29 Oct 2024

For Some Reason Automattic Emailed WP Engine’s CEO About Security “Vulnerability” in Advanced Custom Fields

As part of the whole situation with Matt Mullenweg and WP Engine, there has been a recurring issue: his odd and sometimes possibly illegal interactions with the CEO of WP Engine, Heather Brunner. There was the incident documented in WP Engine’s lawsuit where he sent her a text offering her a job and threatening to tell the press about claimed interactions they had previously had if she didn’t accept the job. In a follow-up legal filing, there was this odd statement, ‘Recently, Automattic began sending purported security alerts about WPE’s “ACF” plugin to WPE’s CEO, in another act of harassment.’ Why would Automattic send the CEO of a company security alerts? That is not something we have ever heard of happening and it isn’t something we have ever done in reporting security issues over the years, including to Automattic. In a related declaration from WP Engine’s CEO, she says the same:

One of those attacks occurred on October 4, 2024, when Automattic sent WPE a security alert about ACF, a plugin that WPE develops and contributes for use by the open source community. A true and correct copy of this email is attached as Exhibit H. Both Mr. Mullenweg and myself were cc’d on the email, which is without precedent. As the CEO, I never get copied on such routine security patch emails for minor security issues.

A copy of the email was also provided in the legal filings. Beyond cc’ing the CEO of WP Engine, other things in that email stand out to us.

One is that this isn’t really a vulnerability for WordPress. Automattic writes this:

The vulnerability allows administrators to run arbitrary PHP functions, which we consider to be a medium level of risk due to it being exploitable in multisite configurations.

Users with the Administrator role on a normal WordPress website are allowed to run arbitrary PHP functions (they can install plugins and edit plugin files), so that wouldn’t be a vulnerability. It could be a vulnerability with WordPress multisite, where a site’s Administrators are not allowed to install plugins or edit plugin files and only Super Admins can, but they don’t mention actually having tested it in that environment, nor do they clearly state that it isn’t otherwise an issue.
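To make concrete why the single-site versus multisite distinction matters, here is an added example of how a WordPress plugin can gate a feature that invokes a caller-supplied PHP callback. This is illustrative code written for this post; it is not ACF’s code and is not taken from Automattic’s report. The function names, the constant name, and the allowlist contents are made up for the example; the WordPress functions it calls (`current_user_can()`, `WP_Error`, `call_user_func_array()`) are real.

```php
<?php
/**
 * Added example: gating a plugin feature that runs a caller-supplied PHP
 * callback. Names prefixed "example_" are hypothetical.
 */

// Weak gate. 'manage_options' is held by the Administrator role on every
// site, including each individual site inside a multisite network. There
// a site Administrator is NOT allowed to install plugins or edit plugin
// files, so letting them reach arbitrary PHP through this path grants more
// than WordPress itself gives that user. On a single site it changes
// nothing, which is the point the post makes about the report's severity.
function example_run_callback_weak( string $callback, array $args = array() ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error( 'forbidden', 'Insufficient permissions.' );
	}
	return call_user_func_array( $callback, $args ); // any function name accepted
}

// Hardened gate. 'edit_plugins' is a capability WordPress already reserves
// for users permitted to change executing code: map_meta_cap() denies it to
// everyone when DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS is defined, and to
// all but Super Admins on multisite. Checking it inherits the site owner's
// existing code-execution policy instead of inventing a new one.
// Independently, only callbacks on a fixed allowlist are invoked, so the
// feature never becomes "run any PHP function" regardless of who calls it.
const EXAMPLE_ALLOWED_CALLBACKS = array(
	'strtoupper',
	'sanitize_title',
	'wp_strip_all_tags',
);

function example_run_callback_hardened( string $callback, array $args = array() ) {
	if ( ! current_user_can( 'edit_plugins' ) ) {
		return new WP_Error( 'forbidden', 'Insufficient permissions.' );
	}
	if ( ! in_array( $callback, EXAMPLE_ALLOWED_CALLBACKS, true ) ) {
		return new WP_Error( 'bad_callback', 'Callback is not on the allowlist.' );
	}
	return call_user_func_array( $callback, $args );
}
```

The two checks behave identically for a single-site Administrator, which is why a report that does not state whether the issue was tested under multisite leaves the actual risk unclear. The allowlist is the part that matters even for Super Admins: a feature documented as calling a handful of formatting functions should not be able to call anything else.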

The email also had this section about disclosure:

We kindly request your acknowledgment of the identified vulnerability as outlined in our Responsible Vulnerability Disclosure process available at https://wpscan.com/vulnerability-disclosure-policy. Please note the disclosure policy has a 30 day timeline before public disclosure. Please also share an estimated timeline for when the fix might be deployed. If we don’t receive a response from you within the next 5 business days, we may need to reach out to the Marketplace where your extension is published for further assistance in fixing the issues we have found. Please let us know if you have any questions or if you would like us to verify the fix before releasing a new version.

There is weird wording about an extension and a Marketplace. That seems to be referring to the WordPress Plugin Directory, which we have never heard referred to as a “Marketplace.” Also, for some reason they are citing the disclosure policy of WPScan, an Automattic subsidiary that is a repository for data about vulnerabilities (not an accurate one).

The day after that message was sent, Automattic sent out a tweet, now deleted, mentioning the vulnerability:

Automattic’s security team has responsibly disclosed a vulnerability in @wp_acf to @wpengine. As is standard, they have 30 days to issue a fix before public disclosure. We have reserved this CVE for the issue: https://www.cve.org/CVERecord?id=CVE-2024-9529

That isn’t how responsible disclosure works. Publicly announcing that an unfixed vulnerability exists in a named plugin, during the very period the developer has been given to fix it, defeats the purpose of giving them that period.

The same day, someone who has been on the WordPress Security Team, and may currently be its lead, wrote this:

Automattic has responsibly disclosed a vulnerability in ACF but breached the @Intigriti Code of Conduct by irresponsibly announcing it publicly. I am going to work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.

The reference to the Intigriti Code of Conduct appears to refer to a third-party bug bounty program that WP Engine points people to for reporting security issues, but that program was not involved here. Instead, the violation was of Automattic’s own policy.

It is also worth noting that Automattic wanted public credit for this:

When you release a fix for this security issue, please credit the “Automattic Security Team” for finding and disclosing it responsibly. CVE-2024-9529 has been reserved for this issue.

Including credit for “disclosing it responsibly.”
