6 Dec 2024

Matt Mullenweg Signed WordPress Foundation Trademark Application as “CEO”, Despite Not Being Its CEO

Samuel Sidler, a former direct employee of Matt Mullenweg, wrote an interesting post about the unclear ownership of Openverse, which is a WordPress project. One piece of the story ties into something we have looked at: the extent to which the WordPress Foundation is intertwined with Automattic, especially in trademark applications. He wrote this:

The application of the wordmark was made by the WordPress Foundation, with Mullenweg signing the paperwork with a title of “CEO.”[9] Meanwhile, on the trademark application for the logo, Mullenweg signed the paperwork with a title of “Founder.” On November 10, 2022, Chloe Bringmann—with a title of “Chief of Staff”—signed a “statement of use” for the logo, noting first use was July 20, 2021. Bringmann signed a “statement of use” for the wordmark on May 23, 2023, noting first use was April 27, 2021. [Read more]

3 Dec 2024

Member of WordPress Plugin Review Team Anonymously Criticizes ACF Pro Forking, But Doesn’t Leave Team

One of the unfortunate realities of the current situation with WordPress is that the problems being surfaced are hardly limited to Matt Mullenweg. Long ago, the people controlling the areas of WordPress we had the most interaction with were often similar to Matt Mullenweg in many ways. The security issues with WordPress plugins today largely exist because of the people who have run the plugin directory, the WordPress Plugin Review Team. They have long been actively hostile to working with others to address problems, when not actually creating the problems. Like Matt Mullenweg, members of the team have portrayed themselves as victims in situations where they were definitely not victims. That made a recent set of events unsurprising to us.

A week ago, The Repository allowed a member of the team to anonymously complain about the forking of the Advanced Custom Fields (ACF) Pro plugin and claim that their team had no responsibility for it: [Read more]

2 Dec 2024

For the Second Time This Year, Automattic’s Top Lawyer Has Left

Last week’s hearing on a preliminary injunction in the legal case between Matt Mullenweg/Automattic and WP Engine featured an Automattic lawyer we hadn’t heard mentioned before. That would be their General Counsel, Jordan Hinkes. That role has been their second-highest legal position. Bloomberg Law reported on Friday that he was newly on the job. His LinkedIn profile shows him having taken the job in October:

[Read more]

2 Dec 2024

Automattic Apparently Manages the WordPress.org Infrastructure

Because of recent actions taken by Matt Mullenweg, control of WordPress.org has become a big security concern. It continues to be unclear who is actually in control of it. Lawyers representing Matt Mullenweg and Automattic have put forward varying explanations. In a legal filing on October 22, they put forward the view that Matt Mullenweg is personally in control of it:

WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility. [Read more]

2 Dec 2024

Plugin Security Scorecard November Results

November was the fourth full month our Plugin Security Scorecard was available, and a fair number of plugins were checked. A total of 78 plugins were checked last month, 17 of which were security plugins.

As can be seen below, the results for security plugins were not good, with only five of those plugins getting a C or above. That comes from a combination of different issues. Some of those plugins have security issues. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security. Then there is the issue of plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true). [Read more]

21 Nov 2024

Spokesperson for WordPress.org Claims It is Committed to “Continued” Transparency and Increasing Security Expectations

If you have followed what is going on with WordPress recently, transparency is not a word you would use to describe things. And yet an unnamed “WordPress.org spokesperson,” speaking to an undisclosed employee of the head of WordPress, Matt Mullenweg, claimed that WordPress.org is committed to continued transparency:

WordPress.org is committed to increasing security expectations, adopting secure development practices, continuing to lead the project with transparency, and being a willing and helpful partner regarding any government requirements. [Read more]

21 Nov 2024

WordPress All-In-One Security and 2FA Plugins Can Get Your Website Hacked

A major source of security vulnerabilities in WordPress websites is insecure WordPress plugins. In response to that, far too many WordPress security providers push installing more plugins instead of taking steps to actually fix the insecurity of plugins. You will often see them pushing all-in-one security plugins and plugins that add two-factor authentication (2FA), despite the lack of protection they often offer and the security issues they can introduce. A prime offender in doing that is Wordfence. When that recently led to a serious problem, they didn’t change course. Instead, they used it to market themselves. Before we get into that, we will take a step back to our warnings last year about a popular security plugin.

Back in 2017, we did a security review of a plugin named Really Simple SSL and found no issues with what we were checking at that time. Last year the plugin was radically changed, moving away from a focus on providing really simple SSL to being an all-in-one security plugin. Alongside that, the developer showed a clear lack of concern for security. As we wrote about in July of last year, they were falsely claiming that plugins contained vulnerabilities because they were using a known unreliable source for vulnerability data. They didn’t address that by moving to a reliable source, and in January we noted a much more concerning situation, where they were falsely claiming unfixed vulnerabilities had been fixed. [Read more]

18 Nov 2024

Wordfence and “Security News” Outlets Falsely Claim 4 Million WordPress Websites Were Affected by Vulnerability

For reasons we have never understood, various websites portraying themselves as security news outlets are treated as reliable news outlets, despite not really being news outlets. They are also included in Google News, despite a long history of publishing misleading to outright false claims related to WordPress security. One of those is Bleeping Computer. In the latest incident related to WordPress, one of their writers, Bill Toulas, wrote a post titled “Security plugin flaw in millions of WordPress sites gives admin access.” At the end of his post, he gave a more specific figure for the number of websites impacted, 3.5 million:

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw. [Read more]

18 Nov 2024

WordPress Plugin Security Review: WP API Privacy

As part of the ongoing situation between Matt Mullenweg and the WordPress community, there has been increased concern about various aspects of WordPress. One area of concern is what information is being transmitted back to WordPress from websites running WordPress. That led to the release of a new plugin, WP API Privacy, to limit some of that information. As part of our focus on supporting efforts to reform WordPress, we decided to do a security review of the plugin.

If you want a security review of plugins you use, you can start suggesting and voting on plugins to receive security reviews from us when you become a paying customer of our service. For those already using the service who haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our main service. [Read more]

14 Nov 2024

Comment From WordPress Core Contributor Helps to Explain Why WordPress Has Long Failed to Address Fixable Security Issues

WordPress has long had a reputation for poor security. The reality behind that is that many of the claims about poor security are not true, while real security issues haven’t gotten attention or fixes. A recent story at The Repository about the response of core contributors to WordPress to Matt Mullenweg’s recent actions helps to explain why things are going wrong. The story anonymously quotes “[v]eteran WordPress core committers and contributors,” painting a rather bad picture of many of those people.

The most striking comment is this: [Read more]