24 Sep 2024

Automattic’s Matt Mullenweg Basically Admitted on Reddit That He Was Trying to Extort WP Engine

After days of WordPress and Automattic head Matt Mullenweg attacking WP Engine, a competitor of Automattic, WP Engine responded with its account of what is going on here. That came in the form of a cease and desist letter it released yesterday. In the second paragraph of that letter, WP Engine's outside counsel, the law firm Quinn Emanuel, makes this stunning set of claims:

Stunningly, Automattic’s CEO Matthew Mullenweg threatened that if WP Engine did not agree to pay Automattic – his for-profit entity – a very large sum of money before his September 20th keynote address at the WordCamp US Convention, he was going to embark on a self-described “scorched earth nuclear approach” toward WP Engine within the WordPress community and beyond. When his outrageous financial demands were not met, Mr. Mullenweg carried out his threats by making repeated false claims disparaging WP Engine to its employees, its customers, and the world. Mr. Mullenweg has carried out this wrongful campaign against WP Engine in multiple outlets, including via his keynote address, across several public platforms like X, YouTube, and even on the WordPress.org site, and through the WordPress Admin panel for all WordPress users, including directly targeting WP Engine customers in their own private WordPress instances used to run their online businesses. [Read more]

24 Sep 2024

Who Is on the WordPress Foundation Board?

With the recent drama surrounding Matt Mullenweg's extortion attempt against WP Engine, and the legal action that may result from it, the WordPress Foundation has been getting more attention. There is fairly little information available on the foundation and a lot of understandable confusion over it. Its homepage gives this explanation for its existence (emphasis in original):

The point of the foundation is to ensure free access, in perpetuity, to the software projects we support. People and businesses may come and go, so it is important to ensure that the source code for these projects will survive beyond the current contributor base, that we may create a stable platform for web publishing for generations to come. [Read more]

24 Sep 2024

The WordPress Plugin Review Team Has Only 14 Members, but 338 People Are Claiming to Be Involved in the Team

If you want to take a favorable view of the criticism of WP Engine by the head of WordPress, Matt Mullenweg, he was concerned about how much they are giving back to WordPress (the way WP Engine's lawyer portrays it, it sounds like extortion). To make that case, he cited the disparity between the time WP Engine pledges to WordPress through the Five for the Future program and the time his company pledges. As we noted yesterday, that company, Automattic, claimed to be pledging time to a team that appears to have last been active over two years ago. They were not alone, as there were 331 pledges for that team, and many of them didn't look legitimate. That turns out to be a wider issue.

The Plugin Review Team, which is supposed to be handling the security of the WordPress Plugin Directory, among other tasks, currently has 14 listed members: [Read more]

23 Sep 2024

Is Automattic Really Contributing 3,950 Hours Per Week to WordPress?

On Sunday, the head of WordPress, Matt Mullenweg, used the WordPress blog to attack a competitor of his company, Automattic. That would seem like a conflict of interest, but as we noted last week, WordPress never released the conflict of interest policy that it announced in 2021 and 2022 was coming. That post followed his attacks on the same competitor at WordCamp US and on his personal blog. One point of contention was covered this way on yet another Matt Mullenweg outlet, the WP Tavern:

To make his point, Mullenweg compared the Five For the Future contributions from Automattic and WP Engine, a competitor of similar size. Automattic contributes 3,786 hours per week, while WP Engine contributes just 47. [Read more]

19 Sep 2024

Microsoft Copilot Doesn’t Provide Accurate Information on Known Vulnerability in WordPress Plugin

AI has gotten a lot of attention for what it might mean for security, as well as for just about everything else. We were curious to see how an AI chatbot would handle processing public information about the security of WordPress plugins and whether it would correctly warn that a plugin was known to be vulnerable. Our quick test involved Microsoft Copilot, which is accessible through Microsoft's Bing search engine. We asked if the TablePress plugin was vulnerable. A web search could pull up our security scorecard for the plugin, which notes that, as of when it was checked in August, the plugin was known to be vulnerable.

The results, which can be seen in full below, were interesting and not exactly surprising to anyone who takes a poor view of AI chatbots. In the four question conversation (that was a limit set by Microsoft), Copilot identified two different vulnerabilities as being the latest vulnerability in the plugin. It cited what doesn’t appear to be a reliable source for part of that. It also seems possible that the cited source is itself AI generated. The most problematic part of the response was the BS. It claimed a vulnerability had existed in version 2.3.1 of the plugin and been fixed in the next version, 2.3.2. Its next response claimed the vulnerability had existed in version 2.4.1 of the plugin and been fixed in the next version, 2.4.2. The cited source matched the first set of versions mentioned. [Read more]

18 Sep 2024

Fork of a Fork, the Complicated History of a Library in a WordPress Plugin

As we work to expand the capabilities of our new Plugin Security Scorecard, one of our focuses is providing better security information on libraries included in plugins. That has led to us finding plugins using vulnerable libraries. In the case of one of those libraries, the plugins using it still have not been updated to a newer version since we reached out to their developers. Looking into a library included in a security plugin, we found that libraries can have complicated histories. In this case, the library was copied from a copy of another library, and the middle link in that chain has since been abandoned.

The library in the plugin is listed by GitHub as being a fork of another library: [Read more]

18 Sep 2024

WordPress Was Going to Have a Conflict of Interest Policy, It Never Was Released

In March 2021, the Executive Director of WordPress announced that she was planning to put forward a Conflict of Interest Policy as part of a larger Contributor Handbook. In April 2022, she announced the release of two sections of the Contributor Handbook and said that in “coming weeks” a Conflict of Interest Policy and other sections would be released. Later that month, she announced another section and again said that in “coming weeks” a Conflict of Interest Policy would be released. In May 2022, she announced another section and again said that in “coming weeks” a Conflict of Interest Policy would be released.

That was the last announcement they made about the Contributor Handbook. The Conflict of Interest Policy and a promised Code of Ethics policy never materialized. We don’t know what happened, but we do know that the Executive Director of WordPress’ own situation seems like a major conflict of interest. [Read more]

17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restrictions on plugins automatically installing additional plugins during setup. A couple of the major offenders, when it comes to doing that, have chimed in. Unsurprisingly, they are suggesting that it not be stopped. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins, and it also introduces additional security risk to the websites, as their plugins have had plenty of security vulnerabilities over the years. While looking into how those players are currently handling that automatic installation, we noticed that a couple of multi-million-install plugins from them are tracking usage without users choosing to opt in, and in the case of Awesome Motive's 3+ million install All in One SEO, without even disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled: [Read more]
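As an added illustration, and not code from this page, from All in One SEO, or from the Plugin Directory guidelines themselves, the following shows the difference between usage tracking that is quietly on by default and tracking that stays off until an administrator has been told what is collected and has explicitly opted in. The option name, cron hook, endpoint URL and payload fields are all assumptions made for the example.

```php
<?php
/*
 * Added example: two ways a plugin can wire up usage tracking.
 * Nothing here is from the page or from any real plugin; the option
 * name, cron hook, endpoint and payload are made up for illustration.
 */

// --- Problematic: tracking is on unless the administrator finds and disables it ---
// get_option() returns the supplied default when the option was never saved,
// so a fresh install phones home without the administrator ever seeing a choice.
function example_tracking_enabled_bad() {
    return (bool) get_option( 'example_usage_tracking', true );
}

// --- Opt-in: tracking is off until an explicit, saved "1" enables it ---
// An absent option (get_option() returns false) means "not yet asked", '0' means
// "declined", and '1' means "allowed". Only '1' ever enables sending.
function example_tracking_enabled_good() {
    return '1' === get_option( 'example_usage_tracking' );
}

// Tell the administrator exactly what would be collected and let them decide.
// The notice only appears while no decision has been recorded either way.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) || false !== get_option( 'example_usage_tracking' ) ) {
        return;
    }
    $allow = wp_nonce_url( admin_url( 'admin-post.php?action=example_tracking_choice&choice=1' ), 'example_tracking_choice' );
    $deny  = wp_nonce_url( admin_url( 'admin-post.php?action=example_tracking_choice&choice=0' ), 'example_tracking_choice' );
    echo '<div class="notice notice-info"><p>';
    echo esc_html__( 'Example Plugin can send anonymous usage data (plugin version, WordPress version, PHP version, a hash of the site URL) to its developer once a week. Nothing is sent unless you allow it.', 'example' );
    echo ' <a href="' . esc_url( $allow ) . '">' . esc_html__( 'Allow', 'example' ) . '</a> | ';
    echo '<a href="' . esc_url( $deny ) . '">' . esc_html__( 'No thanks', 'example' ) . '</a>';
    echo '</p></div>';
} );

// Record the choice. Capability check plus nonce check so a crafted link cannot
// opt a site in on the administrator's behalf.
add_action( 'admin_post_example_tracking_choice', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_tracking_choice' );
    $choice = ( isset( $_GET['choice'] ) && '1' === $_GET['choice'] ) ? '1' : '0';
    update_option( 'example_usage_tracking', $choice );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

// The sender re-checks the opt-in flag every time it runs, so turning the option
// off later stops the reports without having to unschedule the cron event.
add_action( 'example_weekly_usage_report', function () {
    if ( ! example_tracking_enabled_good() ) {
        return;
    }
    wp_remote_post( 'https://telemetry.example/collect', array( // assumed endpoint
        'timeout'  => 5,
        'blocking' => false,
        'body'     => array(
            'plugin_version' => '1.0.0',
            'wp_version'     => get_bloginfo( 'version' ),
            'php_version'    => PHP_VERSION,
            'site_hash'      => hash( 'sha256', home_url() ),
        ),
    ) );
} );

// Schedule the weekly event on activation and clean it up on deactivation
// (assumes this file is the plugin's main file).
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( 'example_weekly_usage_report' ) ) {
        wp_schedule_event( time(), 'weekly', 'example_weekly_usage_report' );
    }
} );
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( 'example_weekly_usage_report' );
} );
```

The two things to look for when reviewing a plugin for this are the default value handed to `get_option()` (or an equivalent) for the tracking flag, and whether the first network request happens before the administrator has been shown any choice. A settings-page checkbox that is pre-ticked, or an option whose default is true, is "on by default" no matter how the settings page describes it.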

17 Sep 2024

WordPress Plugin Security Review: Two Factor

Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for Two Factor. That plugin is now also one of the plugins covered by our new Continuous WordPress Plugin Security Review service, which identifies whether updates to a plugin have introduced new security issues after we have completed a review of it.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service who haven't yet suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our main service. [Read more]

16 Sep 2024

WordPress Lacks Method to Verify That Plugin Is Truly a First-Party (Canonical) Plugin

First-party WordPress plugins are not a new idea. Here is a post about the head of WordPress, Matt Mullenweg, talking about them, referring to them as canonical plugins, in 2009. And doing so again in 2022. Despite that, there still isn't a clear indication, or a verification method, that such plugins truly come from WordPress. There isn't even consistent labeling of those plugins. You probably wouldn't guess that the plugin Two-Factor is from WordPress, as it is listed as being by "Plugin Contributors":

[Read more]