Yesterday we noted how a moderator of the WordPress Support Forum was getting in the way of people looking for help dealing with the exploitation of a fixed vulnerability in the plugin Simple 301 Redirects – Addon – Bulk Uploader. Today, when we went back to the topic that was the source of that post, we found that many of the replies on that topic, including almost all of the ones we had quoted, had been removed. In total, only 3 of the previous 11 replies remained. Some of those removed pointed out how what the moderator was doing was bad for the WordPress community. The moderator's replies were also removed. You can see the replies as they were at the time of the previous post here and what is there at this moment here. That is in line with the kind of inappropriate behavior by those moderators we have seen for years, which led to us starting a protest against it nearly a year ago.
You can get a better understanding of the mess that is moderation, and the related poor handling of the Plugin Directory, from the message left earlier today by a moderator, Ipstenu (Mika Epstein), who also leads the six-person team running the Plugin Directory (with our commentary inserted):
I’ve un-archived a number of posts.
If they actually unarchived posts then there must have been almost nothing left before that, since, as we just mentioned, only 3 replies are there now.
It’s OKAY to ask for details on this situation. I understand why the forum team cleaned the posts up, but this is a case where it’s actually appropriate.
What was deleted is what this person is claiming is okay, and it is still deleted, which calls into question their honesty. Part of the problem here, and in general with the moderation, is that there is no indication given that something has been removed or who did it, so you can't see the full scope of their inexplicable censorship.
Details on what this hack was and its impact have been published at https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/
If someone else posted something like that, the moderators would throw a fit (that unfortunately isn't an exaggeration).
The Plugin Review Team RECOMMENDS but does not require developers to fully disclose the details on hacks and their fixes, in order to promote transparency with regards to open source development.
That is contrary to how the moderators of the Support Forum handle things, and the person who is basically in charge of them is also one of the six-member team running the Plugin Directory, which makes that claim ring hollow.
That said, we also REQUEST that if you find a NEW vulnerability that isn’t patched, you contact the plugin dev PRIVATELY (not disclosing the hack in public) and send them details. If they don’t reply, or you can’t figure out how to do that, email firstname.lastname@example.org and we can help 🙂
This person once got in the way of us trying to privately work with a developer to get a vulnerability that was likely already being exploited fixed, leading to it being disclosed before it was fixed and to wider exploitation.
Responsible disclosure is nuanced and complex, we know. The intent here is very clearly people wanting to know what the hack was, how to know if they were impacted, and how to clean it up.
Once a vulnerability is being exploited it has already been disclosed, so responsible disclosure isn't even possible, and it isn't relevant to situations where people are discussing being exploited, even if the vulnerability hasn't been fixed. This vulnerability had in fact already been fixed before the discussion started, and the "responsible" disclosure led to the exploitation.
Which yes, the developer SHOULD be able to tell you.
If they should be, then this person should do something about the moderation or leave the team, because otherwise this also seems to be a dishonest claim.
My apologies to everyone who had their replies moderated. We were a little overzealous, since we've had a run of people disclosing vulnerabilities in public without giving the developer a chance to fix it first.
The behavior is exactly in line with what we have seen for as long as we have been dealing with security issues in plugins, so it has nothing to do with anything that occurred recently.