Project

General

Profile

Actions

Documentation #25155

closed

Anthologize plugin

Added by scott voth 27 days ago. Updated 4 days ago.

Status:
Resolved
Priority name:
Normal
Assignee:
Category name:
WordPress Plugins
Target version:
Due date:
% Done:

0%

Deployment actions:

Description

When reviewing documentation on Anthologize, I saw that wordpress.org has made it unavailable due to security issue. See attached screenshot. Is this something we should be concerned about?


Files

2026-06-21_17-01-22.jpg (56.3 KB) 2026-06-21_17-01-22.jpg scott voth, 2026-06-21 05:09 PM
Actions #1

Updated by Raymond Hoh 26 days ago

Thanks Scott. It looks like the security issue is outlined here: https://patchstack.com/database/wordpress/plugin/anthologize/vulnerability/wordpress-anthologize-plugin-0-8-3-cross-site-request-forgery-csrf-vulnerability. Note that the description lists this with a low severity impact and is unlikely to be exploited.

A Github user has addressed this issue and offered some other improvements in a pull request with help from Claude here - https://github.com/chnm/anthologize/pull/118.

Boone, can you review when you've had a chance?

Actions #2

Updated by Boone Gorges 18 days ago

  • Status changed from New to Staged for Production Release
  • Target version set to 2.7.7

Thanks for the pointer, Ray.

The Patchstack report doesn't specifically say where the CSRF vulnerability is, but I can say with certainty that there's a number of places through the Anthologize plugin where nonces ought to be utilized but are not. As you said, though, the risks here are minimal.

My previous experience with issues of this type suggests that, in order to get Anthologize relisted on wordpress.org, the plugin will need to go through the full plugin audit process. I just did a scan using the plugin-check tool and it confirms my fears that such an audit would turn up hundreds of issues that would need manual fixing. This is beyond the scope of what I can reasonably do for a tool that is so old and so little used. The linked PR appears to be an AI-generated attempt to bring the plugin (sorta) up-to-date, but simply reviewing this PR would take many hours of testing.

Anthologize is sufficiently old and unmaintained that I think we should hide it from being activated in the future. I've gone ahead and made this change in https://github.com/cuny-academic-commons/cac/commit/da749b06f0faba0325e26eca8239d60e9143d905 I don't see a reason at this time why we need to remove it from the codebase.

Actions #3

Updated by Boone Gorges 4 days ago

  • Status changed from Staged for Production Release to Resolved
Actions

Also available in: Atom PDF