Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin
As detailed in a more technical post, our proactive monitoring caught a serious vulnerability, of a type highly likely to be exploited, being introduced into a WordPress plugin this week. By the install count of the plugin, this wouldn’t be all that notable, as the plugin only has 200+ installs. But the plugin, Create Block Theme, comes directly from WordPress.
Several more things stand out with the situation.
First, the plugin provides no contact mechanism for getting in touch with its developers, to, say, report a vulnerability in it. The author link simply redirects to the homepage of the WordPress website.
The author of the most recent Subversion repository submissions for the plugin appears to not be a human, as it is listed as “”. One of the submissions prior to those has the log message “Remove references to Automattic and Blockbase”. The changes made in that include changing a link to a GitHub project from the account of Automattic to WordPress. Looking at the commits to that project, we found that the person who introduced the vulnerability is an employee of Automattic. Automattic is the for-profit company run by the head of WordPress, Matt Mullenweg. That company sells various security solutions, including the Jetpack security plugin and WPScan, which markets itself as:
Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.
Despite that claim, they have not detected this vulnerability, much less warned their customers about it.
It seems problematic that Automattic can release a plugin under the banner of WordPress without disclosing who it is actually coming from. Even more so when they are selling security solutions for a security problem they are helping to create. On top of that, two of the four members of the team that polices WordPress’ plugin directory work directly for Automattic’s head, Matt Mullenweg.
The most concerning element of this, though, is that the code is shockingly insecure for something coming from WordPress and Automattic. Multiple basic security measures are missing, any one of which would have restricted the ability to exploit this. You would think there would be some sort of security check before releasing updates for a plugin ostensibly coming directly from WordPress, but that seems highly unlikely to have occurred here.
Wow, so much ad hominem. All the bugs are introduced by some employees or human beings, for God’s sake. I am sure whoever wrote this piece works at some top-notch tech company like Google and is not a loser writer from Nigeria writing shite articles for $10 a pop.
You should look up what ad hominem means, because you don’t appear to know what it means, and it doesn’t relate to what we wrote. It does relate to what you wrote, though.
It wasn’t a bug; it is a very serious vulnerability, caused by multiple failures, by multiple parties.
Also, the casual racism against Nigerians isn’t okay. (We are based in Colorado and are a security company.)