1 Nov 2024

The Mystery of the WordPress Security Team or WordPress Core Security Team

In trying to cover various elements of the current situation with WordPress, we have run into a pre-existing issue: the lack of almost any official information on the WordPress security team or teams. This is very different from how other similar, but smaller, projects handle things. You can easily find a lot of information about the teams for both Drupal and Joomla, including who is on the teams and what their scope is. It isn't even clear how many teams there are for WordPress, or whether they actually exist as teams.

Recently, Matt Mullenweg cited the “WordPress security team” when announcing the takeover of the plugin Advanced Custom Fields. He linked to the WordPress.org Security page when mentioning that. That page mentions a team labeled as the WordPress Security Team: [Read more]

1 Nov 2024

WP Engine’s Poor Security Partially Explained by CTO Who Lacks Basic Security Knowledge

In WP Engine's lawsuit against Automattic and Matt Mullenweg, the examples of WP Engine using the WordPress trademark over the years also show that they have placed a big emphasis on handling security well. That hasn't matched the actual results. In late 2015, they suffered a breach that required the "passwords for the WP Engine user portal, SFTP, the original WP-Admin account, password-protected installs and transferable installs, and the WordPress database" to be reset. Their explanation for the breach was that it came through the provider they outsourced the hosting of websites to. It was the same provider that had led to a more limited breach two years before. Either they could safely rely on outsourced infrastructure but failed to properly vet it, or they couldn't rely on it at all. Either way, they were promising security they were not delivering.

Their poor handling of security has continued in various ways into the present. Just in May, we found that they had failed to actually fix a vulnerability in one of their plugins. Compounding that problem, they were providing their customers with warnings about vulnerabilities in WordPress plugins from a data source known not to be reliable. Last year, that data source had promoted WP Engine's use of it with a quote from WP Engine's VP of Security admitting he hadn't done basic due diligence. If he had done basic due diligence, he would have known the data provider isn't reliable. Amazingly, that person is still employed despite publicly admitting to not acting professionally in a way that has put WP Engine's customers at unnecessary risk. [Read more]

31 Oct 2024

WordPress Plugin Review Team’s Stance That “Forked Premium Plugins Are Not Permitted” Changed Same Day ACF Takeover Happened

Since Matt Mullenweg announced a takeover of WP Engine's Advanced Custom Fields (ACF) on the WordPress plugin directory on October 12, there have been questions about whether the features of the paid Pro version would be incorporated into the rebranded Secure Custom Fields. Doing that would be against the stated policy of the team running the WordPress plugin directory, which was spelled out in a February 16, 2021 post titled "Reminder: Forked Premium Plugins Are Not Permitted." Or rather, it was against the policy. As of October 8, the post began "tl;dr: We do not permit copies or forks of premium (pay for) plugins to be hosted on WordPress.org."

[Read more]

30 Oct 2024

A Month On, a Glaring Problem With Five for the Future Pledges Hasn’t Been Addressed

When Matt Mullenweg publicly started going after WP Engine, one issue that got a lot of attention was the disparity between how much employee time his company Automattic claimed to sponsor for work on WordPress versus WP Engine. The metric being used, Five for the Future, has plenty of issues. One that has been out in the open, which we happened across, is that there are many pledges that couldn't be real. At the time, Automattic was claiming to currently be providing sponsored time to the Tide team, despite that team having gone inactive in early 2022. They were not alone, as there were 331 current pledges to that team. The story wasn't all that different with another team, where there were 14 listed members of the team and 338 pledges. There is a form for reporting problems with pledges, though it doesn't seem designed for systemic issues, as you are supposed to report the URL of an individual pledge. We filed a report about those issues at the time, so what has happened more than a month on?

After our post about Automattic's pledges, their Five for the Future page was updated and no longer lists time pledged to the Tide team. That appears to be unrelated, as the change came alongside many Automattic employees leaving the company. There were significant changes to Automattic's pledging when those people left. [Read more]

30 Oct 2024

WP Tavern’s Latest Author Got the Job in Part by Writing “Ad” Promoting Automattic Powered Hosting From Bluehost

While the timeline of the public part of Matt Mullenweg's extortion campaign against WP Engine sometimes starts with his talk at WordCamp US on September 20, there were two events that happened before that. On September 17, he published a post on his own website that included criticism of WP Engine. That post was promoted in the admin dashboard of every WordPress website because he decided years ago that the posts on his personal blog should be included in the "news" feed of WordPress. Two days later, another website included in the "news" feed of WordPress ran a post simply repeating much of the information from his post. That post started this way:

WordCamp US 2024 is in full swing, and Matt Mullenweg, co-founder of WordPress, shared his thoughts on a powerful philosophy driving Open Source. [Read more]

29 Oct 2024

For Some Reason Automattic Emailed WP Engine’s CEO About Security “Vulnerability” in Advanced Custom Fields

As part of the whole situation with Matt Mullenweg and WP Engine, there has been a recurring issue: his odd and sometimes possibly illegal interactions with the CEO of WP Engine, Heather Brunner. There was the incident documented in WP Engine's lawsuit where he sent her a text offering her a job and threatening to tell the press about claimed interactions they had previously had if she didn't accept the job. In a follow-up legal filing, there was this odd statement: 'Recently, Automattic began sending purported security alerts about WPE's "ACF" plugin to WPE's CEO, in another act of harassment.' Why would Automattic send security alerts to the CEO of a company? That is not something we have ever heard of happening, and it isn't something we have ever done in reporting security issues over the years, including to Automattic. In a related declaration from WP Engine's CEO, she says the same:

One of those attacks occurred on October 4, 2024, when Automattic sent WPE a security alert about ACF, a plugin that WPE develops and contributes for use by the open source community. A true and correct copy of this email is attached as Exhibit H. Both Mr. Mullenweg and myself were cc’d on the email, which is without precedent. As the CEO, I never get copied on such routine security patch emails for minor security issues. [Read more]

28 Oct 2024

You Don’t Need to Update to New Major Releases of WordPress to Get WordPress Security Updates

Recently, we ran across someone who was asking why they needed to keep updating WordPress itself when all they needed were security updates and not new features. What they didn't know is that you don't need to do all those updates.

If you just want security updates, you can stay on an older major release of WordPress. Security updates are still being released for versions back to 4.1, which was released in 2014. So, for example, if you are currently on 6.6, you can skip updating to 6.7 when it is released. You will still get security updates for the 6.6 version you are using. Normally, that happens automatically. [Read more]

28 Oct 2024

Matt Mullenweg Claimed He Makes Money Off of WordPress.org

The current situation with WordPress has made control of the website for WordPress, WordPress.org, an important security issue. Recently, Matt Mullenweg has claimed in multiple places that he personally owns the website. Notably, though, he hasn't done that on the WordPress website itself. Last week his lawyer also made that claim in a legal filing. If that is true, then a remaining question is who is paying for the website. As we have mentioned in previous posts, parts of the website are clearly hosted by Automattic. An Automattic employee stated in December that Automattic "provides the infrastructure and maintenance" for another part of the website. It is also widely assumed that web hosts are paying to be listed as recommended hosts on the WordPress website. Matt Mullenweg hasn't provided any explanation as to what is going on with any of that. But it turns out he recently indirectly admitted to making money off of the website.

In looking over a recent legal filing from WP Engine's lawyers, an October 1 tweet from Matt Mullenweg caught our eye for a different reason than the filing's focus on it. The tweet says "So if http://W.org was under the Foundation, which is a 501c3, we'd have to remove all commercial plugins, like Elementor, Yoast, Jetpack, etc. That's why I run it through me personally and pay taxes." He wouldn't have to pay taxes simply for owning the domain name or the website. He would have to pay taxes if he was receiving income from the website. (WordPress.org doesn't have any employees, so he wouldn't be paying employment taxes either.) [Read more]

25 Oct 2024

The Executive Director of WordPress.org Is an Employee of Automattic

On Monday, the new Executive Director of WordPress.org started on the job. The position raises serious questions about what is going on with WordPress. The WordPress post by Matt Mullenweg announcing that she would be taking on the role made it sound as if she would be employed by WordPress.org:

We’re proud to announce that Mary Hubbard (@4thhubbard) has resigned as the Head of TikTok Americas, Governance and Experience, and will be starting as the next Executive Director of WordPress.org on October 21st! [Read more]

25 Oct 2024

WP Tavern’s Nathan Wrigley Highlights Duo of Companies Handling Security Badly as Example of Providing Better Security Outcomes

A new legal filing from lawyers representing Matt Mullenweg claims that he loves the WordPress community. That is hard to square with so much of what he does. For more than a decade, he has run a WordPress news outlet that fails to follow the basic journalistic standard of disclosing when the news outlet is covering the owner of the news outlet and related parties. That news outlet is the WP Tavern, which is also included in the WordPress news feed he controls, again without any disclosure of the situation. In addition to the news coverage, the WP Tavern has a podcast done by Nathan Wrigley. He isn't someone who has shown any concern for the accuracy of what he covers. The latest podcast episode shows that off.

Before we get into the podcast episode, let's step back in time to April 2022. That month, hackers started targeting a vulnerability in the very popular Elementor plugin. The vulnerability allowed arbitrary code to be run on the website by anyone logged in to WordPress with any user role that had access to the admin area of WordPress. Normally, anyone logged in to WordPress has access to the admin area. That vulnerability was caused in part by Elementor failing to implement a very basic security check to make sure only a user with an intended capability could access functionality. Another part of the cause was that Elementor was leaking a security nonce to users that shouldn't have had access to it. [Read more]
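The two defects described in that excerpt, shown side by side with the fix, as an added illustration that is not Elementor's code or the original post's. The plugin, hook names and option name are hypothetical; the point is that a WordPress nonce only proves a request came from the site's own admin UI, while `current_user_can()` is what actually decides who may use the functionality.

```php
<?php
// Added illustration (hypothetical plugin, not Elementor's code). The "before"
// registration is shown for contrast only; in a real plugin it would be replaced
// by the "after" one, not run alongside it.

// BEFORE: only a nonce check. Any logged-in user who can reach the admin area
// and obtain the nonce can invoke the handler. Because the nonce was also
// printed for every admin-area user, it gated nothing.
add_action( 'wp_ajax_demo_import_template', 'demo_import_template_before' );
function demo_import_template_before() {
    check_ajax_referer( 'demo_import', 'nonce' );       // CSRF check, not authorization
    $html = wp_unslash( $_POST['template'] ?? '' );
    update_option( 'demo_template', $html );            // stored with no capability check
    wp_send_json_success();
}
add_action( 'admin_enqueue_scripts', function () {
    // Leaks the nonce to every user who can see the admin area, whatever their role.
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'nonce' => wp_create_nonce( 'demo_import' ),
    ) );
} );

// AFTER: the capability check decides authorization; the nonce is still checked,
// but only as protection against cross-site request forgery.
add_action( 'wp_ajax_demo_import_template', 'demo_import_template_after' );
function demo_import_template_after() {
    if ( ! current_user_can( 'manage_options' ) ) {     // authorization first
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_import', 'nonce' );       // then the CSRF check
    // Sanitize before storing so the stored value cannot carry script markup.
    $html = wp_kses_post( wp_unslash( $_POST['template'] ?? '' ) );
    update_option( 'demo_template', $html );
    wp_send_json_success();
}
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;                                         // never emit the nonce to other roles
    }
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'nonce' => wp_create_nonce( 'demo_import' ),
    ) );
} );
```

Reviewing a plugin's `wp_ajax_*` handlers for a `current_user_can()` call, and its enqueue hooks for nonces emitted to every role, catches this class of problem before it ships.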