10 Dec 2021

WordPress Forum Moderators Again Stop WP Community From Helping Each Other Deal With Hacked Sites

On Monday, a serious vulnerability was fixed in the WordPress plugin PublishPress Capabilities, which we detailed for customers on Tuesday (we also warned about a less serious vulnerability the same day). On Wednesday, the vulnerability was widely exploited.

That is a situation that could have largely been avoided by the WordPress plugin team, if they had automatically updated the plugin before the exploitation happened, instead of after (or by websites enabling WordPress to automatically update plugins). Instead, what WordPress did through the team running their support forum (which is led by one of two people that also control the plugin team) was to shut down and largely delete the discussion where users were helping each other deal with the hacked websites. [Read more]

7 Dec 2021

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in PublishPress Capabilities

Based on the level of insecurity we found while looking into the details of a serious vulnerability being fixed in version 2.3.1 of the WordPress plugin PublishPress Capabilities, we started checking for other security issues and quickly found another vulnerability. The plugin doesn’t check for a valid nonce when making changes on the plugin’s Admin Features page.

What makes that vulnerability more concerning is that the vulnerable feature was only introduced in version 2.3 of the plugin: [Read more]