24 Oct 2024

Matt Mullenweg’s Lawyer Says that WordPress.org Is Not WordPress

We have been following the confusing situation over what WordPress.org is and who owns the website hosted at wordpress.org. That has included Matt Mullenweg disagreeing with Automattic’s lawyers over that, which became a legal “mystery”. One place where you can’t find answers to those questions is the About page on wordpress.org and the rest of the About section of the website. In the text of that page, there are 11 references to WordPress and none to WordPress.org. The title of the page does include WordPress.org. So you would reasonably think that the website of WordPress is wordpress.org. Not so, say the lawyers defending Automattic and Matt Mullenweg in the lawsuit brought against them by WP Engine. Instead, they make this claim in a legal filing submitted yesterday:

WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility. [Read more]

23 Oct 2024

The WordPress Must Win Open Letter Pretends That WordPress’ Lack of Independent Governance Isn’t Intentional

WordPress has a significant problem with toxic positivity. We have seen that over and over in the security space, where trying to have a discussion about problems and how they could be fixed leads to criticism for bringing up the problems. That not only means problems don’t get resolved, but it helps out those taking advantage of the WordPress community. Along those lines, the latest WP Weekly newsletter mentioned “a petition calling for the creation of strong WordPress Foundation v2” called WordPress Must Win. The letter is described as an “appeal to divert all energy being wasted in fights towards co-creating a fully independent, transparent, and strong WordPress Foundation v2.” It doesn’t address the big problem with that proposal: WordPress doesn’t have that independent and transparent governance because the person in control of WordPress, Matt Mullenweg, doesn’t want that.

Here is how they described the WordPress Foundation v2: [Read more]

23 Oct 2024

Matt Mullenweg Is Complaining That WP Engine Hasn’t Donated to the WordPress Foundation, Despite It Having Too Much Money

Trust is a big part of security, and trust is in short supply with the head of WordPress these days. He keeps saying things that are problematic. At the top of the list are statements ranging from outright lies to highly misleading claims. One of his arguments against WP Engine had been problematic before and then got more problematic late last week.

Recently, the Trademark Policy page of the WordPress Foundation was updated to include this message about WP Engine: [Read more]

22 Oct 2024

Minutes of WordPress Foundation 2024 Meeting Highlight How Intertwined It Is With Automattic

In a cease and desist letter dated September 23, a lawyer from Perkins Coie wrote that they were writing while representing “Automattic Inc. and WooCommerce, Inc.” One section of that was titled “Violations of Our WordPress Foundation Trademark Policy” and has this information under the heading:

It is further inappropriate that you violated the terms of your WordCamp US Sponsorship Agreement, which specified clearly that “any use of the WordPress trademarks is subject to the WordPress Trademark Policy listed at http://wordpressfoundation.org/trademark-policy.” You repeatedly and intentionally violated the WordPress Foundation Trademark Policy’s prohibition on the “use [of] the[] [WordPress marks] as part of a product, project, service, domain name, or company name,” as demonstrated in Exhibit B attached hereto. [Read more]

22 Oct 2024

What WordPress Plugins Are No Longer Receiving Updates Through the WordPress Plugin Directory?

As part of the mess going on with WordPress, plugin developers are choosing or being forced to provide updates for their plugins outside of the WordPress Plugin Directory. This creates a big security headache. To help address this, we are compiling information on impacted plugins. You can help by letting us know of additional plugins that are impacted, by either leaving a comment below or contacting us.

The information is also available in a machine-readable format to allow for software to automate checking for impacted plugins. We currently have it available in the JSON format. If there are other formats needed, we can format it for those as well. [Read more]

21 Oct 2024

Automattic Deleted Blog Post Praising WP Engine, Where WP Engine’s VP of Security Admitted to Not Doing Basic Due Diligence

One question that has come up a lot recently regarding the situation with Matt Mullenweg and WP Engine is who the bad guy is. Considering that Matt Mullenweg is engaged in a now very public extortion campaign against WP Engine, they are clearly a victim. But that doesn’t mean they are the good guys. Sometimes they are the bad guys alongside Matt Mullenweg’s company Automattic.

In July of last year, we covered a situation where WP Engine was falsely claiming that a popular WordPress plugin contained a vulnerability. (Because everything is related, the developer of that plugin has become another victim of the current mess.) The cause of the false claim was that WP Engine didn’t actually vet vulnerability claims. Instead, they used a source well-known to not be a reliable source, WPScan. WPScan is owned by Automattic. [Read more]

21 Oct 2024

Automattic’s Lawyer Didn’t Mysteriously Delete Statement That WordPress.org Is a Non-Profit, Matt Mullenweg Deleted It

On Friday, the law firm representing WP Engine in their lawsuit against Automattic and Matt Mullenweg filed a motion for a preliminary injunction. One claim made by the lawyers from Quinn Emanuel in that filing stood out to us, because they claimed something was a mystery, but it isn’t. It suggests that maybe the lawyers are not doing as good a job as they should be, or that they were not telling the truth.

Here is the statement with the claim: [Read more]

18 Oct 2024

WordPress Plugin Vulnerability Data Providers Are Failing to Warn About Unfixed Vulnerability In WordPress’ Latest Canonical Plugin WPGraphQL

On Wednesday of last week, we posted that WordPress’ latest canonical plugin WPGraphQL contained a vulnerability because the developer had failed to update a third-party library included in the plugin in 18 months. We contacted the developer to alert them to that earlier the same day. We have yet to hear back from them, and the plugin, as well as two other plugins from the same developer with the same issue, has yet to have a new version released to fix the vulnerability. We asked WordPress if they were going to take over the plugin, like they did with Advanced Custom Fields, to address that. We haven’t received any response.

Our customers have been warned about that vulnerability, but those relying on other providers for WordPress plugin vulnerability data are still in the dark. Those getting data from a provider other than us are almost always ultimately getting it from one of three providers. One is owned by Automattic, which is the new employer of the developer of WPGraphQL. That provider, WPScan, isn’t warning about this: [Read more]

17 Oct 2024

Was the WordPress Foundation Just Matt Mullenweg When It Issued Him a License for the WordPress Trademark?

As part of Matt Mullenweg’s attempt to post through his own bad actions, earlier this week he was criticizing the people behind a couple of other open source projects over the ownership of their trademarks. He wrote this:

Let’s talk about trademarks! I don’t own the WordPress trademark personally, it belongs to a foundation on which I’m one of three votes. Rails? [Read more]