20 Mar

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum that has led to us full disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, who we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it comes to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:


From which oldest version of EasySMTP the 0-day vulnerability is affected that is no patched with

Also I really hate that there is no dates on released version of EasySMTP, as we had worked with bunch of companies in 2016 when we used EasySMTP for them.

The response from Jan starts:

I’ve removed the tag “0-day” as that term is mistakenly used too often.

While the term is often misused (and probably more accurately abused) by companies like the one behind the Wordfence Security plugin, this is an instance where it would seem to be accurate, as the discoverer of the vulnerability, NinTechNet, wrote this about it:

The vulnerability, found in version v1.3.9, has been exploited by hackers since at least March 15, and was caught by our Web Application Firewall for WordPress, NinjaFirewall (WP Edition).

The vulnerability was fixed on March 17.

A zero-day vulnerability is one that is being exploited before the developer knows about it, so unless the developer knew about it before March 15, this was a zero-day.

What Jan gets very wrong is this though:

No one is going to dive into the old code and confirm or test.

That is exactly what we do with every vulnerability we add to our data set (it isn’t like this person isn’t aware of us, but they don’t seem to pay much attention from what we have seen).

In this case though you don’t have to do much diving as the changelog for the version this was fixed in is:

Fixed potential vulnerability in import\export settings.

One of the changelog entries for the previous version is:

Added Export\Import settings functionality.

If you actually dive into the code you will find the same thing: this vulnerability was added in version 1.3.9 of the plugin.

The previous version was released on March 3, so it took hackers less than two weeks to find and exploit it.

There is another related vulnerability that existed in previous versions of the plugin though, so another of Jan’s recommendations would seem like a good idea:

if you or anyone is using a version less than then assume you are vulnerable

But there is a problem with that as well, as the current version of the plugin is also publicly known to be vulnerable, which one of the moderators of the Support Forum decided to hide from the developer when we tried to notify them of it as part of our full disclosure of it.

2 thoughts on “WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable”

  1. I’d have to completely agree. Jan Dembowski recently has bullied WordPress.org account holders, locked user accounts for no reason other than him disagreeing with a review posted. This idiot has gone way overboard and should be removed from WordPress.org .. He has some serious mental issues going on by the way he is moderating the support forums.

  2. Jan Dembowski has been rude to me as well. Letting snarky comments from other members fly but locking my account and sending me a very passive aggressive and rude follow up. WordPress support has never been great, but it used to be at least somewhat friendly. I’m amazed that someone with such an obvious attitude problem has managed to get herself into such a position in as big a project as WordPress.

    it’s sad that once they got big they’ve become such an inhospitable and rude place. 🙁
