13 Oct 2022

Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True

In our monitoring of the WordPress Support Forum for discussions that may involve WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims, made by the WordPress security provider Wordfence through its Wordfence Security plugin, that other WordPress plugins contain vulnerabilities. Here is one such message from Wordfence, quoted in a topic:

The Plugin “WP Affiliate Platform” has a security vulnerability.
Type: Plugin Vulnerable
Critical
Details:
Plugin Name: WP Affiliate Platform
Current Plugin Version: 6.3.8 [Read more]

12 Oct 2022

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on.

As an example of what is happening, take Automattic’s WPScan, which, as can be seen from its Twitter banner image, claims that with them you would “be the first to know about new WordPress vulnerabilities” [Read more]

11 Oct 2022

Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community to the benefit of his business interests. One of those entities is the news outlet the WP Tavern, which, when covering him, doesn’t disclose that it is owned by him and that its writers work for him. That lack of disclosure occurred again with a recent story about one of his employees causing WordPress to hide information useful to competing companies.

In the story, it also wasn’t disclosed that one of the quoted sources, Josepha Haden Chomphosy, is an employee of Matt Mullenweg’s company Automattic; instead she was incompletely described as “WordPress Executive Director”. She was quoted saying that there should be a focus on coopetition mindset in terms of data access: [Read more]

10 Oct 2022

WordPress, Automattic’s WPScan, Patchstack, and CVE Make Mess of Unfixed Vulnerability in WordPress Plugin

The two most recent support forum topics for the 30,000+ install WordPress plugin Kraken.io Image Optimizer are about a claimed security vulnerability in the latest version of the plugin:

[Read more]

7 Oct 2022

Automattic Employees Don’t Appear to Understand What Security Is

The WordPress community is in the midst of a controversy involving a strange, largely unexplained situation. A chart that used to be shown on the Advanced View page for plugins in WordPress’ plugin directory was removed. This is an example of that chart:

[Read more]

5 Oct 2022

Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

As detailed in a more technical post, proactive monitoring we do caught a serious vulnerability, of a type highly likely to be exploited, being introduced into a WordPress plugin this week. By the install count of the plugin, this wouldn’t be all that notable, as the plugin only has 200+ installs. But the plugin, Create Block Theme, comes directly from WordPress:

[Read more]

4 Oct 2022

WordPress is Obfuscating the Connection Between the WordPress Plugin Directory and Automattic

An odd controversy has recently taken up the spotlight in the WordPress plugin developer community: the removal of the Active Install Growth chart from the Advanced View page for plugins in the WordPress Plugin Directory. That chart showed the growth of installs of a plugin over time. This is what it looked like:

[Read more]

30 Sep 2022

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What seems to have started the closure was a claim, made by a competing plugin, Wordfence, of a vulnerability in the plugin.

Here is how Wordfence described the issue: [Read more]

18 Jul 2022

Hacker Exploiting Unfixed Vulnerability in WooCommerce Extending Plugin MultiSafepay

The security of plugins that extend the WordPress ecommerce plugin WooCommerce is often poor, something that the developer of WooCommerce, Automattic, hasn’t taken an interest in addressing. Another part of Automattic claims to provide some protection against that, but isn’t delivering it. Automattic’s WPScan is promoted with this claim:

Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes. [Read more]