Automattic

24 Sep 2024

Automattic’s Matt Mullenweg Basically Admitted on Reddit That He Was Trying to Extort WP Engine

After days of WordPress and Automattic head Matt Mullenweg attacking a competitor of Automattic, WP Engine, there was a response from WP Engine as to what was going on here. That came in the form of a cease and desist letter they released yesterday. In that, the legal counsel for WP Engine, Emanuel Quinn, made this stunning set of claims in the second paragraph of their letter:

Stunningly, Automattic’s CEO Matthew Mullenweg threatened that if WP Engine did not agree to pay Automattic – his for-profit entity – a very large sum of money before his September 20th keynote address at the WordCamp US Convention, he was going to embark on a self-described “scorched earth nuclear approach” toward WP Engine within the WordPress community and beyond. When his outrageous financial demands were not met, Mr. Mullenweg carried out his threats by making repeated false claims disparaging WP Engine to its employees, its customers, and the world. Mr. Mullenweg has carried out this wrongful campaign against WP Engine in multiple outlets, including via his keynote address, across several public platforms like X, YouTube, and even on the WordPress.org site, and through the WordPress Admin panel for all WordPress users, including directly targeting WP Engine customers in their own private WordPress instances used to run their online businesses. [Read more]

18 Sep 2024

WordPress Was Going to Have a Conflict of Interest Policy, It Never Was Released

In March 2021, the Executive Director of WordPress announced that she was planning to put forward a Conflict of Interest Policy as part of a larger Contributor Handbook. In April 2022, she announced the release of two sections of the Contributor Handbook and said that in “coming weeks” a Conflict of Interest Policy and other sections would be released. Later that month, she announced another section and again said that in “coming weeks” a Conflict of Interest Policy would be released. In May 2022, she announced another section and again said that in “coming weeks” a Conflict of Interest Policy would be released.

That was the last announcement they made about the Contributor Handbook. The Conflict of Interest Policy and a promised Code of Ethics policy never materialized. We don’t know what happened, but we do know that the Executive Director of WordPress’ own situation seems like a major conflict of interest. [Read more]

17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restrictions on plugins from automatically installing additional plugins when setting up a plugin. A couple of the major offenders, when it comes to doing that, have chimed in. Unsurprisingly, they are suggesting not stopping that from happening. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins, as well as introducing additional security risk to the websites, as their plugins have had plenty of security vulnerabilities over the years. While looking in to how those players are currently handling that automatic installation, we noticed that a couple of multi-million installs plugins from them are tracking usage without users choosing to opt in, and in the case Awesome Motive’s 3+ Million Install All in One SEO, without disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled: [Read more]

11 Sep 2024

WordPress Continues to Fail to Properly Address Malicious Code Loaded on Thousands of Websites

In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a website to be loaded on to the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]

4 Sep 2024

It’s Very Common For Libraries Used in WordPress Plugins to Not Have a Security Policy on GitHub on How to Report Security Issues

Yesterday, we noted in a post that a third-party library used in a very popular WordPress plugin didn’t have any listed security advisories in its GitHub project despite the developing having acknowledge that a vulnerability had been fixed. What we also noted in passing was that there also wasn’t a security policy provided for the library, which would explain how to report other security issues in the library. You can see that in this screenshot for the library’s Security tab on GitHub:

[Read more]

13 Aug 2024

WordPress Coding Standards is Failing to Warn About Missing Sanitization and Requiring Unnecessary Sanitization

One of the things that our new Plugin Security Scorecard uses to grade the security of WordPress plugins is a subset of the checks from our Plugin Security Checker. The subset is intended to be things that are always a security issue, which should be addressed. While the full set of checks will flag things that could be secure, but often are not secure and need to be checked. That subset involves checking for things you would expect to be issues with certain types of plugins and from certain developers. But the actual results of plugins checked so far tell a different story.

The 5+ million install plugin Wordfence Security has been found to be using “[t]he function filter_input() is used without a filter, so it doesn’t do any filtering.” Similarly, the 100,000+ install Jetpack Protect plugin is found to be using “[t]he function filter_var() is used without a filter, so it doesn’t do any filtering.” That plugin is from Automattic, the company so closely associated with WordPress that it now is not uncommon for WordPress to be seen as an arm of the company. That isn’t the only plugin from Automattic with issues. With the 4+ million install Jetpack and 7+ million install WooCommerce have been found to have both the previously mentioned issues. The threat posed by that would depend on what is done after the filter-less filtering is done, but the filter-less filtering shouldn’t be happening even if there isn’t a larger issue. [Read more]

25 Jun 2024

WooCommerce is Exposing Private Product Information Through Store API

While looking into something related to the now discontinued WooCommerce Blocks plugin from Automattic, we noticed what appeared to be a vulnerability in that. That plugin has long been incorporated into the main WooCommerce plugin and we confirmed the vulnerability exists in the latest version of that plugin. The vulnerability exposes information that isn’t meant to be public about WooCommerce products through the WooCommerce Store API. There are possibly more issues related to that API, as we have only looked into this specific issue so far.

According to the Store API Guiding principles, private data shouldn’t be provided through the API (emphasis theirs): “Store data such as settings (for example, store currency) is permitted in responses, but private or sensitive data must be avoided.” Despite that statement, it doesn’t appear that some basic security reviewing has been done on the code. And it hasn’t been done in years, as the vulnerable code dates back four years. More thoroughly reviewing that needs to be done by Automattic. [Read more]

24 May 2024

CleanTalk Makes Up “Critical” Vulnerability in 100,000+ Install WordPress Plugin

WordPress security providers frequently falsely claim that popular WordPress plugins contain serious vulnerabilities that don’t really exist. One repeat source of those claims is CleanTalk. They recently claimed that the plugin Social Icons Widget & Block by WPZOOM, which has 100,000+ installs, contained “[a] critical security vulnerability” and the “vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity”. They also claimed that “if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back.” In reality, the “attacker” would already have to have complete control of the website and would already be allowed by WordPress to do what is supposed to be the vulnerability.

One critical element in determining the severity of a vulnerability, or if there is even a vulnerability, is what level of access is needed to exploit it. For example, if you need an account on the website, that would usually stop an attacker from exploiting the vulnerability. What is supposed to be the proof of concept for this lacks clear information to determine what level of access is needed, as it states: [Read more]

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

When it comes to the very common occurrence of vulnerabilities in WordPress plugins failing to really be fixed, many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though, one that keeps “your website vulnerabilities up to date” instead of fixing them: [Read more]

2 May 2024

Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability

In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do basic vetting, which they claim to do. Another provider, Patchstack had similarly false claimed that WooCommerce contained that vulnerability. Belatedly, WPScan, which, like WooCommerce, is owned by Automattic, made the same claim. They provided a proof of concept that was supposed to show the exploitation: