14 Jun 2023

Security Review of Brand New WordPress Plugins Still Failing at Basic Level

When new WordPress plugins are submitted to the WordPress Plugin Directory, they are supposed to go through a review first, which includes checking the security of the plugin:

You will get an automated email telling you about the submission immediately. At that point, someone will manually download and review your code. If we find no issues with the security, documentation, or presentation, your plugin will be approved. If we determine there are issues, you will receive a second email with details explaining what needs to be fixed. [Read more]

21 Apr 2023

XWP Sponsors Major Cause of Avoidable Insecurity of WordPress Plugins While Leaving Vulnerabilities in Their Own Plugin

It would be easy to make significant improvements to the security of WordPress plugins available through the WordPress Plugin Directory, but year after year that hasn’t happened. A lot of the blame for that can be placed on major players in the WordPress space that are funding the current team running the plugin directory, who have blocked improvements from happening.

Two of the four members of the plugin directory team work directly for the head of WordPress, Matt Mullenweg. He also has a for-profit company, Automattic, which creates many conflicts of interest. One serious conflict of interest is that his company sells access to data on vulnerabilities in plugins through WPScan, while the plugin directory team has refused to provide that information. What makes the conflicts of interest stand out more is that the team obfuscates the connection between their members and Automattic. [Read more]

28 Sep 2021

Mika Epstein and Samuel “Otto” Wood Block 30,000+ WordPress Websites From Getting Critical Security Update

What continues to be one of the worst aspects of dealing with the security of WordPress plugins is that it would be so easy to get to a much better situation, if not for the people that Matt Mullenweg, the head of WordPress, has empowered to run the WordPress Plugin Directory. There are easy changes that could be made, but they don’t happen because of those people. The absence of one of those changes has been impacting 30,000+ websites using the plugin WP DSGVO Tools (GDPR).

A Recipe for Bad Results

You can tell that something is very amiss with the team running that directory when you see that the team is claimed to have only four people. By comparison, the team running the theme directory has 10 people listed as Team Representatives and Theme Moderators (presumably there are more people below that level). The theme directory is listed as currently having nearly 9,000 themes, while the plugin directory is listed as having about 59,000 plugins, so you would expect the plugin team to be larger, not smaller. It isn’t for lack of interest; instead, they claim they can’t add more members: [Read more]

17 Sep 2021

WordPress Plugin Directory Team Again Allows Incredibly Insecure Plugin in to Directory Despite Doing “Security Review”

Last week we noted that, despite every new WordPress plugin added to the WordPress Plugin Directory supposedly having gone through a manual review first, including a security review, plugins that should never be approved are being approved. A possible explanation for that is that there is a fabulist running the team handling the directory, Mika Epstein, who is claiming to do reviews they are not doing. Fairly prominently on the WordPress website, they claim to have reviewed 46,800 plugins, despite it being hard to believe that is possible for a part-time volunteer:

[Read more]

10 Sep 2021

Does a Fabulist Explain Why The Security Reviews of New WordPress Plugins Are Not Happening?

On August 13th, the WP Tavern, which is owned by WordPress and Automattic head Matt Mullenweg, published a post written by Sarah Gooding that presented an inaccurate view of the state of the security of WordPress plugins. The post was about a report based in part on data from a security company named WPScan, which has been inflating the number of vulnerabilities in WordPress plugins it claims to be aware of. The story didn’t address that inflation, but instead put forward this claim to explain what is actually being caused, at least largely, by that inflation:

Both Wordfence and WPScan claim that the greater number of vulnerabilities reported this year is indicative of the growth of the WordPress ecosystem and a maturing, healthy interest in security. Themes and plugins aren’t getting more insecure over time but rather there are more people interested in discovering and reporting vulnerabilities. [Read more]

13 Aug 2019

WordPress Support Forums Moderators Again Delete Messages Pointing Out Their Behavior is Bad for the WordPress Community

Yesterday we noted how a moderator of the WordPress Support Forum was getting in the way of people looking for help dealing with the exploitation of a fixed vulnerability in the plugin Simple 301 Redirects – Addon – Bulk Uploader. Today, when we went back to the topic that was the source of that post, we found that many of the replies on that topic, including almost all of the ones we had quoted, had been removed. In total, only 3 of the previous 11 replies remained. Some of those removed pointed out how what the moderator was doing was bad for the WordPress community. The moderator’s replies were also removed. You can see the replies as they were at the time of the previous post here and what is there at this moment here. That is in line with the kind of inappropriate behavior by those moderators we have seen for years, which led to us starting a protest against it nearly a year ago.

You can get a better understanding of the mess that is moderation and the related poor handling of the Plugin Directory from the message left earlier today by a moderator, Ipstenu (Mika Epstein), who also leads the six-person team running the Plugin Directory (with our commentary inserted): [Read more]

21 Mar 2019

Hiding That the Head of the WordPress Plugin Directory Mika Epstein Isn’t Making Much Sense Doesn’t Seem Like Proper Forum Moderation

When it comes to fixing the problems with the handling of the security of WordPress plugins, we feel that fixing the moderation of the Support Forum is important, since right now that moderation is used to cover problems up (it doesn’t seem like that is necessarily all that intentional, but it ends up having that effect anyway). One of the problems being covered up is that the people in charge of the Plugin Directory really don’t seem up to the task and seem unable to work with others to try to improve. As an example of that, take something posted on the Support Forum a few days ago that is no longer accessible, but which we saw because of an email alert we have set up to keep track of discussions that might relate to plugin vulnerabilities.

Here is a comment from the head of the Plugin Directory, Mika Epstein, related to someone bringing up a “possible vulnerability” in Advanced Contact form 7 DB: [Read more]

17 Dec 2018

WordPress Plugin Directory Team Close Plugin Due to Fake Vulnerability Report

When it comes to the inappropriate behavior of the moderators of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, that inappropriate behavior often has the effect of covering up problems created by those on the WordPress side of things. Whether they intend to cover things up or not isn’t clear, but the person that appears to be in charge of the moderation, Samuel “Otto” Wood, wears a number of other hats when it comes to WordPress, so there are obvious potential conflict of interest issues. One of the hats he wears is being a member of the six-member team running the Plugin Directory, which screwed up in a fairly obvious way a few days ago involving the plugin CSS & JavaScript Toolbox, and then a moderator shut down the possibility of pointing that out.

If you follow our blog, you might have seen our post on Friday that mentioned a false report of a vulnerability in that plugin and quite a few others. We explained why the reports were false as follows: [Read more]

1 Nov 2018

The Head of the Plugin Directory Mika Epstein Seems Like the One Acting Stupidly Here

When it comes to improving the security of WordPress plugins, the two things that stand out as most needed, and have been for years, are warning people when they are using vulnerable plugins and, for serious vulnerabilities that are likely to be exploited, putting out fixes if the developer doesn’t. The reason that hasn’t happened isn’t, say, a lack of resources: before we suspended doing it last year due to continued bad behavior by people on the WordPress side of things, we were to a large degree single-handedly making sure that plugins with publicly disclosed unfixed vulnerabilities didn’t remain in the Plugin Directory (when we stopped, they started piling up in it). We could easily provide fixes for the vulnerabilities that are likely to be exploited as well. Instead, the reason those things aren’t being done is that the people on the WordPress side, for reasons that don’t make sense, are blocking them from happening.

When we say they don’t make sense, take the claim by the head of the team running the Plugin Directory, Mika Epstein, that you shouldn’t even warn about unfixed vulnerabilities, even if they are being exploited: [Read more]