13 Nov 2024

WP Engine Failed to Vet Security of Plugin Acquired This Year or Fix Vulnerability in It Once It Was Reported to Them

When it comes to whether Matt Mullenweg or WP Engine are the bad guys in the recent dispute between them, the reality is that both have played a decidedly harmful role in the security of WordPress plugins. Sometimes that comes from them working together. Last year, we noted that WP Engine was falsely claiming that a popular WordPress plugin contained a security vulnerability. That was caused by them using a known unreliable source of vulnerability data, WPScan. Incredibly, WP Engine’s VP of security admitted earlier in the year that they haven’t done due diligence on WPScan’s data:

We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else. [Read more]

12 Nov 2024

A WordPress Plugin Vulnerability Might Have a Fix Even if Security Providers Say That One Doesn’t Exist

Last week, we had someone contact us about addressing an unfixed vulnerability in a WordPress plugin. In taking a quick look at that, we found the vulnerability had been fixed over three years ago. So why was this person asking about it now? It turned out, in part, that the security provider Patchstack, as is often the case, didn’t vet the information they simply copied from another provider.

Based on the name they used for the vulnerability, we could determine that Patchstack is the original source for this person’s information. Whether they got it directly from Patchstack or from someone in turn using their data, we don’t know. If you look at Patchstack’s listing for the relevant vulnerability, they don’t provide even basic information about the vulnerability. But they did say that it hadn’t been fixed and was in version 4.7 of the plugin. [Read more]

7 Nov 2024

The Various Rationales Put Forward by Matt Mullenweg and His Lawyers for His Action Against WP Engine’s ACF

When Matt Mullenweg announced a takeover of WP Engine’s Advanced Custom Fields (ACF) on October 12, he cited the guidelines of the WordPress Plugin Directory for doing that:

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines [Read more]

6 Nov 2024

Plugin Security Scorecard October Results

October was the third full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 176 in total last month, 9 of which were security plugins.

As can be seen below, the results for security plugins were not good, with all but two of those plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security. Then there is the issue of the plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true). [Read more]

5 Nov 2024

Mess Involving WordPress Partner HackerOne Highlights a Major Problem With Usage of Third-Party Bug Bounty Programs

Originally, bug bounty programs were helpful in improving security for a couple of reasons that had nothing to do with payouts for vulnerabilities. They provided a clear method to report security issues to developers, and they signified that developers were going to address the issues instead of doing something like threatening a lawsuit. Then the security industry saw yet another way to make money, while making security worse. Security providers, including HackerOne, came along telling companies that they needed a bug bounty program and that they should pay them to manage it. That led to an unnecessary third party being involved in the process and to companies that were not interested in fixing issues seeming as if they were. The results haven’t been good.

One of the problems with this process, as we previously noted with the programs from WordPress and Automattic, which are handled by HackerOne, is that they create a situation where there isn’t a method to report many security issues. This is something we have tried to address with WordPress, with no success. [Read more]

5 Nov 2024

Matt Mullenweg’s 18+ Month Timeline of Interactions About “Trademark Abuse” With WP Engine Keeps Shrinking

As time has gone on, a central element of Matt Mullenweg’s story of how he came to publicly attack WP Engine has continued to crumble. That is the timeline of meetings between the two sides over a deal to address what he now claims is trademark abuse. In a post dated October 14, on his own website, he claimed, as he has elsewhere, that this had been going on for 18+ months: ‘Automattic did not work on a deal with WP Engine for 18+ months because of the GPL, or them using “WP” in their name, it was because of their abuse of the WordPress and WooCommerce trademarks.’ But looking at another of his statements and at something from the company he runs, Automattic, suggests the timeline would have to be much shorter.

On October 1, Automattic put forward a 20 month timeline of meetings between the two sides. Here are the first three items on that: [Read more]

4 Nov 2024

Automattic’s WPScan Is Violating the Rules of the CVE Program With Advanced Custom Fields “Vulnerability”

As if there were not enough issues with what Automattic has done related to WP Engine’s Advanced Custom Fields, they are also violating the rules of the CVE program. As CVE’s website puts it, “The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.” Through their WPScan subsidiary, Automattic is able to issue CVE IDs as a CVE Numbering Authority (CNA). That seems like a bad idea, based on their track record of inaccurate and false claims of vulnerabilities, but CVE has been very clear that they don’t care about the accuracy of their data. The rules of the program do require that a CNA publish a record within 72 hours of publicly disclosing a CVE ID, and recommend doing so within 24 hours:

4.5.1.3 CNAs SHOULD publish a CVE Record to the CVE List within 24 hours of Publicly Disclosing a CVE ID assigned by the CNA. CNAs MAY publish or update CVE Records as part of the CNA’s processes to manage Vulnerability advisories or other public information that references the CVE ID. [Read more]

4 Nov 2024

Matt Mullenweg Now Says That the Contribution Option of His Extortion Demand Was Added Because He Thought He Would Be Exposed

In late September, when WP Engine originally exposed through a cease and desist letter that Matt Mullenweg’s attacks on them were part of an extortion campaign, he almost immediately admitted to the extortion demand on Reddit. It was an odd response. But his defense seemed to be that he wasn’t just asking for money to be paid to his for-profit company, Automattic; he had always provided the option to donate employee time to WordPress instead: “They had the option to license the WordPress trademark for 8% of their revenue, which could be delivered either as payments, people (Five for the Future .org commitments), or any combination of the above.” It turned out that the option to donate time came with some serious caveats, including that the donated time would be spent on work apparently at his personal direction:

Commit 8% of its revenue in the form of salaries of WP Engine employees working on WordPress
core features and functionality to be directed by WordPress.org. WP Engine will provide Automattic
a detailed monthly report demonstrating its fulfillment of this commitment. WordPress.org and
Automattic will have full audit rights, including access to employee records and time-tracking [Read more]

4 Nov 2024

Matt Mullenweg and His Lawyers Have Very Different Estimates as to the Cost of Running WordPress.org

Recently it was made public that Matt Mullenweg personally has the ability to stop WordPress websites from getting automatic security updates from WordPress.org. That was exposed when he blocked customers of WP Engine from getting those updates. He can do that because he apparently personally owns the WordPress website. He provides various justifications for that, including that someone independently wealthy is needed to subsidize the website: “[t]hey need to be independently wealthy to subsidize http://W.org, which serves 30k requests a second at peak.” It doesn’t actually need to be owned by an individual, but whoever owns it, there is the question of how much it costs to run. Matt Mullenweg hasn’t provided an accounting of how much it costs to run or of how much money he is making off it (he apparently has income from the website). So how much does it cost? The answers coming from his side vary significantly.

On September 26, Matt Mullenweg put the cost of supporting only the estimated 1.5 million websites hosted with WP Engine at millions of dollars: “You could imagine that probably costing millions of dollars per year in infrastructure and cost, development time, everything to support those 1.5 million sites.” [Read more]

1 Nov 2024

Matt Mullenweg’s Legal Filing Suggests “WordPress security team” That Took Over ACF Is Really the Automattic Security Team

We have been covering a mystery surrounding the takeover of WP Engine’s Advanced Custom Fields (ACF) on the WordPress Plugin Directory: who was behind the takeover. When Matt Mullenweg announced the takeover, he said he was doing so “[o]n behalf of the WordPress security team.” Yet an Automattic employee not involved in any WordPress security team publicly claimed they were aware of this ahead of time. We have also received information suggesting that it was more widely known about in Automattic. Someone saying they were a member of the WordPress Security Team claimed they were not aware of this. What is going on with the security team of WordPress is largely a mystery, with it being unclear whether it is named the WordPress Security Team or the WordPress Core Security Team, or whether there is more than one team. New legal filings in WP Engine’s case against Automattic and Matt Mullenweg suggest that the takeover wasn’t actually done by a security team in WordPress.

In a filing opposing WP Engine’s motion for a preliminary injunction, the lawyers for Automattic and Matt Mullenweg explain the takeover this way: [Read more]