On Friday we noted that the moderators of the WordPress Support Forum were getting in the way of people trying to discuss dealing with being hacked due to a vulnerability that had been in the plugin WP Live Chat Support. Looking again yesterday showed that this has continued. Here is one topic that was closed without any explanation of why. Another was closed because someone mentioned they were using a pro version of the plugin, even though the issue the person was bringing up was caused by the vulnerability being exploited, which has nothing to do with a pro version. Someone could have pointed that out to the moderator who closed it, if they hadn’t closed the topic (not surprisingly, the problematic moderator there was once again Jan Dembowski).
On Wednesday Sucuri disclosed a settings change vulnerability, which leads to persistent cross-site scripting (XSS), that they had discovered in the WordPress plugin WP Live Chat Support, after it was partially fixed earlier that day. That same day we warned our customers about the vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (along with several other plugins), so we expected that it wouldn’t be long until public reports of it being exploited cropped up.
A few hours ago a topic on the WordPress Support Forum started up with people discussing that they had been hacked and trying to understand what was going on. Like clockwork, the moderators of the Support Forum started causing problems. Numerous replies have been deleted, many of them without any apparent reason, and then the topic was closed. One of the moderators we have frequently seen causing problems (and we are not the only ones who believe they have serious issues, which should probably preclude them from being in that role) explained the closure this way:
When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us full disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, whom we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it came to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:
Hi,
When it comes to the mess that is the moderation of the WordPress Support Forum, a central problem is that the moderators seem unwilling to allow people to discuss things that disagree with their beliefs. For example, last week we mentioned how at first replies were deleted and then a whole topic was closed when people put forward the idea that people shouldn’t be left in the dark about closed plugins. The moderator who seems to be at the heart of that was the frequently problematic Jan Dembowski, who doesn’t believe that even asking about closed plugins is a valid support question (which we still don’t understand).
That same moderator popped up a couple of times in the last week in the email alerts we use to monitor the forum for discussions about security issues, and both instances highlighted that these moderators are not thinking through what they are saying and doing. That is a big problem when they stop discussions that could help avoid unnecessary hacks of WordPress websites caused by the poorly thought out actions of the WordPress Plugin Directory team (as occurred recently with the plugins WP GDPR Compliance and AMP for WP).
While we are already far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability in a plugin was exploited, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether that looks to have been due to a vulnerability.
This week three of those plugins were closed and then reopened. One of the three was closed due to a vulnerability and another was closed due to the security of the plugin, though there don’t appear to be any vulnerabilities related to that. That two thirds of those closures were for security issues is out of line with a broader claim made just today by a member of the team that handles the Plugin Directory, who claimed that “most of the time when a plugin is delisted, it is not for a security issue.”
In protest of the continued inappropriate behavior by the moderators of the WordPress Support Forum, just over a month ago we started full disclosing vulnerabilities until the moderation is cleaned up. So far it hasn’t caused them to change their behavior (apparently continuing to act inappropriately is the only thing they care about, considering they haven’t even bothered to notify the developers of those vulnerabilities). In the meantime we have continued to run into more examples of them bizarrely getting in the way of the WordPress community.
We haven’t been alone in having run-ins with one of those moderators, Jan Dembowski, acting bizarrely.
Last week we discussed the hiding of pertinent information when WordPress plugins are closed on the Plugin Directory for “security issues”, in relation to a plugin named Testimonial Slider. Since that post, the support topic that first drew us to that has gotten a response from one of the six members of the team running the Plugin Directory (that person, it turns out, is also in control of the moderation of the Support Forum):
Does it matter? It is insecure, and not being updated any longer.
When it comes to the inappropriate behavior by the moderators of the WordPress Support Forum, which has led to us doing full disclosures of WordPress plugin vulnerabilities until that gets cleaned up, it is amazing how much of it is just downright bizarre.
One of the ways that we keep track of vulnerabilities in WordPress plugins for our service is by monitoring the WordPress Support Forum for related topics. What we have seen is that, unfortunately, it often isn’t a place where people with security issues can get real help; instead it is used by the moderators of the forum to promote hiring certain security companies. Occasionally we have attempted to provide some help, but that has been severely hampered by the moderators (a situation that apparently has occurred for others as well).