Pretty Link Plugin for WordPress has a new security update to fix a cross-site scripting vulnerability.
Pretty Link Lite Version 1.5.6 and Pretty Link Pro Version 1.5.6 were released on January 6, 2012. According to the plugin's changelog, the vulnerability could have affected a very small number of users.
I'm not exactly sure what they mean by “a very small number of users,” but the plugin has been downloaded 392,206 times. Last week alone it was downloaded 10,497 times.
Although I love the functionality of this plugin and use *Pretty Link Pro, my concern is the number of “security fixes” listed in its changelog:
- Version 1.5.6 – Fixed a cross-site scripting vulnerability that could have affected a very small number of users.
- Version 1.5.4 – Fixed XSS Vulnerability
- Version 1.5.1 – Fixed another XSS Vulnerability and made some big security enhancements
- Version 1.5.0 – Fixed XSS Vulnerabilities
That said, I am glad the developer releases these necessary security updates promptly.
If you're using the Pretty Link plugin, I highly recommend you upgrade to 1.5.6 immediately.
UPDATE: January 9, 2012
Blair Williams, the developer of Pretty Link, clarified things for us in his comment:
Hey there Regina … I just wanted to clarify that we have recently been going through the code to proactively eliminate any security issues and have made some great changes to protect our users. We've also had 3 independent security audits as well which have turned up some cross site scripting issues that we cleaned up quickly.
We're trying our best to address any security vulnerabilities we find within 24 hours of verifying them — we really want our users to have the safest experience possible using our products.
As for the phrase “small number of users” … in this case it just means that a) if your site is running on a properly configured web-host you'd never be affected by these issues b) we never had any reports from our users that they had problems with these and c) I'd be very surprised if any of our users had any issues with any of these issues.
Hope that helps clarify 🙂 …
Leave Your Feedback
Are you using Prettylink on your WordPress blog? Or do you recommend another link shortener/tracker? Have you been affected by any of the vulnerabilities from this plugin? Please leave your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
* Denotes our Affiliate Link. If you a make a purchase through this link, we may receive a commission. See our Disclosure.
Blair Williams says
Hey there Regina … I just wanted to clarify that we have recently been going through the code to proactively eliminate any security issues and have made some great changes to protect our users. We’ve also had 3 independent security audits as well which have turned up some cross site scripting issues that we cleaned up quickly.
We’re trying our best to address any security vulnerabilities we find within 24 hours of verifying them — we really want our users to have the safest experience possible using our products.
As for the phrase “small number of users” … in this case it just means that a) if your site is running on a properly configured web-host you’d never be affected by these issues b) we never had any reports from our users that they had problems with these and c) I’d be very surprised if any of our users had any issues with any of these issues.
Hope that helps clarify 🙂 …
Regina Smola says
Hi Blair,
Thanks so much for your comment. I truly appreciate you taking the time to clarify things. It shows your dedication to all our site’s security and that you actively support the users of your plugin.
I’ve been a user of Pretty Link for quite a while now and liked it so much I upgraded to Pro.
Greg says
I’ve always used Go Codes: http://wordpress.org/extend/plugins/gocodes/ which Michael Gray recommends. And it’s always worked great. However, it’s been very rarely updated. It would be interesting to see a comparison between the two plugins.
Regina Smola says
Hi Greg,
Thanks for the recommendation. I checked out that plugin and that’s very scary! GoCodes hasn’t been updated since 2009.
Here’s my quick comparison:
Tested up to WordPress version:
- Pretty Link Lite: 3.3.1
- GoCodes version 1.3.4: 2.8
Last updated:
- Pretty Link Lite: 1/6/2012
- GoCodes: 6/13/2009
Author support:
- Pretty Link Lite: http://profiles.wordpress.org/users/supercleanse/ < Answers questions on the WordPress Support Forum and is active in the community. Blair Williams has also reached out to our community (see update in post above).
- GoCodes: None. His profile is so old that there's no link to it. However, I did find his "new" (?) profile here: http://wordpress.org/support/profile/redwallhp and he did respond to a support question about 4 months ago. But there are still others with issues, and no help has been provided to them yet.
Additional Concerns:
Gocodes Other Notes:
Version 1.3.3 – Hopefully the PHP4 bug in the 1.3.x line has been fixed, finally. <<< What about PHP5?
In conclusion:
My biggest concerns are using old/outdated plugins, no technical support from plugin authors, and bad code.
I'm sticking with Pretty Link Pro 🙂 At least I know it's supported, current, and I can reach out to the author anytime.
Greg says
Support is a huge issue for all WordPress plugins. A lot of SEO and marketing plugins suffer from a lack of updates, as most authors soon realize they get very little from writing plugins except an unpaid customer service job.
Pretty Link looks like its automation feature might also replace another aging plugin I’ve used for internal linking of keywords.
Regina Smola says
Thanks for your input, Greg. I hear ya on the lack of updates. I run into that myself all the time working on clients’ websites. It takes a real commitment to run a free and premium plugin.
I’ve got Pretty Link Pro, but don’t utilize all of its built-in features yet. Hopefully I’ll find time to check them all out.
Pete Lauder says
I would stay with version 1.56 for a while. Unfortunately, I upgraded automatically to 1.57, and it caused no end of problems; see Google for the public_html/wp-content/plugins/pretty-link/classes/models/models.inc.php on line 26 error.
If it happens to you, do not log out; just uninstall 1.57 and download 1.56 from here: http://wordpress.org/extend/plugins/pretty-link/download/