Yesterday we noted how the security news outlet The Hacker News had seemingly made up a figure for the number of installs of the WordPress plugin Social Warfare that were still using an insecure version when running a story based on an unreliable source, so maybe we shouldn’t be surprised to see them running with inaccurate information again shortly after that (with the same author behind both stories).
This time it involves an arbitrary file upload vulnerability in WooCommerce Checkout Manager that we warned about on Tuesday, after it was caught by our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities. Despite hackers probing for usage of the plugin since Wednesday, WordPress took no action until within the last hour. That probably isn’t surprising, since one of the six people running the Plugin Directory (who is also in charge of the moderation of the WordPress Support Forum) has stated that leaving plugins they know contain unfixed, publicly disclosed vulnerabilities in the directory is “appropriate action”. You might think a story on that situation would bring up some of that, but The Hacker News story about the vulnerability is oddly silent on it.
Instead it contains strange, false claims. For example there is this claim:
Since at least past two years the team behind Plugin Vulnerabilities has deliberately been releasing details of newly discovered vulnerabilities directly on the WordPress Support forum, instead of reporting them to the respective plugin authors directly, violating the forum’s rules.
We have never done that, and why would we be posting something like that on a forum instead of directly on our website? It just doesn’t make sense.
In September we did change from a reasonable disclosure policy to a full disclosure policy as a protest of the continued inappropriate behavior of the moderators of the Support Forum. Before that we actually did contact developers directly, so the two-year element of that claim makes no sense, and even after that change we published our reports on vulnerabilities directly on our website.
The story also claims that:
In response to this inappropriate behavior, the WordPress.org moderators eventually blacklisted Plugin Vulnerabilities from their official forum after multiple warnings and banning all their accounts.
However, this did not stop Plugin Vulnerabilities, who since then started disclosing details of new, unpatched WordPress plugin vulnerabilities on their own website, putting the whole ecosystem, websites and their users at risk.
They are mixing up cause and effect. What they claim we did after we were banned is what led to us being banned, since the moderators didn’t appreciate our protest of their inappropriate behavior. And again, we have always disclosed the vulnerabilities we discover on our website; why would we be doing otherwise?