22 Apr

WordPress Believes That Leaving Millions Of Installs of Plugins Vulnerable To Publicly Known Vulnerabilities Is “Appropriate Action”

If you want to better understand what is amiss with the moderators of the WordPress Support Forum, looking at their response to our protest seems instructive. Their inappropriate behavior is what led us to start fully disclosing vulnerabilities in plugins and to notify the developer of each plugin about the disclosure only through the forum until the moderation is cleaned up.

Back in December we were contacted by one of the moderators on Twitter, and they started the conversation with:

Much of that doesn’t make sense and seems to come from someone who has totally ignored why we are doing this, even though each of the posts letting the developer of the plugin know about the disclosure, which the moderators then remove, explains it. The moderators don’t seem to pay much attention to what anyone else is actually saying to them, which leads to odd attempts at conversation. Part of that, though, doesn’t involve us, and what they are saying indicates something is going very wrong:

We remove your post and notify the plugins team. The plugins team acts on your report.

Somewhere in that process something is amiss as we explained in a response:

You might think that would lead that person to look into the situation, figure out what is going wrong and try to fix it (or to realize that getting the moderation cleaned up would actually be a good idea, since that would stop the full disclosures), but instead they just ignored it:

Even today the plugin referenced there is still in the Plugin Directory and still contains the vulnerability. How does that happen?

Just days ago we had an interaction with another one of the moderators, Samuel “Otto” Wood. He is not only a moderator but also in charge of them (he apparently chooses most of the moderators and is also the person you are supposed to go to if you have a problem with the moderators). In addition, he is one of the six members of the team running the Plugin Directory, so you would think that he would know what is going on with both the moderation of those posts and what the Plugin Directory team is doing in response to them. But in regard to our messages letting the developers of plugins know that we have fully disclosed vulnerabilities, he wrote this:

That attempt is instantly blocked, and the moderators forward it to the plugins team, where we take appropriate action.

We then responded to that:

Except that you are often not doing that, considering that there are currently plugins with millions of installs that have not been removed from the Plugin Directory and haven’t been fixed despite you knowing they contain vulnerabilities because of our messages. That includes one that we specifically mentioned to a moderator back in December was already in all likelihood being exploited when he also made the claim you are now making about taking appropriate action. With another plugin with 400,000+ installs, where we have seen hackers probing for usage of it, it has now been over two weeks without the vulnerability being fixed or the plugin being removed.

To be specific, there are as of today 125 plugins with at least 2.2+ million active installations which, despite having unfixed vulnerabilities we fully disclosed, still remain in the Plugin Directory. We don’t know how you could think that appropriate action has taken place when that is the case.

His follow-up response to that doesn’t even address what we brought up:

the fact that you don’t understand what “appropriate action” is, well, that is kind of the whole problem here. Maybe try listening to what literally everybody else is telling you, instead of trying to attack us yet again.

It seems he is referring to our protest there (and apparently not listening to anyone who actually agrees with us, while claiming we are the ones not listening), ignoring what we actually said about the problem with those plugins remaining vulnerable and remaining in the Plugin Directory. That seems to be a constant issue with that guy, and it makes trying to have a conversation with him, much less work with him to fix problems, impossible. Seeing someone pointing out a problem as an attack also seems like an issue.

In the same message that happens again as he wrote this:

Also, why do you continue to use the phrase “clean up the moderation”? That phrase has no meaning. Nothing is going to happen with the moderation. The moderators have moderated correctly, by blocking your posts. Repeatedly. For many months. They’re doing their jobs. You’re the problem, not them.

As we mentioned before, he somehow keeps thinking that our protest is in response to the moderators’ response to our protest, which continues to not be based in reality or make a shred of sense. We keep trying to explain to him that this isn’t right, but he just constantly barrels ahead saying something that isn’t true.

Is there no one above this guy in the chain of command of WordPress who can see that there is something very wrong with him (just his belief in “magic wizards” should raise some serious red flags) and can take appropriate action with him so that appropriate action can be taken with the other issues he is helping to cause?