
Codebase Manager

VIP’s Codebase Manager is a service that helps customers keep versions of the plugins in their wpcomvip GitHub repositories secure and up to date. Codebase Manager’s automated security scanning watches for new plugin vulnerabilities that are published to WPScan.

  • Codebase Manager only scans plugins that are located within an application’s /plugins directory.
  • All plugins scanned by Codebase Manager, any available version updates, and identified security vulnerabilities are listed in an environment’s VIP Dashboard Plugins panel.
  • Pull requests to update plugins with available version updates can be initiated from within an environment’s VIP Dashboard Plugins panel.

Plugin information included in pull requests

Information that is included in the pull request description, detailing the affected plugin identified in the customer repository:

  • Details: Source URL of the reported vulnerable plugin in the WordPress.org Plugin Directory.
  • Installed location: Path to the directory matching the reported vulnerable plugin in the GitHub repository branch.
  • Version: The version of the plugin that the pull request updates to.

To prevent false-positive plugin matches, customers should verify that the WordPress.org plugin referenced in the pull request is actually the plugin installed at that path in the branch of their repository, not a custom or differently sourced plugin that happens to share the directory name.

Security information included in pull requests

Additional information included in the pull request about the type and severity of the vulnerability:

  • Title: The title of the reported vulnerability, usually containing the name of the plugin, the affected version(s), and a brief description of the vulnerability.
  • Details: A link to the WPScan site where more details specific to the reported vulnerability can be reviewed.
  • Severity score: Severity rating of the reported vulnerability based on the Common Vulnerability Scoring System (CVSS).

CVSS Ratings

Qualitative severity ratings used for the score, following the CVSS v3 rating scale:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

Preventing false-positive plugin matches

On rare occasions, the naming convention of a plugin directory can cause Codebase Manager to identify a false positive and generate a pull request. A false positive can occur when the directory name for a custom plugin, or for a third-party plugin obtained from a different source, is identical to the directory name (slug) of the WordPress.org plugin identified in the security vulnerability. Codebase Manager matches on the directory name, so a slug collision alone is enough to trigger a pull request.

Customers should set the Update URI plugin header field in custom plugins to prevent them from being accidentally overwritten by an update of a WordPress.org Plugin Directory plugin that has the same slug. A header value that is not the plugin's own WordPress.org page (for example, a vendor update URL, or the literal value false to disable update checks entirely) takes the plugin off the WordPress.org update channel.
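The following is an added example, not code from the Codebase Manager service or from WordPress core. It shows the Update URI header in a constructed plugin file and a small checker that, given a list of plugin directory slugs flagged by a vulnerability feed, reports which installed directories would still be treated as the WordPress.org plugin of that name (no Update URI, or one naming the plugin's own WordPress.org page) and which are opted out. The header parsing mirrors the approach WordPress uses in get_file_data() (first 8 KiB, "Header: value" lines with leading comment characters tolerated); the plugin names, slugs, URLs and vulnerable-slug list are constructed for the example, and the exact set of WordPress.org-form Update URI values is stated as an assumption in the code.

```python
from __future__ import annotations
import re

# Constructed sample: main plugin files keyed by directory slug (assumption: the
# directory name is the slug Codebase Manager matches against the feed).
SAMPLE_PLUGINS: dict[str, str] = {
    # Custom plugin, opted out of WordPress.org updates via Update URI.
    "acme-forms": """<?php
/**
 * Plugin Name: Acme Forms
 * Version: 2.3.1
 * Update URI: https://updates.example.com/acme-forms
 */
""",
    # Custom plugin with NO Update URI: a WordPress.org plugin with the same slug
    # would be offered as an update for it.
    "contact-helper": """<?php
/**
 * Plugin Name: Contact Helper (internal)
 * Version: 0.4.0
 */
""",
    # Genuine WordPress.org plugin declaring its own .org page.
    "example-gallery": """<?php
/**
 * Plugin Name: Example Gallery
 * Version: 1.9.2
 * Update URI: https://wordpress.org/plugins/example-gallery/
 */
""",
    # Not in the vulnerability feed; should not appear in the report.
    "unrelated-plugin": """<?php
/**
 * Plugin Name: Unrelated Plugin
 * Version: 3.0.0
 */
""",
}

# Constructed slugs standing in for entries from a vulnerability feed.
SAMPLE_VULNERABLE_SLUGS = {"acme-forms", "contact-helper", "example-gallery"}

HEADER_FIELDS = {"Plugin Name": "name", "Version": "version", "Update URI": "update_uri"}


def parse_plugin_headers(file_text: str) -> dict[str, str]:
    """Read plugin headers from the main plugin file's header comment.

    Mirrors the WordPress get_file_data() approach: only the first 8 KiB is
    read, a header is a 'Label: value' line that may be preceded by comment
    characters, and a trailing '*/' or '?>' on the same line is discarded.
    """
    head = file_text[:8192].replace("\r", "\n")
    found: dict[str, str] = {}
    for label, key in HEADER_FIELDS.items():
        pattern = r"^[ \t/*#@]*" + re.escape(label) + r":(.*)$"
        match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        value = match.group(1) if match else ""
        value = re.sub(r"\s*(?:\*/|\?>).*", "", value)  # drop comment terminators
        found[key] = value.strip()
    return found


def wporg_update_eligible(slug: str, update_uri: str) -> bool:
    """True if the plugin stays on the WordPress.org update channel for this slug.

    Assumption (from the Update URI header introduced in WordPress 5.8): an absent
    header, or one that names the plugin's own WordPress.org page in one of the
    forms below, keeps the plugin on the .org channel; any other value, including
    the literal 'false', takes it off.
    """
    value = update_uri.strip().lower()
    if not value:
        return True
    wporg_forms = {
        f"https://wordpress.org/plugins/{slug}/",
        f"w.org/plugin/{slug}",
    }
    return value in wporg_forms


def find_collisions(installed: dict[str, str], vulnerable_slugs: set[str]) -> dict[str, dict]:
    """For each installed directory whose slug is in the feed, report whether the
    slug-only match is trustworthy. wporg_match=True with a custom plugin name is
    the false-positive case the text describes: it needs an Update URI header."""
    report: dict[str, dict] = {}
    for slug, main_file in installed.items():
        if slug not in vulnerable_slugs:
            continue
        headers = parse_plugin_headers(main_file)
        report[slug] = {
            "name": headers["name"],
            "version": headers["version"],
            "update_uri": headers["update_uri"],
            "wporg_match": wporg_update_eligible(slug, headers["update_uri"]),
        }
    return report


if __name__ == "__main__":
    for slug, info in find_collisions(SAMPLE_PLUGINS, SAMPLE_VULNERABLE_SLUGS).items():
        status = "treated as WordPress.org plugin" if info["wporg_match"] else "opted out via Update URI"
        print(f"{slug}: {info['name']} {info['version']} -> {status}")
```

In the sample data, acme-forms is correctly excluded, example-gallery is a genuine WordPress.org match, and contact-helper is the case to act on: a custom plugin with no Update URI header that a same-slug WordPress.org update would overwrite. Running the checker over a real /plugins directory is a matter of replacing SAMPLE_PLUGINS with the contents of each directory's main plugin file.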

Last updated: January 27, 2023