24 Jan 2025

WordPress Plugin Review Team Reviews Failing to Catch Basic Security Failure (Including in a Plugin From the Team’s Security Reviewer)

At the end of last year, one of the team reps for the team running the WordPress plugin directory provided an assessment of what the team had been up to. Incredibly, it credited one past member of the team with a “magnificent legacy” of a scanner tool, despite it being no secret that that person had blocked efforts for years to improve the team’s scanner tool (and, more generally, blocked efforts to address the problems they were causing). Beyond that, it made repeated claims about the team’s handling of security, including this in the first paragraph:

Throughout this time, we remained focused on our primary goals: enhancing security, improving the review process, and fostering community engagement.

That stands in stark contrast to what we reported yesterday. Two new plugins from big WordPress plugin developers were allowed into the directory despite both having the same easy-to-spot security issue: a failure to include a capability check on AJAX-accessible functions that are registered only for those logged in to WordPress.
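To make the issue concrete, here is an added example (not code from the post, nor from either plugin it discusses) of the pattern in question, written as a small WordPress plugin file. The `pvex_` prefix, the option name and the `manage_options` capability are assumptions chosen for the example. The first handler is registered with a `wp_ajax_` hook, so only logged-in users can reach it, but it never checks what those users are allowed to do; the second adds the nonce and capability checks. The final function is a review-time heuristic of the kind a directory scanner could run: it lists `wp_ajax_` callbacks whose body contains no `current_user_can()` call.

```php
<?php
/**
 * Plugin Name: PVEX capability check example (added example, assumptions labelled)
 */

// Registrations are guarded so the file can also be run stand-alone on the CLI
// to exercise the heuristic below; inside WordPress, add_action() exists.
if ( function_exists( 'add_action' ) ) {
    // Vulnerable pattern: reachable by any logged-in user (e.g. a Subscriber).
    add_action( 'wp_ajax_pvex_save_settings', 'pvex_save_settings_vulnerable' );
    // Hardened pattern: same action, with authorization and CSRF checks.
    add_action( 'wp_ajax_pvex_save_settings_safe', 'pvex_save_settings_safe' );
}

function pvex_save_settings_vulnerable() {
    // Being logged in is not the same as being allowed to change settings:
    // nothing here restricts the caller's role.
    update_option( 'pvex_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

function pvex_save_settings_safe() {
    // Rejects requests that did not originate from the plugin's own admin page
    // (nonce created with wp_create_nonce( 'pvex_save_settings' )).
    check_ajax_referer( 'pvex_save_settings', 'nonce' );

    // Authorization: only users who may manage options get to change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'pvex_settings', $settings );
    wp_send_json_success();
}

/**
 * Review-time heuristic: return the names of wp_ajax_* (not wp_ajax_nopriv_*)
 * callbacks whose function body contains no current_user_can() call.
 * Handles string-literal callbacks defined as plain functions only; closures,
 * class methods and checks delegated to a helper are not followed, so hits are
 * leads for a human reviewer to read, not confirmed findings.
 */
function pvex_find_ajax_callbacks_without_capability_check( string $source ): array {
    $missing = array();
    preg_match_all(
        '/add_action\(\s*[\'"]wp_ajax_(?!nopriv_)\w+[\'"]\s*,\s*[\'"](\w+)[\'"]/',
        $source,
        $registrations
    );
    foreach ( array_unique( $registrations[1] ) as $callback ) {
        // Capture the body up to the first closing brace in column 0.
        $pattern = '/function\s+' . preg_quote( $callback, '/' ) . '\s*\([^)]*\)\s*\{(.*?)\n\}/s';
        if ( preg_match( $pattern, $source, $m ) && strpos( $m[1], 'current_user_can' ) === false ) {
            $missing[] = $callback;
        }
    }
    return $missing;
}

// Stand-alone run (php this-file.php): scans this file and reports the
// vulnerable handler, and only that one.
if ( ! function_exists( 'add_action' ) ) {
    print_r( pvex_find_ajax_callbacks_without_capability_check( file_get_contents( __FILE__ ) ) );
}
```

Run outside WordPress, the heuristic reports `pvex_save_settings_vulnerable` and nothing else. The two checks in the hardened handler address different risks and both are needed: `check_ajax_referer()` stops a request forged from another site, while `current_user_can()` stops a legitimately logged-in low-privilege account from doing something it should not; leaving out the second is exactly the gap the post describes.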

One of the developers, Awesome Motive, stands out there for two reasons. One is that it has as its chief security officer (CSO) the Security Reviewer on the review team. The other is that the developer was in the news last month for a vulnerability caused in part by their failure to implement that security check in one of their plugins. They continue to have that problem in the same plugin, as their CSO apparently either isn’t concerned about the company’s security or is incapable of handling basic security.

Problems like this could easily be addressed if the team was willing to work with those in the WordPress security industry interested in addressing problems like this. Unfortunately, the last time we tried to broach that with them, the response was hostile and obviously and ridiculously dishonest.
