When do a lot to improve the security of WordPress websites through the work we do on the security of WordPress plugins for our service (in all likelihood we do more than all the other security companies with a WordPress focus combined). Unfortunately what we have found is that people on the WordPress side of things seem more interested in covering up problems related to the security of plugins (and promoting security companies that are making WordPress websites less secure) than actually working with others, like us, to improve them.
In response to part of that problematic behavior, we started full disclosing vulnerabilities in WordPress plugins until such time that the moderators on the WordPress Support Forum stopped acting inappropriately. Through that on January 11 we full disclosed a remote code execution (RCE) vulnerability that has been introduced in to the plugin MailPress, which was closed on the Plugin Directory at the time. We spotted that vulnerability through our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins. As part of our full disclosure process we tried to notify the developer of the issue through the WordPress Support Forum, but that message got deleted by the moderators. You might think that while deleting that they would at least make sure that something was done about the vulnerability, but as we already said, they and others on the WordPress side of things are more interested in covering up problems than fixing them. [Read more]