13 Dec 2024

WPScan Ignores That Security Issue From Website of Their Boss, Matt Mullenweg, Played Vital Role in WordPress Websites Being Hacked

Two days ago, a news story about WordPress websites being hacked was published under the title “Hunk Companion WordPress plugin exploited to install vulnerable plugins.” The last part of that title is important, but it was largely ignored in the story. The only mention of it was that “While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console.” That plugin was closed on the WordPress Plugin Directory on October 21.


12 Dec 2024

Matt Mullenweg Claims WordPress is Meritocracy Where Ideas Can Be Debated While Banning People Who Disagree With Him

In a post yesterday, we covered that those in charge of WordPress didn’t know how people could appeal being banned from WordPress. That came during a question and answer stream with the new Executive Director of WordPress.org, who wasn’t selected by the community, but was instead hired by Matt Mullenweg’s company Automattic to fill that role. Similarly, the previous person in that role (under the title Executive Director of WordPress) was an Automattic employee in charge of the Automattic team that was involved in WordPress. The new Executive Director had so little involvement with WordPress before being named to the role that her account on the website was created the same day she was announced for the role. Matt Mullenweg didn’t acknowledge their employment with Automattic when announcing them in that role. WordPress is far from a meritocracy.

In a recent article on the “culture of fear” inside WordPress, the banning of community members was mentioned several times, including in this paragraph:

11 Dec 2024

WordPress Plugin Developer Security Advisory: Awesome Motive

One of the little understood realities of security issues with WordPress plugins is that the insecurity is not evenly spread across those plugins. Instead, many developers properly secure their plugins, and others get them properly secured when alerted that they haven’t done so. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website.

11 Dec 2024

People in Charge of WordPress Don’t Know How Someone Can Appeal Being Banned from WordPress.org

Recently, the new Executive Director of WordPress.org, Mary Hubbard, did a question and answer Zoom stream with Matt Mullenweg. WordPress focused news outlets covered this in a rather unquestioning way (no surprise, considering the general lack of journalism from them). Watching it, her and others’ inability to answer a question pertinent to what is going on with WordPress was unsurprising to us, but informative for those not familiar with the lack of proper governance of WordPress.

At the 25:35 mark in the stream, she reads a question about “long term contributors have been banned, blocked from WordPress.org” that “has significant implications for the employees to contribute to Five for the Future.” She goes on to say that this has come up in recent conversations. She then starts to say there is an appeal process, but pivots to saying she thought there was one. She then throws it to Felipe Santos, another employee of Automattic, who suggests contacting dpo@wordpress.org. That email address is listed on the WordPress.org Privacy page as being what to contact if you “have any questions about our privacy policy or information we hold about you.” He then says:

11 Dec 2024

The WordPress Plugin Directory Is Permitting Awesome Motive to Obfuscate Their Connection to WordPress Plugins

As part of our effort to create a better understanding in the WordPress community of the handling of security by the developers of plugins through our new Plugin Security Scorecard, we are trying to collate graded plugins from the same developers. That turns out not to be easy with some of the most prolific developers and it appears intentional on the part of at least one of them.

Awesome Motive doesn’t appear to have a good reputation in the WordPress community, at least to the extent that people are willing to mention their name at all. There is what could be called a toxic positivity in the WordPress community, where only positive things are allowed to be said. So Awesome Motive is often mentioned without mentioning their name. Here was someone willing to name them when talking about one of their many problematic behaviors.

10 Dec 2024

Matt Mullenweg Shuts Down Conversation on Addressing His Employees’ Abusive Behavior Towards WordPress Community

Recently, the new Executive Director of WordPress.org, Mary Hubbard, did a question and answer Zoom stream with Matt Mullenweg. WordPress focused news outlets covered this in a rather unquestioning way (no surprise, considering the general lack of journalism from them). Watching it, a question and the lack of an answer stood out that wasn’t covered by those news outlets. Mary Hubbard read this question (at the 30 minute mark of the stream):

I would love to see WordPress and A8C [Automattic] make a move towards more professional communication. Those are rough edges, like Otto and Felipe, that sometimes come off as too aggressive of community members. Do you plan on recruiting volunteers with communication experience?

10 Dec 2024

WordPress Plugin Security Won’t Improve as Long as Plugin Developers Can Be Irresponsible With Security

When security vulnerabilities are discussed, the term responsible disclosure often comes up. It is a rather perverse term, since responsible disclosure is based on the idea that software developers do not have to be responsible for security. With responsible disclosure, software developers can continually introduce security vulnerabilities into their software. They are only being irresponsible if they don’t fix vulnerabilities once they are notified of them. Even that is overstating things, as software developers don’t face any long term consequences if they don’t do that. The party that does face potential consequences are those disclosing vulnerabilities, if they haven’t done things to someone else’s satisfaction. It is impossible to avoid that, because people have incompatible views of what responsible disclosure is. For example, we had a developer criticize us for ever disclosing a vulnerability, saying responsible disclosure means only disclosing it to the developer. That runs directly against the disclosure part of responsible disclosure.

Software developers’ responsibilities are put on others in additional ways. We were recently contacted by someone wanting us to provide them with free help dealing with the aftereffects of their website being hacked, which they attributed to WordPress plugins from a major WordPress plugin developer. Or more accurately, they believed the plugins were responsible for the hack. That was despite them paying the plugins’ developer a significant amount for support for those plugins.

9 Dec 2024

Wordfence and “News” Outlets Recommend Updating WordPress Plugin to Version Still Known to be Vulnerable

What we see over and over is that WordPress security providers and supposed journalists are focused on getting themselves attention while failing to provide useful information that would make WordPress websites more secure. A recent example involved (once again) Wordfence. As usual, they were using a vulnerability in a plugin to promote themselves:

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

9 Dec 2024

Automattic Isn’t Sponsoring 3,500 Hours a Week to the Maintenance of WordPress.org

While WordPress is an open source project, there is so much that isn’t open and transparent about it. That includes one team that largely operates anonymously, seemingly to avoid people being able to identify individuals taking harmful actions, and it includes a security team (or teams) where even basic details are a mystery. We also still don’t have a clear picture of who is managing and paying for the WordPress website. That is an obvious concern with everything that has been happening recently involving Matt Mullenweg’s campaign against WP Engine. One thing we can say with good certainty is that Automattic isn’t sponsoring its employees to spend 3,500 hours a week maintaining the WordPress website, as some people have been mentioning recently.

The confusion over this seems to be based on a declaration made in the legal case between Automattic/Matt Mullenweg and WP Engine. In the declaration, an Automattic employee stated:

9 Dec 2024

The Executive Director of WordPress.org Works For Automattic, Not WordPress

Back in 2019, Matt Mullenweg announced a new role, the Executive Director of WordPress, without disclosing that the role was being filled by someone working for his for-profit company Automattic. When that person was brought up after that, it was rarely mentioned that they worked for Automattic, despite the obvious conflict of interest inherent in the situation. That conflict of interest might explain why WordPress never got the conflict of interest policy that person said was coming.

That lack of disclosure continued when Matt Mullenweg announced that person’s replacement, under the slightly changed title of Executive Director of WordPress.org, in October. Considering how clear it has become recently that Matt Mullenweg has been intentionally obscuring the control of WordPress and the intermixing of different entities, you might reasonably expect that journalists would be careful about accuracy on things like this. That continues to not be the case.