Self-Proclaimed “WordPress Core Security Team Lead” John Blackbourn Is Telling People to Not Report Security Bugs in His Plugins to Him
A week ago we posted on our finding fairly stunning examples of poor security in WordPress. Those examples suggest that WordPress hasn’t had a comprehensive security review since at least 2009. The security page for WordPress would seem to say that is something that the “WordPress Security Team” should be addressing:
The WordPress Security Team works to identify and resolve security issues across the WordPress core software, harden the software against threats such as the OWASP Top Ten, and provide guidance across the ecosystem.
But that team appears to not exist. As an example of the evidence that it doesn’t exist, the page listing the Team Reps for the various WordPress teams has no listing for a security team. Similarly, the homepage of make.wordpress.org lists 23 teams, including at least one that appears inactive, but there is no security team. We looked more into the mystery of the WordPress security team or teams and what the “WordPress security team” really was in November
While the team doesn’t appear to exist, there is someone who is mentioned in the media as being the “WordPress core security team lead.” Though the only place on the WordPress website where they are referenced as holding that position is their own user profile. That person is John Blackbourn and, according to the profile page, “Human Made sponsors” him “to contribute 16 hours per week to the Core team.” Notably, he doesn’t say they sponsor him for the Security Team, despite his having a contribution badge for a “Security Team.”
Assuming he really is the head of what amounts to a WordPress security team, he pretty obviously shouldn’t be, as he isn’t responsibly handling the reporting of possible vulnerabilities in his own plugins. Looking at his plugins on the WordPress Plugin Directory, there is a FAQ entry, “How can I report a security bug?”, with this answer:
You can report security bugs through the official Query Monitor Vulnerability Disclosure Program on Patchstack. The Patchstack team helps validate, triage, and handle any security vulnerabilities.
There are a multitude of issues with that. Some of them we have touched on with WordPress’ own problematic handling of reporting security issues. There are many security issues you can’t report through such programs:
The security issues we were reporting to them run afoul of the first bullet point, “Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.”, and the last bullet point, “Theoretical vulnerabilities where you can’t demonstrate a significant security impact with a PoC.”
And there are general problems with handling reporting that way:
In general, bug bounty programs are not an acceptable alternative to having a proper process to report security issues. That is because of limits on what can be reported, as well as other issues. Another is that the legal requirements of those programs may conflict with the legal or ethical obligations that security providers have to their customers.
A quick check of his plugins identified a security bug in one with 300,000+ installs, which can’t be reported through the program he is telling people to report security bugs through.
Reporting issues to Patchstack also introduces other serious issues, which have repeatedly led to vulnerabilities not being fixed in a timely manner or at all.
Someone running a security team should be aware of how wholly inappropriate that is. That he is doing it helps to explain how the WordPress software is so insecure.
WordPress badly needs to get a security team, and one run by people who actually have the expertise and experience to get WordPress secured.
Human Made’s role in leaving WordPress insecure while selling security services is something we will cover in a follow-up post.