When vulnerabilities in WordPress plugins get exploited, a lot of those impacted don’t have a good understanding of what is going on. One example we have seen frequently with recent instances of that is that people get confused into believing that the version that fixes the vulnerability instead contains malicious code, when what they are actually seeing is the result of their website already having been hacked. That seems in part because they don’t understand that the new version doesn’t undo what the hackers have already accomplished. The best approach for people in that situation would be to hire professionals like us to clean the website, since we can help to explain what is actually going on and make sure the issue has been fully resolved. The next best would be for people to discuss it on the support forum for the plugin, but as has happened with the plugin Simple 301 Redirects – Addon – Bulk Uploader, that runs into the problematic moderators of the WordPress Support Forum.
In a recent topic for the plugin someone asked a reasonable set of questions:
Can we get more information? What was the vulnerability? What did they have access to? Should db passwords be updated on all sites that were running this?
The response from a moderator, Andrew Nevins, was this:
No, you may not discuss vulnerabilities here.
That makes no sense. Not only do hackers already clearly know all the details, the way the hackers are exploiting this comes directly from the vulnerability discoverer’s public post on the vulnerability from Saturday. As the post we wrote detailing the vulnerability last Monday, before they fully disclosed it, shows, even without that public post it was possible to figure out how to exploit it in a more serious way than those hackers are doing.
The person that posted the questions followed up this way:
@anevins How are we supposed to know what information was at risk if we’re not told? Knowing this information is important so that we can contact our customers, explain the situation, explain what information was compromised, and take action to permanently resolve it for them.
The response from the moderator doesn’t really address that:
Your customers aren’t technical and do not need to know the fidelity of a vulnerability. You do. You can contact the author directly if you need to discuss that – but do not open those discussions here on WordPress.org.
Among other issues, it is really inefficient for the developer to provide the same information over and over to individuals, instead of just providing it publicly where people are already looking, especially when doing so doesn’t cause any harm, since it isn’t going to help any hackers. The original person we quoted said much the same thing:
OK. I find this to be a reckless practice – keeping important information away from the very people who NEED IT to take appropriate action to protect themselves.
I wasn’t asking for step by step instructions to replicate, just a description of what was compromised and what action should be taken to resolve. This is information that should be communicated to every single person who has ever used this plugin, WITHOUT needing to ask for it.
Someone else responded also explaining why this is problematic:
While I understand the reasons for the rule, I also think it’s problematic. I need to be able to tell my supervisors what happened, how it happened, and what was done to fix the problem. It’s a shame we can’t discuss these details here.
As the follow-up from the original person gets at, this is a negative for the usage of WordPress, which seems to be the main focus of the people in charge of WordPress these days:
Agreed. Lack of communication and accountability in the plugin space makes plugins essentially unusable for business applications.
We tend to stick to 3-4 we’ve trusted over the years for this reason – but it seems even those aren’t worth trusting. And when they fail, silence.
Worth noting is that with our service we are always available to provide our customers just the kind of information those individuals were looking for about vulnerabilities in the plugins they use. In this situation we had already warned our customers a week ago that there was a high likelihood of the vulnerability being exploited, before there even was a new version to update to.