14 Apr 2025

Wordfence’s Unethical Behavior Caused Weeks Long Delay in Fix of Serious Vulnerability

Last week, once again, supposed security journalists and the security provider Patchstack were spreading misinformation about a vulnerability in a WordPress plugin. They claimed the vulnerability had been exploited hours after it was disclosed. In reality, there were exploit attempts, but no evidence of any successful exploitation. And those attempts actually happened a day or a week after the vulnerability was disclosed, depending on what you consider to be disclosure.

That a plugin from this plugin’s developer had a vulnerability that would draw interest from hackers isn’t a surprise, as the developer has a long track record of poor handling of security. We recommended not using their plugins in January 2024, unless they could show they had gotten a better handle on security. As we noted in January of this year, they clearly hadn’t gotten a better handle on things by then. With this vulnerability, they did fix it the same day they were informed of it. Unfortunately, the vulnerability was fixed weeks after it should have been, because the notification happened weeks after it should have. That was because an unethical security provider paid the discoverer not to report it to the developer. [Read more]

10 Apr 2023

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence had known about the vulnerability, but hadn’t made sure the plugin was removed. While checking into a claimed vulnerability to add it to our data set, we found another instance of that, which is more troubling.

In February, a Wordfence employee named Chloe Chamberland wrote a strange post on Wordfence’s blog that claimed in the headline, “the WordPress ecosystem is becoming more secure with responsible disclosure becoming More Common”. It is strange because the body of the post never uses the phrase responsible disclosure or otherwise refers to it. Instead, the author seems to be trying to suggest that doing something other than responsible disclosure is responsible disclosure. Responsible disclosure involves notifying a developer of a vulnerability and giving them a chance to resolve it, before notifying anyone else. The post is actually suggesting directing the reporting of vulnerabilities in WordPress plugins away from the developers and WordPress: [Read more]

12 Oct 2022

Oracle’s Poor Handling of Security on Display With Its GloriaFood’s Restaurant Menu WordPress Plugin

As discussed in more detail in a separate post, the WordPress security provider Wordfence has been selling information to exploit unfixed vulnerabilities in a WordPress plugin with 10,000+ installs to any hackers willing to pay them $99, while claiming to engage in responsible disclosure. In looking into those vulnerabilities, we found that it isn’t the only company in the security business not looking great here.

The plugin in question doesn’t have a clear name. When installed in WordPress, it is labeled as “Menu – Ordering – Reservations”. On the WordPress Plugin Directory it is either named “Restaurant Menu” or “Restaurant Menu – Food Ordering System – Table Reservation”. Whatever the name is, it comes from GloriaFood, which is part of Oracle. Yes, that Oracle. The multi-billion dollar one. The one with a security business. [Read more]