Earlier today, in a post providing the details of a vulnerability that has been fixed in the plugin Starbox, which is currently removed from the Plugin Directory, we noted there was confusion over the removal of the plugin. In a thread about the issue, “Why was StarBox removed from the WordPress repository?”, a member of the Plugin Directory team had responded to a question about why the plugin was removed with the following:
Yes, I do. It’s not a serious concern. Relax. 🙂
The questioner then responded:
I’m glad it’s not a security reason and so now I can re-enable the plugin.
The answer given didn’t say it wasn’t a security issue, and there is one. While it isn’t something likely to be exploited on the average website, as discussed in the details post, for some websites it could be considered a serious concern.
We then left a reply on the thread to see if the terrible moderation of the Support Forum that we discussed last week would strike when simply clearing up that confusion. Here is what we wrote:
He didn’t say it wasn’t a security issue, just that it was “not a serious concern”.
What is probably more accurate to say, based on what has been fixed in it since the plugin was removed, is that it is not a serious concern for the average website, but for high profile websites it could be of more concern.
Our comment was promptly deleted.
As we mentioned in the previous post, that type of deletion isn’t supposed to be happening. Here is the stock answer provided for moderators to respond with if they are asked to edit or delete something:
Generally speaking, posts are only edited or removed where to do otherwise might lead to serious consequences. Previous examples have included posts that accidentally incorporated proprietary code or where the poster asking has reason to fear for their online safety. Having a posted site url come up in Google is NOT a serious consequence. In each case, use your best judgement or ask for a second opinion. If the final decision is to leave the post “as is”, use something like:
When a post is made and people contribute answers to an issue, that then becomes part of the community resource for others to benefit from. Deleting posts removes this added value. Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern.
We could ask how our reply could be a security concern (or any of the other issues listed there), but the better issue to raise seems to be this: if there is so much concern about the security of the plugin that they would delete a reply simply correcting confusion over the issue, how can WordPress allow 10,000+ websites to remain vulnerable, as they are currently doing?
Not only did they delete our comment, but they also closed the topic:
Considering the plugin still hasn’t been restored to the Plugin Directory, this is still an open issue. The closing of the thread also seems problematic considering what the last reply before ours was, which was also deleted. As can be seen in the copy of the thread from before we posted, previously the final reply on the thread was a question:
So, what’s happening? Is it going to be back or what?
What possibly could be the legitimate purpose of removing that?
If you were going to delete anything from that thread, it seems the appropriate candidate would be the comment from the member of the Plugin Directory team (who is also a moderator on the forum and the “WordPress.org Admin”) claiming this was “not a serious concern” and to “relax”. Based on the actions taken in the thread, that would seem to be something people on the WordPress side of things don’t agree with; otherwise they wouldn’t be deleting replies and closing the topic.
Not only does this terrible moderation leave the public not knowing the true status of this particular plugin, but as long as it continues it is going to mean that we are not going to return to notifying the Plugin Directory of publicly disclosed vulnerabilities in the current version of plugins, which has already meant that vulnerable plugins with 100,000s of active installs are still in the Plugin Directory. If even knowing that a plugin has a security risk is cause for deleting multiple thread replies, that seems to indicate that all of those vulnerable plugin installs would be a much bigger issue. But it is one that WordPress is unwilling to properly address, either by fixing the forum moderation or by doing the work we have previously taken care of because of their unwillingness to make sure they did not include plugins known to be insecure.