A core problem with the handling of security issues in WordPress plugins is the team running the Plugin Directory, who have shown themselves not to be up to the task of handling the role they are in. Part of that involves an inability to work with others to fix the problems the team is causing. That seems in part due to a belief that they have capabilities they don’t. You can get a taste of that from the bio of one of the members, which reads in part:
If you want to better understand what is amiss with the moderators of the WordPress Support Forum, which seems to go a long way toward explaining the inappropriate behavior that led us to start fully disclosing vulnerabilities in plugins (and to only notify the developer of the plugin about the disclosures through the forum) until that is cleaned up, looking at their response to that protest seems instructive.
When it comes to our full disclosure of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum moderators, we are certainly not above being criticized, and any protest should be expected to have critics, but what we have found is that people are frequently criticizing us for things that are not close to true. For example, today during an email conversation with the developer of a plugin who incorrectly believed we had falsely claimed their plugin contained a vulnerability (and threatened to sue us over that), they wrote this in regard to our reason for fully disclosing that vulnerability:
When it comes to the problems with the moderation of the WordPress Support Forum that led us to begin fully disclosing vulnerabilities until that inappropriate behavior is cleaned up, there has been a continuing strange situation where people are mixing up cause and effect, somehow believing that we started our protest because we were banned from the Support Forum for our protest, which obviously makes no sense. The person who seems to be at the heart of that mix-up is the person in charge of the moderation of the Support Forum, Samuel “Otto” Wood, who also believes that “magic wizards” discover exploitable vulnerabilities in WordPress plugins.
When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:
On October 29th we detailed a vulnerability that had been fixed in the plugin AMP for WP – Accelerated Mobile Pages and started warning our customers if they were using a vulnerable version. What made this problematic was that while there was a fixed version available, since the plugin was closed, people could not use the normal update process in WordPress to update to it (though we were available to help our customers do that).
Where we first saw indications that something was very amiss with the moderation of the WordPress Support Forum was when a reply from someone who was simply thanking us for answering a question they had was deleted. It didn’t make any sense to delete that, and it went against what people were being told as to the limited circumstances under which things would be deleted from the forum: