27 Jul 2023

WordPress Security Providers Delaying Vulnerability Disclosures Doesn’t Stop Hackers From Figuring Them Out

This week we have been covering a mess that started with the developers of the Freemius library not properly handling a security issue we reported to them last year. Instead of addressing the issue at the time, they put out a post criticizing and lying about what had gone on. They wrote this about us warning about the vulnerabilities after they had released an incomplete fix (without giving us a chance to review the changes first):

Unlike last time, we didn’t even try to ask the reporter to remove the article as we’ve learned it’s a waste of time and our request can only backfire on us. Instead, we politely tried to understand the reasoning behind the unexpected disclosure to assess if/how we could avoid it in the future.

Here’s their justification:

We noticed the fixes right away once plugin developers started releasing updates. We are not the only ones that do that type of monitoring, so trying to cover up that you are making security fixes like this doesn’t work.

Obviously, we agree that once updates are released onto WordPress.org the code is publicly available. But, it’s very different from publicly handing out the ‘recipe’ of the security issues to potential attackers, and that’s the point we simply can’t agree on with the reporter.

The vulnerabilities that had been fixed were rather obvious if you look at the changes being made, something we had previously proved to Freemius three years before when they tried to cover up fixing a vulnerability already being exploited, but they just dug their heads further in the sand. They also were vulnerabilities that were highly unlikely to be exploited. Otherwise, they would almost certainly have been exploited before we warned Freemius about them.

Despite claiming that we were “publicly handing out the ‘recipe’ of the security issues”, we didn’t even provide proof of concepts for them.

The quote from us there was from a paragraph they quoted entirely except for the last sentence:

It also would put the discoverers at a disadvantage if they are not allowed to warn their customers, but others could in that situation.

The problem of delaying disclosure while competitors warn about the vulnerabilities ties into something that also happened recently.

Recently Patchstack took credit for finding the security issue in Freemius. Today, they took credit for the discovery of security vulnerabilities in the plugin Ninja Forms (the developer of the plugin didn’t credit them, but did credit others for security changes in recent changelog entries, so who knows what is going on there). In a Bleeping Computer story about that, this was written:

Publicly reporting the above flaws was delayed by over three weeks to prevent drawing the attention of hackers to the flaws while allowing Ninja Form users to patch. However, there’s still a significant number who haven’t at this time.

Patchstack’s coverage contains detailed technical information about the three flaws, so exploiting them should be trivial for knowledgeable threat actors.

On one of our websites, we saw hackers probing for usage of the plugin on July 13, 24, 25, and 26. It seems likely that hackers already knew about the serious vulnerability that they might be expected to exploit. Those relying on Patchstack’s data were left unaware of it for weeks, while hackers likely were not. We say the hackers likely already knew because we had figured out how the vulnerability could be exploited before July 13. If we could do that, it should be assumed that hackers could and likely did as well.

We warned our customers about the serious vulnerability that Patchstack mentioned on July 12 (we have now made that post publicly available). Part of the reason for figuring out how a vulnerability would be exploited is to make sure it has been fully fixed. What we found at the time was that the vulnerability had been incompletely fixed. Patchstack managed to miss that, which raises questions about whether they really were the discoverer or not.

We warned the developer of the incomplete fix before we warned our customers, but it still hasn’t been addressed.

Even before July 12, we were warning our customers that the plugin was known to be vulnerable, since the developer still hasn’t fixed a vulnerability we warned them about in June of last year. They recently told us they would be fixing that, but haven’t so far.
