As part of our new full disclosing vulnerabilities in WordPress plugins until the people on the WordPress side of things finally clean up the moderation of their Support Forum we disclosed a vulnerability in a plugin with 700,000+ active installs. We tried to notify the developer of the plugin through the Support Forum, but the moderators deleted that. If you are not familiar with their inappropriate behavior you would probably think they would have notified the developer instead, but they didn’t.

A thread was started less than two hours ago, where the developer was notified by someone not connected with the WordPress team of the issue:

Are you fixing this soon? just want to know if there is a deadline or something.

https://www.pluginvulnerabilities.com/2018/09/25/full-disclosure-of-vulnerability-in-wordpress-plugin-with-700000-active-installations/

Thank you in advance.

The developer responded within an hour:

Nobody contacted me regarding this vulnerability. Fixed version will be released in an hour.

Thank you.

It is incredible how terrible the people on the WordPress side things are, that they knew about this vulnerability and didn’t do that (while causing the situation in the first place with their previous behavior like that). It will be interesting to see if they feel the need to delete that thread as well (we archived it in case).