1 Oct 2024

Plugin Security Scorecard September Results

September was the second full month our Plugin Security Scorecard was available. A fair number of plugins were checked: 135 in total last month, 13 of which were security plugins.

As can be seen below, the results for security plugins were not good, with all but one of those plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security. Then there is the issue of the plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true). [Read more]

1 Oct 2024

One of the Moderators of Reddit’s WordPress Forum Doesn’t Want People to Know About WordPress’ Missing Conflict of Interest Policy

A fundamental issue with WordPress that has long existed, but hasn’t gotten the level of attention it deserves, is the inherent conflict of interest in Matt Mullenweg’s various roles. He isn’t alone in that. The Executive Director of WordPress “also leads Automattic‘s open source division.” Matt Mullenweg, of course, put that person in the role of Executive Director despite the obvious conflict of interest. Despite her obvious conflict of interest, she was going to produce a conflict of interest policy for WordPress, but it was never released. A code of ethics was also never released.

Yesterday, someone posted a link to our post about that on the WordPress Subreddit, /r/wordpress/, which was quickly deleted: [Read more]

30 Sep 2024

Matt Mullenweg Can Hold WordPress Plugin Developers Hostage Too

As part of Matt Mullenweg’s extortion campaign against WP Engine, he blocked WP Engine’s customers from software updates coming from wordpress.org. In an interview he did during the weekend, he wanted to highlight another aspect of this campaign. He had blocked WP Engine from providing updates in the WordPress Plugin Directory to their plugin Advanced Custom Fields (ACF), which is free and has 2+ million installs. That also applied to their other plugins. His comments were, like everything else from him, highly problematic.

He said that “They need to figure out how to get all those people using their own update servers.” It is actually easy, technically, to provide updates for plugins outside of the Plugin Directory. You only need a little bit of code in the plugin and hosting for a file that lists information on the latest version of the plugin, along with the .zip file of the plugin. WP Engine is a major web host, so they could handle serving up the .zip files. Presumably, Matt Mullenweg should be aware of that, as his competing company is in the hosting business as well. The problem is that the WordPress Plugin Directory doesn’t allow you to add the code needed to do that to the plugin. That is spelled out in guideline 8 of the Detailed Plugin Guidelines: [Read more]
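The “little bit of code” referred to above, as an added example written for this page and not code from the post or from any WP Engine plugin: the plugin hooks WordPress’ own update check and points it at a developer-hosted metadata file. The metadata URL, its JSON field names and the package URL are assumptions.

```php
<?php
/*
 * Added example: self-hosted plugin updates via WordPress' update check.
 * Assumed: a JSON file at https://updates.example.com/example-plugin.json of the form
 *   { "version": "2.0.1", "package": "https://updates.example.com/example-plugin-2.0.1.zip", "url": "..." }
 * The hostname, file name and field names are placeholders for this example.
 */
add_filter( 'pre_set_site_transient_update_plugins', 'example_plugin_check_for_update' );

function example_plugin_check_for_update( $transient ) {
    if ( empty( $transient->checked ) ) {
        return $transient; // WordPress has not collected installed versions yet
    }

    $plugin_file = plugin_basename( __FILE__ ); // e.g. example-plugin/example-plugin.php
    if ( ! isset( $transient->checked[ $plugin_file ] ) ) {
        return $transient;
    }
    $installed = $transient->checked[ $plugin_file ];

    $response = wp_remote_get( 'https://updates.example.com/example-plugin.json', array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return $transient; // fail closed: offer no update if the metadata cannot be fetched
    }

    $info = json_decode( wp_remote_retrieve_body( $response ) );
    if ( ! is_object( $info ) || empty( $info->version ) || empty( $info->package ) ) {
        return $transient; // malformed metadata: ignore it rather than guess
    }
    // The .zip is code that will run on the site, so only accept a package served over HTTPS.
    if ( 0 !== strpos( $info->package, 'https://' ) ) {
        return $transient;
    }

    if ( version_compare( $info->version, $installed, '>' ) ) {
        $transient->response[ $plugin_file ] = (object) array(
            'slug'        => dirname( $plugin_file ),
            'plugin'      => $plugin_file,
            'new_version' => $info->version,
            'package'     => $info->package,
            'url'         => isset( $info->url ) ? $info->url : '',
        );
    }
    return $transient;
}
```

WordPress downloads and installs whatever `package` points at without any further verification of its origin, which is why the example refuses non-HTTPS packages and any metadata it cannot fully parse.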

30 Sep 2024

Matt Mullenweg Wants to Be Able to Hold the Security of Your WordPress Website Hostage

Matt Mullenweg’s recent unilateral decision to stop customers of WP Engine from getting updates for the software hosted on wordpress.org has exposed a huge security issue that has long existed with WordPress: one person has control of WordPress’ infrastructure. That is something he has presumably intentionally hidden away, as we noted in a post about the ownership situation of the WordPress website. That is a significant problem when that person also has a large business that competes with others in the WordPress ecosystem.

It would be deeply irresponsible for others in the community to assume this is a one-off situation, looking at the “rationale” he provided. He claimed that WP Engine needed a “trademark license,” despite WordPress not offering trademark licenses (an unrelated entity he controls does). He claimed that WP Engine’s “legal claims and litigation against WordPress.org” caused the block, despite neither of those things being true (they had sent a cease and desist letter targeted at unrelated entities he controls). He also claimed that WP Engine had engaged in “attacks on us,” without specifying who “us” is. They had responded through their lawyers to Matt Mullenweg’s attempted extortion against them. They did not attack anyone. [Read more]

30 Sep 2024

Who Owns The WordPress Website and wordpress.org?

Matt Mullenweg’s extortion campaign against WP Engine has serious security implications, especially over the possibility that access to the WordPress website might be blocked to certain groups, as has now happened, or that it could be shut down entirely. What seems like it should be a simple question to answer is who owns the WordPress website and the related wordpress.org domain name. It turns out there is understandable confusion over that. It is the kind of confusion that Matt Mullenweg seems rather concerned about between WordPress and WP Engine, but also the kind of confusion it turns out he often engages in. It appears that Matt Mullenweg owns those, which we will get into in more detail after looking at the confused information out there.

WordPress Foundation Owns It?

If you were to search Google to try to figure out the answer, the snippet for one of the top results, which is from the Awesome Motive-owned WP Beginner, says “To summarize, WordPress.org and the WordPress trademark are owned by the WordPress Foundation”: [Read more]

30 Sep 2024

Here Is the Extensive License that Automattic Has for the WordPress Trademark

One piece of Matt Mullenweg’s attempted extortion against WP Engine, which has serious security implications, is the WordPress trademark. What hasn’t been clear is what the situation with the trademark is. It is well known that it previously belonged to Matt Mullenweg’s Automattic and now belongs to the WordPress Foundation, which Matt Mullenweg clearly has control over. But beyond that, the extensive nature of Automattic’s ability to use the trademark hasn’t been disclosed by Matt Mullenweg.

Matt Mullenweg announced the transfer of the trademark in September 2010. In his post on his personal website, he made no mention of Automattic still having anything to do with the trademark. In the comments, though, he wrote this: [Read more]

30 Sep 2024

The WordPress Foundation Blog is Written by Automattic Employees

With the ongoing attempted extortion of WP Engine by Matt Mullenweg and the security risks that poses for WordPress, a central issue is Matt Mullenweg’s role in several ostensibly separate entities and his use of his role in one to benefit another. He isn’t the only one with roles across more than one of those. While looking at another aspect of the WordPress Foundation, we noticed that its News blog is being exclusively written by employees of his for-profit company Automattic. Here are the dates and post authors of posts from the last two years for that:

  • June 18, 2024: Julia Golomb
  • April 18, 2024: Julia Golomb
  • February 9, 2024: Reyes Martinez
  • June 29, 2023: Julia Golomb
  • May 10, 2023: Julia Golomb

On the WordPress website, Julia Golomb lists her employer as Automattic and it says that “Automattic sponsors Julia Golomb to contribute 40 hours per week to the Community team.” [Read more]

26 Sep 2024

The WordPress Foundation is Nothing Like the Mozilla Foundation

As part of Matt Mullenweg’s extortion attempt against WP Engine (and with his latest action, the wider WordPress community), he has claimed that there was confusion between WordPress and WP Engine. As many have pointed out, there is much more confusion between WordPress and his company Automattic’s WordPress.com service. That isn’t the only place where there is confusion. Take this recent attempt at an explanation of the structure of WordPress, including the WordPress Foundation:

WordPress’s structure works similar to the Mozilla Foundation, with a small exception that Matt is a majority stake on both sides (Automattic and the WordPress Foundation). Mozilla’s board does have some cross-over between the Foundation and Corporation, but with larger boards that influence is diluted. [Read more]

26 Sep 2024

No Business or Group of Individuals Is Supposed to Benefit From the WordPress Foundation’s Existence

With Matt Mullenweg’s continued expansion of attempted extortion of WP Engine and the security threat posed by that, the WordPress Foundation has come into more focus. Notably, the WordPress Foundation owns the WordPress trademark, but as a letter from Automattic’s lawyers put it, Automattic has “exclusive commercial rights to the world famous WORDPRESS trademark.” Probably connected to what is going on there, in July, the WordPress Foundation filed trademark registrations for MANAGED WORDPRESS and HOSTED WORDPRESS. The foundation doesn’t have any obvious need for those trademarks, since they are not involved in hosting WordPress websites (apart from WordPress’ own website). The question raised, then, is whether the WordPress Foundation is functionally operating as an arm of Matt Mullenweg, and whether that is legal.

Here is how an Automattic employee, writing in a post on the WordPress website about the foundation, explained how the foundation is supposed to operate: [Read more]

25 Sep 2024

Automattic Employees Have Been Posting Highly Suspect Five for the Future Program Stats

Over the past two days, we have noted what appear to be large problems with the pledging of time to the WordPress Five for the Future program. That is important, as the head of WordPress was criticizing a competitor of his for-profit company, Automattic, over their much smaller pledging to that. One thing that we found was that Automattic is pledging time to a group that appears to have been inactive for over two years. We also found that a team with 14 listed members had 338 people pledging contributions to the team. It turns out the divergence between members and pledges can go even higher than the 24 times for that team.

On July 25, an update was put out for the Community team stating that there were 60 people that contributed to the team: [Read more]