07 May

WordPress Support Forum Moderators Really Don’t Understand What Disclosure of a Vulnerability Is

One of the strange issues we have seen for years when it comes to the moderators of the WordPress Support Forum is them not understanding at all what disclosing a vulnerability is. That has even occurred with the person that is in charge of the team running the Plugin Directory, who certainly should have understood what is and isn’t disclosure of a vulnerability since they deal with vulnerabilities on a regular basis. That continues to be a problem. The latest instance involved a review of a plugin we mentioned yesterday in the context of people failing to keep their plugins up to date, which would have prevented them from being hacked. One of the reviews we cited part of, reads in full:

This plugin left my company website vulnerable to an XSS attack on May 04, 2019 that caused visitors to be redirected to malicious spam websites. The issue was confirmed by multiple people, including WebARX Security. Excerpt from the WebARX writeup:

Unfortunately, the mentioned component doesn’t check if the user is logged in or have the privilege to update plugin settings. Another problem is that developers, once again rely on ‘admin_init’ event which fires on every page that is part of the admin interface. It won’t, however, check if the user is logged in or have administrative privileges.

The worst part, is that the developer completely ignored the issue when it was brought to their attention a month ago, and it took getting temporarily banned from the WordPress repository for them to finally fix it. Will be migrating my site off of this plugin, as I can’t trust a plugin developer that doesn’t take major security vulnerabilities seriously.

That has now been deleted, you can see the copy we archived here.

Through the same alert that notified us discussions of that plugin being exploited, we also got alerted of the message left when it was deleted. The reason that it was removed by one of the moderators of the forum, Andrew Nevins, doesn’t make sense:

@programmerchad, Please do not disclose vulnerabilities like this and instead follow our responsible disclosure guidelines here: https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

I have flagged your account temporarily and your posts will need to be reviewed by the moderation team before being made public.

Clearly that person wasn’t disclosing the vulnerability since it had already been disclosed by us and WebARX, and their review even was citing WebARX’s disclosure. Following the link there takes you to a page that isn’t relevant since the vulnerability was already fixed, as was mentioned in the review.

It isn’t like this is a one off issue with the moderator getting something really wrong, just last week we happened to run across another instance, so it seems likely this is a common issue.

These continued problems are part of the reason we started our protest in response to the moderators continued inappropriate behavior.