26 Sep

WordPress Team Has Time to Disable Our Account, Not Time to Make Sure 700,000+ Websites Don’t Remain Vulnerable

So yesterday we did our first full disclosures of WordPress plugin vulnerabilities due to the continuing inappropriate handling of the moderation of the WordPress Support Forum. As part of that, we are only notifying the developers of those plugins of the full disclosures through the WordPress Support Forum. If the moderators delete those threads, the developer would not get notified (unless the moderators notify them, which they do not appear to have done in the past based on what we have seen), so deleting them would not be a good idea. Not surprisingly, considering their past behavior, that is exactly what they did. But they took it further by disabling our account as well:

That is just the sort of shortsighted thing they would do without bothering to think things through. With our existing account, they had set it so that all our messages were held for moderation, so they could have easily made sure these threads never became publicly visible. We were not going to try to get around that, since the point was only to make them see that their continued inappropriate behavior has a cost. But with that account disabled, we needed to start a new account, and the threads a new account starts are not held for moderation. So for the two vulnerabilities we disclosed today, the threads are currently visible.

What is more important is that the vulnerability in the plugin with 700,000+ active installs that we disclosed yesterday is still in the plugin today, and people can still install a plugin that WordPress knows isn't secure. That is also still the case with another vulnerability we recently discussed, which was disclosed on the Support Forum by someone else on Saturday and which they claimed (probably incorrectly) was already being exploited.

Update (9/27/18): Incredibly, the moderators didn't bother to notify the developer of the issue. Once the developer was notified, they quickly took action. It really speaks to the moderators' inability to act appropriately that they would choose to take action against us and then do nothing else.

We would ask the moderators to please re-enable our existing account, so that we can go back to using it and they don't have to play a game of cat and mouse with us on this. It would be better for them to just clean up their inappropriate behavior right away, since that is causing much more damage than letting our messages through, but that seems unlikely to happen anytime soon (though we can hope). Cleaning up their act would also be best because with the type of vulnerability we fully disclosed in two plugins today, which is likely to be exploited, things can be very different. Shortly before we started the full disclosure, our private notification of another vulnerability of that type led to it being fixed in less than 24 hours (and just days after it was introduced into the plugin).