17 May

WordPress Support Forum Moderator Jan Dembowski Gets in the Way of People Dealing With Hacks Due to WP Live Chat Support

On Wednesday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) they had discovered in the WordPress plugin WP Live Chat Support after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn’t be long until the public reports of it being exploited would crop up.

As of few hours ago a topic on the WordPress Support Forum started up with people discussing that they had been hacked and trying to understand what was going on. Like clockwork the moderators of the Support Forum started causing problems. Numerous replies have been deleted, many of them without any apparent reason, and then the topic was closed. One of the moderators we have frequently seen causing problems (and someone that we are not the only ones to believe they have serious issues, which should probably preclude them from being in that role), explained the closure this way:

I’ve closed this topic and have temporarily flagged the accounts that posted malware samples. Those and other replies have been archived.

Update the plugin and do not post malware samples again. That’s not for these forums and gets removed when found.

We don’t know what the issue with malware samples would be, beyond incorrectly setting off anti-virus software, but many of the replies deleted did not included that and it would have been easy enough to remove the malware samples without having to even delete those replies included them or close the topic. This isn’t the first time recently we have seen a moderator treat deleting replies not even at issue as being a matter of course.

By closing the topic no one can try to explain to that their actions there are out of line with a reasonable response and that people posting malware samples probably had no idea there was an issue with that (and there shouldn’t be). Expecting people to be aware of things they would not reasonable be aware of is common issue with those moderators.

On the WordPress side of things it seems like the situation with the hackings might be one where they should have forced out the update of the plugin, considering that it was completely foreseeable that this would be exploited, but that is exactly the kind of thing they seem to be unable to consider that their current handling of is providing a less than ideal result (we have tried bringing that up with them, without success). In the meantime keeping your plugins up to date at all times is likely going to provide you better security than any security service, though our service can provide you additional security when vulnerabilities are not updated in a timely manner.