Matt Mullenweg’s Legal Filing Suggests “WordPress security team” That Took Over ACF Is Really the Automattic Security Team
We have been covering a mystery surrounding the takeover of WP Engine’s Advanced Custom Fields (ACF) on the WordPress Plugin Directory, namely who was behind the takeover. When Matt Mullenweg announced the takeover, he said he was doing so “[o]n behalf of the WordPress security team.” Yet an Automattic employee not involved in any WordPress security team publicly claimed they were aware of this ahead of time. We have also received information suggesting that it was more widely known about in Automattic. Someone saying they were a member of the WordPress Security Team claimed they were not aware of this. What is going on with the security team of WordPress is largely a mystery, with it being unclear if it is named the WordPress Security Team or the WordPress Core Security Team. Or possibly there is more than one team. New legal filings in WP Engine’s case against Automattic and Matt Mullenweg suggest that the takeover wasn’t actually done by a security team in WordPress.
In a filing opposing WP Engine’s motion for a preliminary injunction, the lawyers for Automattic and Matt Mullenweg explain the takeover this way:
In implementing that patch and distinguishing the resultant plugin from ACF—which was still being offered directly through WP Engine—the WordPress security team forked that plugin, and named that fork SCF. Id. ¶ 46. Forking—where a developer creates a separate and independently developed version of an existing open-source project—is a common practice in the open-source software community and is how the WordPress software originated. Id. ¶ 47
That, in turn, cites paragraphs 46 and 47 of a declaration from Matt Mullenweg. Like the other legal filing, paragraph 46 of that refers to the takeover as being done by the “WordPress security team:”
In implementing that patch and distinguishing the resultant plugin from ACF, which was still being offered directly through WPE, the WordPress security team forked that plugin, creating a new version. The WordPress security team named that fork Secure Custom Fields (“SCF”).
Going back to the filing, the first mention of the “WordPress security team” is this:
To guard against any such threat, the WordPress security team undertook a security review of ACF. Id. ¶ 44.
Looking at the referenced paragraph 44 of Matt Mullenweg’s declaration, it says:
To guard against any such threat, the WordPress security team undertook a security review of ACF. That review revealed the existence of a security vulnerability in the ACF software, which the WordPress security team promptly disclosed to WPE in accordance with the principles of responsible disclosure.
That is the first reference to the “WordPress security team” in that. His declaration ends with him declaring under penalty of perjury that what he said is true:
I declare under penalty of perjury under the laws of the United States of America and the State of California that the foregoing is true and correct.
We previously covered the reporting of this “vulnerability” by the discoverer. The email that was sent to report this has already been submitted in the filings of this case. As is shown in the email, the reporter was the Automattic Security Team. They specifically claimed they discovered the vulnerability as well. Their email even included a request to credit the Automattic Security Team:
When you release a fix for this security issue, please credit the “Automattic Security Team” for finding and disclosing it responsibly. CVE-2024-9529 has been reserved for this issue.
Matt Mullenweg was CC’d on the email.
That this was done by the Automattic Security Team was confirmed in a now-deleted tweet from Automattic that read:
Automattic’s security team has responsibly disclosed a vulnerability in @wp_acf to @wpengine. As is standard, they have 30 days to issue a fix before public disclosure. We have reserved this CVE for the issue: https://www.cve.org/CVERecord?id=CVE-2024-9529
That CVE record cited there remains empty, but another Automattic entity, WPScan, is also crediting the Automattic Security Team:
That would explain how Automattic employees knew about the takeover, as it wasn’t done by the “WordPress security team” but by the Automattic Security Team.
It is rather troubling that Matt Mullenweg is portraying the security team of his company as being the “WordPress security team” when there is apparently a real WordPress Security Team. But it is in line with him referring to himself as WordPress.org to keep the WordPress community unaware of his troubling personal ownership of the WordPress website.