What has long seem to us to be an obvious issue with the WordPress Plugin Directory is a lack of any mention of how to report security issues in plugins or a method to do that reporting, on the pages for plugins. For the people on the WordPress side of things that doesn’t seem to be obvious even though moderators repeatedly tell people reporting those through the forum that they shouldn’t be doing that (a lack of ability to conceive that what they are doing isn’t working seems endemic among the people on the WordPress team and has lead to serious issues, like websites being unnecessarily hacked). Interestingly after running across a vulnerable WordPress theme, Hueman, a couple of weeks ago we noticed that the Theme Directory actually has that sort of thing.
On the theme’s main page is button to “Report this theme” on right hand sidebar:
Clicking that brings up this page:
Two weeks after we reported this theme for having that security vulnerability, the theme is still available and a new version was released on the 25th, which still contains the vulnerability. So it appears that appropriate action has not been taken in response to that report, which is in line with the poor handling of the security of plugins in the Plugin Directory by the WordPress team, but all the same, it is disappointing.