As we mentioned earlier this week, WordPress keeps making things worse when it comes to security, as they decided to compound other problems by removing our plugins from the Plugin Directory. Which means, for example, that people can’t get warned about unfixed vulnerable plugins that are being exploited as WordPress refuses to fix or warn people about those very vulnerabilities (which makes sense to them and as far as we can tell no one else). Why do this? Well it might be because they really can’t even grasp that people actually don’t agree with what they are doing in the forum (which isn’t just restricted to how they handle security related topics) and they have to create an alternate explanation that makes them feel better (we have seen that kind of behavior from them going back years, which we should probably discuss in a separate post). We say that based on this claim from the developer of one of the plugins we disclosed a vulnerability in, from the day after the plugins were removed:
Basically, we weren’t escaping/sanitizing some attributes and random security audit person trying to promote their blog and plugin decided to submit a report as they should. This led to the WordPress admins immediately taking the plugin down temporarily in case it was being exploited. They then notified us of this happening. This has made us thoroughly audit EVERY line of code in our plugin.
There are a so many issues with that despite only being a few sentences, but most importantly we didn’t change our disclosure to promote our blog or plugin. We clearly explained why we started doing the full disclosures and it has nothing to do with those things.
It doesn’t make sense that we would do this to promote our plugins since it isn’t like any of our plugins are all that relevant to what is going, as for example the companion plugin for this service only provides free data on vulnerabilities that look to be being exploited, so it would not be relevant to these full disclosures. If we had started including the data on the vulnerabilities we full disclosed then that would make sense, but we didn’t.
It also doesn’t make sense that we would be using this to promote our blog, since if we were trying to use the discovery of vulnerabilities to promote our blog, it would make a lot more sense to ask developers to link to our reports in their changelogs than to do what we are doing. We have gotten quite a bit of traffic, for example, from the link to our disclosure of a vulnerability in Shortcodes Ultimate in its changelog (which we didn’t ask for) and almost none from the disclosures we posted on the Support Forum (there wouldn’t be any if the moderators hadn’t counter-productively disabled our main account). It seems pretty clear that other vulnerability discoverers request mentions in the changelogs (as can be seen by them being edited to add credits after the fact), something we have never done. Yet somehow despite our lack of interest in self promotion, the idea that we are focused on that appears to be being used to ignore a real issue.
If the people on the WordPress side of things believe that this is about promoting a plugin or blog, they really need to step down from their positions and get some help, because that is nuts. In the meantime they are harming a lot of people by not only by removing our plugins or due them causing the full disclosures, but not just cleaning up their act as that has been harmful to the rest of the community for far too long and needs to change. Once they do that we can stop with the full disclosures, it really is that simple. If they don’t believe us, there is an easy way to test this out, stop acting inappropriately and see if we continued with the full disclosures. Considering that we spent years with a reasonable disclosure policy, it should be obvious what would happen, but it appears like that fact alone didn’t make that obvious in the first place.