Login

WordPress Plugin Vulnerability News

15 Oct 2024

Matt Mullenweg Claims He Doesn’t Know about Day to Day Operations of the WordPress Foundation, Who Does?

So far, with everything going on with WordPress, there has been a decided lack of new details exposed by journalists. There have been plenty of stories, but most just repeating claims made by various parties in the situation. That changed today, as TechCrunch’s Ivan Mehta reported on an internal Automattic blog post that laid out the strategy of trying to gain more control over the WordPress trademark. Here is part of how he described that:

The message – penned by Automattic’s then-chief legal officer Paul Sieminski in January 2024 on the company’s “P2” (a version of WordPress aimed at internal communications) – outlined a plan for how Automattic would approach this strategy, through direct negotiations with companies and via legal action from “nice and not nice lawyers and trademark enforcers.” And Automattic potentially would register further trademarks going forward. [Read more]

14 Oct 2024

Matt Mullenweg Claimed that “Open source gives you the security, the trust, the continuity.” Day Before ACF Takeover

As we mentioned in our last post, Matt Mullenweg continued his extortion campaign against WP Engine over the weekend by taking over WP Engine’s Advanced Custom Fields (ACF) plugin. The day before, a new conversation with him was released on Youtube. The conversation was with someone who has a questionable history, including editing his own Wikipedia page. The conversation included many misleading to false statements, including one that other person in the conversation actually stumbled in to exposing.

When he was asked if his extortion campaign could help competitors to WordPress, he answered it this way after mentioning Webflow: [Read more]

14 Oct 2024

How Did Automattic Employee Know in Advance of Takeover of Advanced Custom Fields if It Was Done by WordPress Security Team?

On Saturday, Matt Mullenweg announced a takeover of WP Engine’s Advanced Custom Fields plugin. That isn’t really surprising. As we wrote recently, Matt Mullenweg can hold plugin developers’ hostage. Matt Mullenweg claimed this was done by the WordPress security team:

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem. [Read more]

11 Oct 2024

Matt Mullenweg Is Now Claiming WordPress.org Provides “Access to WordPress-Related Software at No Charge,” While Trying to Charge for Access

If you are trying to figure out what is going on with WordPress these days, it is difficult, as Matt Mullenweg and others on his side are saying things that appear to varying degrees to not be true. We previously covered how a lawyer for Automattic was claiming that a non-profit owned WordPress.org, while Matt Mullenweg is claiming he owns it. On the Hacker News, Matt Mullenweg responded to a reply about that by claiming that “All the information in the links you shared is totally wrong.” One of three links he claimed contained information that is totally wrong was a post he had written. He then responded, “Sorry for that error, the post has been updated now.” The change made to the post doesn’t make sense from a legal perspective, but it also involved Matt Mullenweg making a striking claim based on what else he is doing.

Here is the relevant sentence from the post before it was changed, with emphasis added by us to the relevant change: [Read more]

10 Oct 2024

Automattic’s Lawyer Falsely Claims Automattic Doesn’t Control What Code is Labeled WordPress

In a couple of previous posts, we have looked at claims coming from an associate general counsel at Automattic. This person is claiming that there is a never before disclosed non-proft that controls the WordPress website, which runs counter the claim by Automattic CEO Matt Mullenweg that he owns it. They also are claiming, in direct contradiction to Matt Mullenweg, that the WordPress trademark was not donated to the WordPress Foundation.

Now he apparently is replying on the Hacker News. The responses are strange and you might reasonably believe that it is an impostor. But the account‘s username is the same as his name and is listed as being created in February 2017. [Read more]

9 Oct 2024

Matt Mullenweg Claims the WordPress Trademark Was Donated to the WordPress Foundation, Automattic’s Lawyer Disagrees

The trademark for WordPress plays an important role in Matt Mullenweg’s extortion campaign against WP Engine, and all the security implications that come out of it. What is clear is how unclear things have been with that. Matt Mullenweg has said things that are misleading and in other cases appear to be outright false. One of his own lawyers is disagreeing with him over fundamental issue (it isn’t the only issue they disagree with him). Was the trademark donated to the WordPress Foundation or not?

Matt Mullenweg’s announcement in 2010 said the trademark was donated (emphasis ours): [Read more]

9 Oct 2024

WordPress’ Latest Canonical Plugin WPGraphQL is Still Using Vulnerable Version of Library 18 Months Later

Two days ago Matt Mullenweg announced the WordPress plugin WPGraphQL was becoming a canonical plugin:

Happy to announce that WP GraphQL is becoming canonical on WordPress.org. I could say more, but I’ll let Jason tell his story. [Read more]

8 Oct 2024

WordPress Documentation On Confusion With WordPress.com Changed to Include Ridiculous Ad Promoting WordPress.com

The voice of WordPress could be a powerful force to help address many problems that exist in the WordPress space. Including lots of FUD about security that gets in the way of focusing on fixing real security issues. Unfortunately, it is increasingly being used to promote the for-profit interests of Matt Mullenweg. That has bled in to the WordPress documentation.

Recently, Matt Mullenweg has been complaining that people confuse WordPress and WP Engine. If this really is a significant issue, then there is a bigger issue that he could address. The confusion between his for-profit WordPress.com and WordPress. There is so much confusion that the WordPress website, WordPress.org, has a post titled “What’s the difference between WordPress.org and WordPress.com?” That page has existed since at least 2015. Since 2015, the page has this as the final section: [Read more]

7 Oct 2024

Automattic Can’t Decide if WordPress.org is a Previously Undisclosed Non-Profit or If It is Just Matt Mullenweg

As part of Matt Mullenweg’s extortion campaign against WP Engine, someone with control of the WordPress website started blocking customers of WP Engine from getting security updates for WordPress software. That makes the ownership/control of the WordPress website as critical security issue to understand. So who owns the WordPress website? It seems it should be a simple question to answer, but even the CEO of Automattic and Automattic are not on the same page on that.

In a post on Automattic’s website published on October 2 (and subsequently updated on October 3), an associate general counsel at Automattic, wrote that the non-profit WordPress “Foundation also licensed the name WordPress to the non-profit WordPress.org, which runs a website that facilitates access to WordPress-related software.” That would mean there is a second non-profit besides the WordPress Foundation, which exists, but that people are not aware of. [Read more]

7 Oct 2024

Lack of Clarity Surrounding Scope of Automattic’s Rights to Commercial Use of WordPress Trademark

Last week we noted that a post written on Automattic’s website by an associate general counsel at Automattic, appeared to have a gotten significant detail wrong. As the author claimed that a non-profit owns WordPress.org, despite the CEO of Automattic continually claiming he personally owns it. There is another detail that may not be right that was discussed in that.

In a post on The Repository, written by Rae Morey, noted the issue on the non-profit claimed to own WordPress, but went on to report this: [Read more]