One of the really unfortunate things about the security issues related to WordPress plugins is how often people on the WordPress side of things are actually actively making things worse. Just yesterday we ran into another example, which at best shows they are engaging in misguided behavior and are unable to work effectively with others who are actually trying to improve security.
On Saturday a thread was started on the WordPress Support Forum with a claim that a vulnerability in the plugin WooCommerce Product Addons (N-Media WooCommerce PPOM) was being exploited:
I work at a hosting provider. This morning we had two sites hacked using the 14.0 version of this plugin. It appears they are taking advantage of a known XSS vulnerability in an older version of Plupload that your plugin is still using. See the CVE https://www.cvedetails.com/cve/CVE-2016-4566/
Until this is fixed, I would recommend uninstalling and deleting this plugin.
The developer then indicated that the vulnerability had been fixed. It hadn’t.
Yesterday we responded with this message:
Unless these were targeted attacks it would seem unlikely that vulnerability was the source of the hackings, but in any case the vulnerability still currently exists in the plugin as the issue is with the version of the file /js/plupload-2.1.2/js/Moxie.swf and the change made to the plugin didn’t impact that. You either need to remove the file or update it.
@pluginvulnerabilities and @nmedia, because this topic may be discussing an active vulnerability, I’m making it non-public.
Pluginvuln, please follow responsible reporting practices. You know better than to do such things publicly.
That was completely counterproductive. The problem here is that there is a vulnerability that needs to be fixed, not that it is being discussed. So the moderator’s action did nothing to fix this vulnerability and actually stopped other people from trying to work towards that.
The criticism against us is particularly ridiculous because the vulnerability had already been publicly disclosed as being in the plugin for two days before we got involved. So we were not reporting a vulnerability, just explaining that it wasn’t fixed. While it seems unlikely it would be exploited in general, if it was, then hackers already know about it, and again what is important is getting it fixed. Also, the moderators continue to not understand that deleting something from the Support Forum doesn’t make it disappear: the thread was already publicly archived and we had already put out a vulnerability details post discussing it.
We should also note that we actually take a reasonable disclosure approach, so if we had discovered this vulnerability we would have contacted the developer privately. As always, the moderators just assume things instead of thinking through whether they might not understand what is going on and being willing to raise concerns in a constructive fashion.
It has now been a day and, not surprisingly, nothing has happened since the moderator shut down the attempt to fix this, and they didn’t make any attempt to actually work to get this fixed in another way.
This isn’t a one-off issue. About three weeks ago we tried to let the developer of a plugin know that they had not actually removed unnecessary security code from their plugin, but necessary code, as they had mentioned in a thread on the Support Forum. But the same moderator deleted that as well. Three weeks later the vulnerability still exists in the plugin, because again the moderator didn’t actually care about getting the vulnerability fixed, just about covering things up.
If the moderator was willing to have a discussion we could have explained that what they are doing is counterproductive, but the moderators of the Support Forum have shown no willingness to do that. Due to that we are making a change, which we will be announcing later today, to how we handle disclosing vulnerabilities, as it is clear that our more limited protest to get them to start acting appropriately hasn’t worked.
In the meantime, the moderators’ continued interest in not fixing security vulnerabilities, but in trying to cover them up, is a great reason to use our service, since we had been warning about both of these vulnerabilities before we even tried, unsuccessfully, to use the forum to help get them fixed.
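A defender-side check for the situation in the forum message above (a plugin "fix" that leaves the bundled /js/plupload-2.1.2/js/Moxie.swf in place), added here as an example and not code from the post or from the plugin: it walks a plugins directory, reports every Moxie.swf it finds, and treats any copy whose path does not show a Plupload version of 2.1.9 or later (the release that fixed CVE-2016-4566) as still needing removal or update. The plugin slugs in the sample tree are constructed placeholders, not real plugin names.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Plupload 2.1.9 fixed the Moxie.swf XSS tracked as CVE-2016-4566; older
# bundles (such as the plupload-2.1.2 copy named in the post) still carry it.
FIXED_VERSION = (2, 1, 9)
VERSION_RE = re.compile(r"plupload-(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

def plupload_version(path: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from a 'plupload-X.Y.Z' path component."""
    match = VERSION_RE.search(path)
    return tuple(int(n) for n in match.groups()) if match else None

def find_moxie_swf(plugins_dir: str) -> List[Tuple[str, str]]:
    """Walk a wp-content/plugins tree and give every Moxie.swf a verdict.

    A copy whose path shows a version at or above 2.1.9 is 'patched'; anything
    older, or with no recognisable version, is 'vulnerable' (fail closed)."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower() != "moxie.swf":
                continue
            full = os.path.join(root, name)
            version = plupload_version(full)
            verdict = "patched" if version and version >= FIXED_VERSION else "vulnerable"
            findings.append((os.path.relpath(full, plugins_dir), verdict))
    return sorted(findings)

def build_constructed_plugins(base: str) -> None:
    """Create a constructed plugins tree; slugs are placeholders, not real plugins."""
    for rel in (
        "affected-plugin-example/js/plupload-2.1.2/js/Moxie.swf",   # the case in the post
        "other-plugin-example/assets/plupload-2.1.9/js/Moxie.swf",  # properly updated bundle
        "legacy-uploader-example/Moxie.swf",                         # no version in the path
        "clean-plugin-example/js/app.js",                            # nothing to flag
    ):
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()

def demo() -> List[Tuple[str, str]]:
    """Scan the constructed tree and return (relative path, verdict) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_plugins(tmp)
        return find_moxie_swf(tmp)
```

Point find_moxie_swf at a real wp-content/plugins directory to check whether a plugin update actually removed or replaced the file rather than only changing code around it.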