21 May

Being Proactive About the Security of WordPress Plugins You Use Can Pay Off Big Time Down the Road

On Friday we noted that the moderators of the WordPress Support Forum were getting in the way of people trying to discuss dealing with being hacked due to a vulnerability that had been in the plugin WP Live Chat Support. Looking again yesterday showed that this has continued. Here is one topic that was closed without any explanation of why that even happened. Another one was closed because someone mentioned they were using a pro version of the plugin, even though the issue the person was bringing up was caused by the vulnerability being exploited, which has nothing to do with a pro version. Someone could have pointed that out to the moderator that closed it, if they hadn’t closed the topic (not surprisingly, the problematic moderator there was once again Jan Dembowski).

[Read more]

17 May

WordPress Support Forum Moderator Jan Dembowski Gets in the Way of People Dealing With Hacks Due to WP Live Chat Support

On Wednesday Sucuri disclosed a settings change vulnerability that leads to persistent cross-site scripting (XSS), which they had discovered in the WordPress plugin WP Live Chat Support, after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn’t be long until public reports of it being exploited would crop up.

[Read more]

20 Mar

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, who we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it comes to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:

[Read more]

07 Dec

WordPress Support Forum Moderator Thinks Hiding Security Issues is a Bad and Good Idea at the Same Time

When it comes to the mess that is the moderation of the WordPress Support Forum, a central problem is that the moderators seem to be unwilling to allow people to discuss things that disagree with their beliefs. For example, last week we mentioned how at first replies were deleted and then a whole topic closed when people put forward the idea that people shouldn’t be left in the dark about closed plugins. The moderator that seems to be at the heart of that was the frequently problematic Jan Dembowski, who doesn’t believe that even asking about closed plugins is a valid support question (which we still don’t understand).

[Read more]

30 Nov

Closures of Very Popular WordPress Plugins, Week of November 30

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

[Read more]

05 Nov

More of WordPress Support Forum Moderator Jan Dembowski’s Bizarre Handling of People Trying to Deal With Closed Plugins

In protest of the continued inappropriate behavior by the moderators of the WordPress Support Forum, just over a month ago we started fully disclosing vulnerabilities until the moderation is cleaned up. So far it hasn’t caused them to change their behavior (apparently continuing to act inappropriately is the only thing they seem to care about, considering they haven’t even bothered to notify the developers of those vulnerabilities). In the meantime we have continued to run into more examples of them bizarrely getting in the way of the WordPress community.

[Read more]

17 Oct

Making Sense of WordPress’ Inability To Be Consistent When it Comes To Warning About Insecure Plugins

Last week we discussed the hiding of pertinent information when WordPress plugins are closed on the Plugin Directory for “security issues” in relation to a plugin named Testimonial Slider. Since that post, the support topic that first drew us to that has gotten a response from one of the six members of the team running the Plugin Directory (that person, it turns out, is also in control of the moderation of the Support Forum):

[Read more]

25 Sep

WordPress Support Forum Moderators Stop People from Getting Help So They Can Promote Favored Security Companies

One of the ways that we keep track of vulnerabilities in WordPress plugins for our service is by monitoring the WordPress Support Forum for related topics. What we have seen is that, unfortunately, it often isn’t a place where people with security issues can get real help; instead it is used by the moderators of the forum to promote hiring certain security companies. Occasionally we have attempted to provide some help, but that has been severely hampered by the moderators (a situation that apparently has occurred for others as well).

[Read more]