The WordPress Plugin Directory Team Should Spend Their Time Avoiding Issues Like This Instead of Acting Inappropriately as Forum Moderators
On day two of our full disclosures of WordPress plugin vulnerabilities, which will continue until the inappropriate handling of moderation of the WordPress Support Forum is cleaned up, we disclosed a couple of easily spotted, exploitable vulnerabilities in brand new plugins. As we noted then, that shouldn’t be happening, since there is supposed to be a manual security review as part of a larger manual review of new plugins before they are allowed into the Plugin Directory. Either these reviews are not happening, which seems possible (for a number of reasons), or the security review is failing at a basic level. If it is the latter, we have offered to help improve the process, but we have never been taken up on that.
Part of the problem in all this could be that there are only six people on the team that handles everything related to the Plugin Directory, which seems far too low. They have claimed for at least a year that there are unexplained technical issues preventing them from bringing on more people, which sounds rather odd. Two of the members, though, while they don’t seem to have had time to make sure new plugins don’t introduce those vulnerabilities, do have time to act inappropriately in their role as moderators of the Support Forum, in some instances in a way that gets in the way of actually discussing fixes for problems they have allowed to fester. That seems like a good reason for them to resign, at least from their role as moderators.