We’ve updated WooCommerce Checkout Field Editor with enhanced security and new features

WooCommerce plugin update and security improvements

In March 2024 our plugin, WooCommerce Checkout Field Editor, was temporarily withdrawn from the WordPress.org Plugin Directory after a security report identified a Cross-Site Request Forgery (CSRF) weakness. The plugin was removed briefly so we could resolve the report and ensure our users remained safe.

We take security seriously. As of March 15, 2024, the WordPress.org team confirmed they reviewed our changes and relisted the plugin. Below we explain what happened, what we changed, and, most importantly, what we’re doing to regain the visibility and trust that you, our users, rely on.

What happened (short timeline)

  • March 7, 2024: We received notice that the plugin was temporarily withdrawn due to a CSRF vulnerability. The notification included a Patchstack report and guidance on fixes.
  • March 7–15, 2024: We performed a full review, implemented fixes, increased the plugin version, updated the code in SVN, and followed WordPress.org submission guidance.
  • March 15, 2024: WordPress.org reviewed our release and relisted the plugin with a confirmation email that the changes address the report.

What we fixed

  • Patched the reported CSRF vectors and strengthened nonce usage across admin and AJAX endpoints.
  • Performed a full security and standards review of the entire plugin codebase.
  • Bumped the plugin version and updated the “Tested up to” value in the readme to the latest WordPress release at the time.
  • Adopted safer coding patterns for input validation and capability checks where appropriate.
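To illustrate the nonce and capability pattern described above, here is an added example of a hardened logged-in AJAX handler for a WordPress admin screen. It is not the plugin’s own code: the `jcx_*` function and hook names, the `jcx_save_field` action and the `jcx_checkout_fields` option key are hypothetical; only the WordPress and WooCommerce APIs it calls are real.

```php
<?php
// Added illustrative example (not the plugin's own code). All names here
// (jcx_*, the 'jcx_save_field' action, the option key) are hypothetical.

// 1. Hand a nonce to the admin screen's JavaScript. The nonce is tied to a
//    specific action name and to the logged-in user, so a forged cross-site
//    request cannot carry a valid one.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'woocommerce_page_jcx-field-editor' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'jcx-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'jcx-editor', 'jcxEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'jcx_save_field' ),
    ) );
} );

// 2. Logged-in-only AJAX handler. A weak version would read $_POST and call
//    update_option() immediately; the hardened version rejects the request
//    unless it carries the nonce, the user holds the right capability, and
//    the input survives sanitization. No wp_ajax_nopriv_ hook is registered,
//    so logged-out visitors never reach this callback.
add_action( 'wp_ajax_jcx_save_field', function () {
    // Nonce check: dies with a 403 on failure (the $die argument defaults to true).
    check_ajax_referer( 'jcx_save_field', 'nonce' );

    // Capability check: a nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate and sanitize input before anything touches the database.
    $field_id = isset( $_POST['field_id'] ) ? sanitize_key( wp_unslash( $_POST['field_id'] ) ) : '';
    $label    = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    $required = ! empty( $_POST['required'] ) ? 1 : 0;

    if ( '' === $field_id || '' === $label ) {
        wp_send_json_error( array( 'message' => 'field_id and label are required.' ), 400 );
    }

    $fields              = (array) get_option( 'jcx_checkout_fields', array() );
    $fields[ $field_id ] = array( 'label' => $label, 'required' => $required );
    update_option( 'jcx_checkout_fields', $fields );

    wp_send_json_success( array( 'field_id' => $field_id ) );
} );
```

The matching `editor.js` (assumed, not shown) sends `nonce: jcxEditor.nonce` with each POST to `jcxEditor.ajaxUrl`; a request arriving without that value, or from a user who lacks `manage_woocommerce`, is refused before any option is written.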

New and improved features

Alongside the security fixes, we used this opportunity to ship a few quality-of-life improvements requested by users:

  • Improved validation and sanitization for custom fields.
  • Better error messages and logging for easier debugging.
  • Minor UX improvements in the admin field editor for quicker field reordering and clearer labels.

Why transparency matters

We believe in being open and honest about security incidents. Temporarily removing the plugin from distribution is unpleasant, but it prevents potentially exploitable code from reaching users. We appreciate the WordPress security team for the guidance and for prioritizing user safety.

What we’re doing to restore ranking and visibility

After the temporary removal, we noticed downgraded ranking on WordPress.org and in Google search results. That’s expected: when a plugin is removed or downtime happens, indexing and ranking signals can be affected. We’ve put together a plan to recover and improve our discoverability (see the checklist below).

How you can help

If the plugin has helped you, the fastest ways to help us regain visibility are:

  • Update to the latest plugin version and leave an honest review on the plugin page.
  • Share the plugin page or this blog post on social media or relevant communities.
  • Report any issue you find — security or otherwise — via our support channel so we can address it quickly.

If you have questions or want a private security audit for customizations, get in touch: https://jcodex.com/support/

Thank you for your continued trust. We’re committed to keeping the plugin secure and useful for your store.

Junaid Ali, CEO, JCodex Technologies
