Back in June we suspended notifying the WordPress Plugin Directory of publicly disclosed vulnerabilities in the current versions of plugins until WordPress put forward concrete plans to fix two of the many issues that there currently are with their handling of security related issues. That has meant there are currently plugins with 100,000s of active installs that are currently in the Plugin Directory that have disclosed in the most recent versions, as no one else has taken up doing that (no one appears to have been doing that before we had done it either).

One of the issues we said needed a concrete plan on fixing it was the moderation of the Support Forum, as not only has the current poor handling directly gotten in the way of fixing vulnerabilities,  but we have found that it has dissuaded those knowledgeable on security from participating. That leads to inaccurate security information going uncorrected, for example a couple of days ago someone posted threads for two plugins titled “WARNING: Exploit found in this plugin!”. For one of them the vulnerability was fixed two years ago. For the other plugin the vulnerability has never existed in that particular plugin, it existed in a precursor plugin (though it turns out that a similar vulnerability exists in that newer plugin, which we have now reported to the developer). We could easily have provided that information but considering how often stuff we have written gets edited or deleted even when people are thanking us for the information (in that case the thank you comment was also deleted), it isn’t something we would normally do anymore, which is a loss for the WordPress community.

That editing and deletion isn’t supposed to be happening, here is the stock answer provided for moderators to respond with if they are asked to edit or delete something:

Generally speaking, posts are only edited or removed where to do otherwise might lead to serious consequences. Previous examples have included posts that accidentally incorporated proprietary code or where the poster asking has reason to fear for their online safety. Having a posted site url come up in Google in NOT a serious consequence. In each case, use your best judgement or ask for a second opinion. If the final decision to to leave the post “as is”, use something like:

When a post is made and people contribute answers to an issue, that then becomes part of the community resource for others to benefit from. Deleting posts removes this added value. Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern.

Clearly thanking someone doesn’t match those supposed reasons and removing useful information that lead to us being thanked is as that says, removing added value.

What was the breaking point for us that lead to us suspending our reporting to the Plugin Directory was a situation where a moderator falsely claimed we had disclosed a vulnerability on the Support Forum and deleted what we had actually said, which would have allowed others to see that their claim wasn’t true, shortly after we had left the reply. But in those previously mentioned threads about an exploit someone really was disclosing vulnerabilities and their comments are still up.

The other day we did respond to something because it directly referred to us and it was the promptly deleted as well. In a thread related to Postman SMTP and why it was removed, which seems to be because of a vulnerability we discovered and disclosed, we were referred to and it contained quite a bit of inaccurate information.

What we found particularly troubling concerning us was this:

If I am feeling indignant, it is because that if the author was apparently able to be reached, as claimed by one of the respondents in the post written by the people who demonstrated the “proof of concept”, then why did the authors of the post not manage to do the same, and then follow the correct procedures by working with WordPress Core and the Author to release a patch before announcing it in public and disseminating widespread alarm.

We disclosed the vulnerability in June and there was not “widespread alarm” at the time. If anyone is causing that type of alarm with this type of vulnerability it would be better to look at another company mentioned in the thread, Wordfence, which just a couple of months incorrectly claimed that another vulnerability of the same type “will be exploited by attackers”.

We had in fact tried to contact the developer and were not able to get in touch with them, even after people were able to get in touch with them it hasn’t lead to the vulnerability being fixed (which isn’t uprising as the plugin doesn’t appear to have been maintained for some time).

We also explained in our reply why we had suspended working with the Plugin Directory team and what that has meant for the security of WordPress. That seems like important information, but the moderators of the WordPress Support Forum don’t appear to have  wanted you to be able to see that.

Our reply didn’t have anything that could be classified as representing “a valid legal, security, or safety concern”, unless a security concern is knowing that WordPress is not handling security well.

What seems more problematic with that, is that the comment directly before ours in that thread, which simply said something along the lines of “hear, hear”, was also removed. That clearly isn’t a violation of the criteria they lay out for why something should be removed.

Another issue in this thread was that there was a claim that Wordfence had answered why the Postman SMTP plugin was removed from the Plugin Directory, when in fact they just speculating like everyone else. The other item we said needs a concrete plan for fixing before we started notifying the Plugin Directory again is in fact making it so that people would actually know why plugins are removed.

We don’t what is more troubling here, that a moderator upon seeing that the poor moderation if leading to websites being less secure thinks the correct response is to continue with the poor moderation or that the moderators appear to be delete all sorts of stuff (like the other comments that got deleted beside in two of those instances) while claiming they are very circumspect in what they would delete.