13 Jan 2025

New Executive Director of WordPress.org Now Credited as Author of Automattic’s Post Announcing Company’s Reduction in WordPress Contributions

Last week, Automattic announced that they would be reducing how many hours they claim to contribute to the WordPress project under the Five for the Future program. (The accuracy of the Five for the Future pledges in general seems highly suspect.) At the time, the post didn’t have an author shown, but ended “– The Automattic Team.” Since then, the design of Automattic’s website has been updated, causing the credited author of the post to be displayed. You can now see it is listed as Mary Hubbard:

10 Jan 2025

The New Executive Director of WordPress.org is Now Claiming to Only Spend 5 Hours a Week on WordPress

When it comes to the security problems with WordPress plugins, as well as many other problems with WordPress, the project’s lack of proper governance is a key problem. In addition to Matt Mullenweg, the only person that appears to have an oversight role for the project has been the Executive Director of WordPress. That hasn’t produced good results.

While not disclosed by Matt Mullenweg when he announced the position, the first holder of the position was the head of the open source division of Automattic, Matt Mullenweg’s company. The obvious conflict of interest might explain why that person never released the conflict of interest policy they promised for over a year. That person held the position from 2019 until September, when Matt Mullenweg offered a buyout to Automattic employees after his extortion campaign against WP Engine went public. They unsurprisingly operated largely in line with what you would expect from someone who is an employee of Automattic and happens to hold that title.

10 Jan 2025

Automattic Employee Changed WordPress Plugin Directory Search Algorithm to Promote Automattic’s Jetpack Plugin

As part of working on our Plugin Security Scorecard last year, we spent a fair amount of time using the search functionality of the WordPress Plugin Directory. Through that, we again and again ran across search results that prominently featured plugins with high install counts that were not relevant to the search, while relevant plugins were sometimes buried later in the results.

One of the examples where you can see that happening is a search for “translation”, which has, as its fourth result, a backup plugin with 3+ million installs:

3 Jan 2025

Matt Mullenweg’s Lawyers Claim WordPress News Blog Posts “Lack the Characteristics of Typical Fact-Based Documents”

Once you log in to the backend of a WordPress website, one of the things you then see by default is a widget showing the latest WordPress “News.” What you actually get is very different. Late last year, you would have seen a promotion for the WordPress.com service:

3 Jan 2025

Locking Down Security With WooCommerce Plugins Involves Assessing Its Security, Not Unrelated Things Like When It Was Last Updated

We just soft launched a new option for searching for WordPress plugins. As part of making sure we produced the best tool we can, we revisited another option launched last year, Ploogins, which we mentioned back in September. While looking more into that, we ran across a post from the company behind it promoting it, while giving some really bad advice on assessing the security of plugins that extend WooCommerce. Here is the most relevant portion:

Locking Down Security

Security is a big deal. A bad plugin can open the door to hackers, malware, and other nasty stuff. Here’s how to keep your site locked tight:

20 Dec 2024

Matt Mullenweg Finally Claims on WordPress.org That He Owns It, While Making False Claims About Volunteers and His Legal Problems

Since Matt Mullenweg started trying to extort WP Engine, the issue of who owns and controls the website for WordPress, WordPress.org, has come up again and again. Curiously, Matt Mullenweg has claimed in various locations that he personally owns and controls it, while not disclosing that on the website itself. For example, on September 25 he wrote on the News blog on the website, “What I will tell you is that, pending their legal claims and litigation against WordPress.org,” despite there being no legal action threatened against WordPress.org (it was threatened against him). By comparison, in an October 4 story from The Verge, he claimed “WordPress.org just belongs to me personally.” That changed in a post today on the News blog of the WordPress website, where he stated “but also me individually as the owner of WordPress.org.”

The About page of the website still reads as if the website is for the WordPress project, instead of being his personal website as he claims elsewhere.

18 Dec 2024

WordPress Plugin Review Team Security Reviewer Chris Christoff is Failing to Address Vulnerabilities in Awesome Motive’s Plugins

Last week we released an advisory warning people to avoid plugins from Awesome Motive due to their repeated inability or unwillingness to fully fix security issues and vulnerabilities in their plugins. One aspect that is so striking about their failure to do that is that Awesome Motive has a chief security officer. How can you have such bad security in that situation? One explanation would be that someone unqualified was simply given that title. We have seen plenty of instances of just such a situation in the security space over the years. A problem with that explanation is that the CSO, Chris Christoff, is the Security Reviewer on the WordPress Plugin Review Team. We don’t know what he actually does on that team, but throughout his tenure the team has shown a lack of ability to properly review the security of plugins (something we tried unsuccessfully to address with Awesome Motive).

After releasing that advisory, we then needed to compile a list of all of Awesome Motive’s plugins so that we could add a warning for them to the various ways our advisory data is distributed. That isn’t exactly easy, as Awesome Motive is notably not upfront on the WordPress Plugin Directory about which plugins are theirs. The team that runs the directory, the previously mentioned WordPress Plugin Review Team, could address that, but hasn’t.

16 Dec 2024

Ars Technica’s Dan Goodin Doesn’t Do Journalism and Instead Makes Up Override Mechanism Existing for WordPress Plugin Directory

As far as we are aware, Ars Technica is considered a reliable news outlet. That is despite having someone covering security, Dan Goodin, who has a long track record of making things up and generally not doing journalism. Unlike other “security journalists” who appear to have no academic background, according to his bio he has a Masters of Journalism from UC Berkeley.

In a recent story on a hacking campaign that involves a known problem with the WordPress Plugin Directory, he made this claim:

16 Dec 2024

Wordfence and WPScan Falsely Claim Closed WordPress Plugin Contains Serious Vulnerability

We are currently looking into yet another problem with the handling of security by Awesome Motive and the Security Reviewer from the WordPress Plugin Review Team. In doing that, we ran across another example of the incredibly sloppy work done by prominent providers of data on vulnerabilities in WordPress plugins.

In January, the WordPress plugin SimpleMap Store Locator was closed on the WordPress Plugin Directory for an unspecified “security issue.”

16 Dec 2024

WordPress Plugin Developer Security Advisory: ThemeHunk

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across plugins. Instead, many developers properly secure their plugins, and others get them properly secured when alerted that they haven’t done so. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of using those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website.