17 Oct

Making Sense of WordPress’ Inability To Be Consistent When it Comes To Warning About Insecure Plugins

Last week we discussed the hiding of pertinent information when WordPress plugins are closed on the Plugin Directory for “security issues” in relation to a plugin named Testimonial Slider. Since that post the support topic that first drew us to that has gotten a response from one of the six member of the team running the Plugin Directory (that person it turns out is also in control of the moderation of the Support Forum):

Does it matter? It is insecure, and not being updated any longer.

Don’t use it. Remove it and find a new plugin.

The person who initially asked for information responded thusly:

Hi Otto,

“Insecure” covers a multitude of possibilities, ranging from the very hard to trigger and very limited in impact when triggered, up to the easy to trigger and disastrous in impact. Time is a limited resource, and people like to prioritise their time based on the most pressing problems. Having no information upon whether a problem is pressing or not is very unhelpful to the operators of the 10,000+ active sites that this is on, who, in the absence of any information, are forced to assume the worst.

I’m also a plugin developer, not a simple end-user. If a problem is an easy one-line fix, then it’s easier for me to make the fix than to research migration paths and move to a different plugin. Again, not having that information is frustrating and leads to unnecessary duplication of work.

In the case of this particular plugin, I’ve audited the code. Users are susceptible to targeted persistent XSS attacks. Googling shows that others have also done so and come to the same conclusion.


Which seems reasonable, especially considering the reason it was removed was actually publicly disclosed back in June. It also worth noting that in the real world moving to another plugin after one is removed can actually make websites less secure.

What makes that response from the member of the Plugin Directory team seem so odd is that at the same time they are saying that you shouldn’t use it and should remove it, if you had the plugin installed on a website while it was removed you were not given that type of warning in WordPress or any indication that it has been closed. That isn’t because it has never occurred to anyone that should be done, we have been trying to get WordPress to do that for years, but they have claimed that warning people about unfixed vulnerabilities is a bad idea. When people once tried to discuss that issue that discussion was shutdown by one of the moderators as “non-productive”.

Making the whole situation even odder just yesterday we discussed another one of the moderators blocking any discussion of why another plugin was closed.

We can’t make sense of what is going on with the moderators when it comes to this sort of thing and  seems maybe they can’t either. By shutting down the possibility of conversations it doesn’t really have a change to be resolved either. That is exactly the kind of problem that lead us to full disclosing vulnerabilities in protest until WordPress gets that type of inappropriate behavior by the moderators cleaned up.

The situation with Testimonial Slider though gives another reason why you should be able to discuss this type of situation, as explained by the latest comment in that topic:

I’m marking my own thread as closed now, since I took over maintainership of the plugin and cleaned it up so that it now has no known vulnerabilities. (Users were exposed to various things of this sort: http://vinnievanhoecke.be/blog/1530144000 ).


The plugin is now available again, which would be the community working in a positive way, something the moderators seems to be opposed to far too often.

Others Are Seeing the Problems

Looking at what that moderator recently has been up to is a good reminder that we are not alone is seeing problem with how things are being handled with the Support Forum. Here is a recent topic where a plugin developer was pointing out problems with how things are being handled by the moderators.

One of plugin developer’s points is something we have brought up before and never gotten a response to:

Secondly, when someone disagrees with you, please do not point the user to contact them via private channels. On one hand you want everything to be public, but on the other, you want to keep disagreements with the moderators on the hush hush. @clorith said “We have no manner of direct communication on the forums, and rightfully so.” yet @jdembowski tells me “If you or anyone have any complaints about any moderator reacting to your behavior then please feel free to escalate to otto[at]wordpress.org as he moderates the moderators.

Another frequent issue was brought up:

Thirdly, do not lock topics in order to get in the last word. @clorith could have easily contacted me directly, or opened a separate topic to resolve our disagreements. There was no reason for him to lock the topic where the original poster is now unable to get any support.

Just locking topics though is not the worst of it as we have seen plenty of situations where moderators will delete topics or even stealth edit things written by others, that includes situation where the moderator that did that seem to have been a participant in the conversation before taking action as a moderator, which seems like it would usually be quite inappropriate.

If you want to see the general incoherent view of things by the person that is supposed to be in charge of the moderators you have the strange dichotomy where they had this response to the plugin developer having simply stated “At this point I’m not sure I can do much until someone gives me temporary access to their site, so I can test the problem for myself.”:

The mod had every right and reason to ban your account and kick you off the forums. He didn’t, he gave you a warning.

That is what he said is supposed to be acceptable for handling an issue with the developer of plugin on the forum dedicated for their plugin on wordpress.org, but it gets worse as he also wrote this:

If you feel “shamed” then maybe you should take that as a sign that you need better contact mechanisms. There is nothing wrong with putting an email address in your plugin and asking people to email you for help.

We would love hear the pretzel logic where somehow what the person said is wrong, but it is okay to point people to their email address where someone could get information they don’t really need and do it without anyone else being able  to see something inappropriate is going on.

That also clashes entirely with what the moderator that the plugin developer originally dealt with had said to them, which would apply equally if someone ask for the information on the forum or through email:

Now for the why: The internet is a wonderful place full of very nice people and a few very bad ones. I’m sure everyone here is very nice however, by giving some ones keys to your house you are trusting they wont steal anything. Likewise the person who takes the keys is now responsible for the house FOREVER.

If something was to go wrong, then you the author may well legally become liable for damages, which they would not normally have been as their software is provided without warranty.

It doesn’t make sense that providing someone your keys makes them “responsible for the house FOREVER”, but that moderator, Jan Dembowski, frequently doesn’t make a lot of sense (which seems like a good reason they shouldn’t be a moderator).

If you want some more of the logic of the moderator in charge of the other moderators, take this:

The moderators exist to only to make the community a better place. They don’t have any evil in their hearts. I do, but then I made most of them moderators because they don’t. See, I’d be much worse at that job.

Somehow that person doesn’t see that maybe they shouldn’t be involved in something they admit they can’t handle. They also are in fact a moderator, which makes the whole thing make even less sense.

It is worth noting that the moderators themselves break the rules of the forum repeatedly and yet if you bring that up, that gets deleted, instead of something being done about their breaking of the rules. That doesn’t come across as trying to make the community a better place, but doing the opposite.

Having that person selecting the moderators also makes having them supposed to be in charge of handling problems with the moderators even worse than just themselves being a moderator as well, as they are less likely to take actions against the moderators since that would look poorly on them as they made them moderators in the first place.

Leave a Reply

Your email address will not be published. Required fields are marked *