Codebase Manager

VIP’s Codebase Manager is a service that helps customers keep versions of plugins and themes in their wpcomvip GitHub repository secure and up to date. Codebase Manager’s automated security scanning watches for new vulnerabilities that are published to WPScan.

Leveraging the WPScan API, Codebase Manager scans the wpcomvip GitHub repository codebase of VIP WordPress applications. Customers are informed of known security vulnerabilities and available version updates identified by the scans in two ways:

• Codebase: Plugins – Identified security vulnerabilities and available version updates for plugins already deployed to application environments are reported in the VIP Dashboard Plugins panel.
• The Bot’s Vulnerability and Update Scan – Security vulnerabilities and available version updates for plugin and theme code are identified and reported by the VIP Code Analysis Bot in pull requests.

WPScan CVSS ratings

Known vulnerabilities are assigned a rating based on the Common Vulnerability Scoring System (CVSS).

None: 0.0
Low: 0.1-3.9
Medium: 4.0-6.9
High: 7.0-8.9
Critical: 9.0-10.0

Preventing false-positive matches

On rare occasions, the naming convention of a plugin or theme directory can cause Codebase Manager to identify a false positive match. A false positive can occur when the directory name for a custom plugin or theme—or third-party plugin or theme from a different source—is identical or similar to the directory name of a WordPress.org plugin or theme.

To prevent false-positive matches, customers should:

• Verify that the (WordPress.org) plugin or theme reported by Codebase manager as having a vulnerability or an available update is an accurate match for the plugin or theme in their application repository or scanned pull request.
• Utilize the Update URI header field in custom plugins and themes to prevent them from being accidentally overwritten by an update of a plugin or theme from the WordPress.org Plugin Directory that has a similar name and slug. In plugins the Update URI header should be added to the header file, and for themes it should be added to the main stylesheet. The Bot’s WPScan Analysis supports the Update URI header for themes, even though it is not supported by WordPress itself.

A plugin or theme will be ignored by Codebase Manager scans if the Update URI header is assigned as false, or assigned a value that does not contain WordPress.org or w.org.