WordPress sites and I am not prepared to push them to ‘do it anyway’ with assurances that you are ‘audited every three months’. Are there any plans in the works to address some of these vulnerabilities?

    Thank you!
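The sniff names in the list above are PHP_CodeSniffer rules from the WordPress Coding Standards and the VIP Coding Standards. As an added illustration that is not part of this thread and not Rank Math’s code, the block below writes one admin request handler twice: first in the shape that trips the security sniffs named above, then in the shape those sniffs accept, followed by the case where correctly escaped code is still flagged. Function, nonce, option and cache-group names are hypothetical; the WordPress APIs used (check_admin_referer, sanitize_text_field, $wpdb->prepare, esc_html, wp_safe_redirect and so on) are real.

```php
<?php
/**
 * Added example (not Rank Math code): the same handler written two ways, to
 * show what the WordPressCS / VIP sniffs named in the thread look for.
 * example_plugin_* names, the nonce action and the cache group are
 * hypothetical; the WordPress functions are real.
 */

// --- Pattern that trips the sniffs listed in the thread -------------------
function example_plugin_handle_insecure() {
    global $wpdb;

    // NonceVerification.Recommended + InputNotValidated + InputNotSanitized:
    // $_GET is read with no nonce check, no isset(), no sanitization.
    $slug = $_GET['slug'];

    // PreparedSQL.InterpolatedNotPrepared + DirectDatabaseQuery.DirectQuery/NoCaching:
    // untrusted input interpolated straight into SQL (SQL injection).
    $post_id = $wpdb->get_var( "SELECT ID FROM {$wpdb->posts} WHERE post_name = '$slug'" );

    // EscapeOutput.OutputNotEscaped: request-controlled value echoed raw (XSS).
    echo '<p>Found post ' . $post_id . ' for ' . $slug . '</p>';

    // SafeRedirect.wp_redirect_wp_redirect: destination taken from the request
    // and passed to wp_redirect(), which accepts off-site URLs (open redirect).
    wp_redirect( $_GET['return'] );
    exit;
}

// --- Same handler, written so the sniffs pass on their own terms -----------
function example_plugin_handle_secure() {
    global $wpdb;

    // Nonce check first; check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_plugin_lookup', '_example_nonce' );

    // Validate (isset) and sanitize (wp_unslash + sanitize_text_field) before use.
    $slug = isset( $_GET['slug'] ) ? sanitize_text_field( wp_unslash( $_GET['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_die( 'Missing slug.' );
    }

    // Prepared statement: the sniff looks for $wpdb->prepare() wrapping the query.
    // The wp_cache_get()/wp_cache_set() pair in the same scope is what
    // DirectDatabaseQuery.NoCaching wants to see; DirectQuery itself still warns
    // on any $wpdb call and is meant to be a documented exception.
    $cache_key = 'example_plugin_slug_' . md5( $slug );
    $post_id   = wp_cache_get( $cache_key, 'example_plugin' );
    if ( false === $post_id ) {
        $post_id = (int) $wpdb->get_var(
            $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s LIMIT 1", $slug )
        );
        wp_cache_set( $cache_key, $post_id, 'example_plugin', HOUR_IN_SECONDS );
    }

    // Escape at the point of output, with the escaper matching the context:
    // esc_attr() inside an attribute value, esc_html() in a text node.
    // (ProperEscapingFunction.htmlAttrNotByEscHTML fires if esc_html() is used
    // for the attribute.)
    printf(
        '<p data-post="%s">Found post %s for %s</p>',
        esc_attr( $post_id ),
        esc_html( $post_id ),
        esc_html( $slug )
    );

    // wp_safe_redirect() rejects hosts not in the allowed_redirect_hosts list
    // and falls back to admin_url(); an empty value is handled explicitly here.
    $return = isset( $_GET['return'] ) ? esc_url_raw( wp_unslash( $_GET['return'] ) ) : '';
    if ( '' === $return ) {
        $return = admin_url();
    }
    wp_safe_redirect( $return );
    exit;
}

// --- Why a correctly escaped code base can still be flagged ----------------
function example_plugin_escaped_earlier( $title ) {
    // The EscapeOutput sniff is not data-flow aware: it only recognises an
    // esc_*() call inside the echoed expression itself. $safe_title IS escaped,
    // but the echo below is still reported as OutputNotEscaped.
    $safe_title = esc_html( $title );

    // Either move the escaping onto the echo, or record the reason so a
    // reviewer can see it (a bare, unexplained ignore is an audit smell).
    // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- escaped via esc_html() two lines above.
    echo $safe_title;
}
```

Run it against the ruleset with `phpcs --standard=WordPress-VIP-Go file.php` (the `WordPress-VIP-Go` standard ships with the VIP Coding Standards package that provides the `WordPressVIPMinimum` sniffs). Two caveats worth keeping in mind when reading a report like the one in this thread: the escaping sniff reports any echo whose expression does not itself contain an escaper, so code that escapes into a variable a few lines earlier is flagged even though it is safe, which is the “escaping not done where the tool expects it” situation; and a clean report is not a security review, because the sniffs check the shape of a call, not whether the handler also enforces authorization (for example a `current_user_can()` check), which none of the listed rules cover.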

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Rank Math Support

    (@rankmathteam)

    Hello @perrydc,

    Thank you for contacting support.

    It seems like these are false positives, and these tests are mostly applicable to the WP VIP customers.

    The escaping is done properly everywhere. It must be a false positive because the escaping might not be done where the tool expects it to be.

    Did your developer check them manually or use a tool to check these?

    They can check the lines manually where the errors are showing up in the tool.

    Looking forward to sorting this asap.

    Thread Starter perrydc

    (@perrydc)

    Thank you for your attention to this matter. Rank Math is central to our growth strategy, so I am motivated to work with you to resolve these issues and also help you open up your plugin to more restrictive sites on WordPress VIP and other strict security platforms.

    Our site is not on VIP (we use Alley Interactive), but the developer uses VIP’s linting tool to assess issues before approving any plugin. Although I have not worked directly with VIP, I have worked with other major Automattic-approved developers who use similar linting tools and don’t currently offer RankMath as an option. If these are false positives, they are scaring away many potential clients of RankMath.

    We can, as you suggest, go through these on a line-by-line basis, but there are over 800 lines that were flagged as critical or severe security issues by the VIP linter. Manually reviewing each line will take weeks at our present contract allocation and consume thousands of dollars in developer time that I need to apply to other priorities. If we eat the cost of that review, it will only open up Rank Math to other clients of Alley and only for a limited time, since future updates to the plugin will need to be reviewed on a line-by-line basis.

    Would it be possible for you to explore whether there is a simple change to your code that might knock out a high percentage of these issues? If you are amenable, I can connect you with our lead developer and also share details on our linter. I believe an investment in silencing these security flags on your side will yield a larger customer base.

    If you are not amenable to updating your code (because you do not regard them as true security vulnerabilities), perhaps you could supply me with a list of development shops in the US who have high security standards and also allow deployment of your plugin.

    I know RankMath works (and I’ve seen its impact on site traffic for other properties I’ve managed in the past), so I will find a way to make this happen, one way or another.

    Plugin Support Rank Math Support

    (@rankmathteam)

    Hello @perrydc

    Thank you for your patience.

    Can you please test with the following branch?
    https://github.com/rankmath/seo-by-rank-math/tree/vip-improvements

    Please let us know how that goes.

    Thread Starter perrydc

    (@perrydc)

    Hi @rankmathteam

    Thank you for pulling this together! The team at Alley is reviewing this branch in our next cycle (complete 9/7). I will let you know if they have any further concerns after running this branch through their linting tool.

    Thank you!

    Plugin Support Rank Math Support

    (@rankmathteam)

    Hello @perrydc,

    Let us know how that goes.

    Please don’t hesitate to create a new forum topic if you need our assistance with anything else in the meantime.

    Looking forward to hearing back from you.

    Thank you.

    Thread Starter perrydc

    (@perrydc)

    Alley has approved this branch for deployment; however, they have identified a few remaining security issues which we should probably take offline, since these are vulnerabilities that could be exploited. Please email me and I’ll send you the results of their branch review: perrydc AT gmail DOT org.

  • The topic ‘Review Severe Security Vulnerabilities’ is closed to new replies.