30 May 2025

Patchstack Now Withholding Misappropriated Information Needed to Secure Plugins in WordPress Plugin Directory From WordPress

Last week, we posted about how WordPress had left a known vulnerable plugin with 100,000+ installs, which is actively being targeted by a hacker, in the WordPress Plugin Directory. The plugin remains in the plugin directory despite one of the Team Reps for the Plugins Team, David Perez, and the senior member of that team, Samuel (Otto) Wood, having been informed of this.

It turns out that there is another party partially responsible for the situation. It is a party that has already been engaged in unethical behavior and things have gotten worse now. [Read more]

15 Jan 2025

Audrey Capital Employee Samuel “Otto” Wood Closed Discussion About WordPress Not Promoting Automattic’s Jetpack Plugin

Last week Automattic, the company run by the head of WordPress, Matt Mullenweg, announced that it would contribute less to WordPress. In doing so, it complained that “we’ve observed an imbalance in how contributions to WordPress are distributed across the ecosystem, and it’s time to address this.” The credited author of the post is the Executive Director of WordPress.org. What was left unsaid was how Automattic benefits from WordPress more than other companies do because of its level of control over the project. We just ran into an instance, predating the current situation with WordPress, where an attempt to address that wasn’t allowed.

Last week, we wrote about an Automattic employee who had access to non-public data on the top search terms for the WordPress Plugin Directory and who admitted to changing the directory’s search algorithm to promote Automattic’s Jetpack plugin. That isn’t the only way that Jetpack is promoted in the WordPress Plugin Directory. From the admin interface of WordPress, going to the page to add a new plugin brings up a set of Featured plugins: [Read more]

1 Oct 2024

One of the Moderators of Reddit’s WordPress Forum Doesn’t Want People to Know About WordPress’ Missing Conflict of Interest Policy

A fundamental issue with WordPress that has long existed, but hasn’t gotten the level of attention it deserves, is the inherent conflict of interest in Matt Mullenweg’s various roles. He isn’t alone in that. The Executive Director of WordPress “also leads Automattic’s open source division.” Matt Mullenweg, of course, put that person in the role of Executive Director despite the obvious conflict of interest. Despite her own obvious conflict of interest, she was going to produce a conflict of interest policy for WordPress; it was never released. A code of ethics was also never released.

Yesterday, someone posted a link to our post about that on the WordPress Subreddit, /r/wordpress/, which was quickly deleted: [Read more]

4 Oct 2022

WordPress is Obfuscating the Connection Between the WordPress Plugin Directory and Automattic

An odd controversy has recently taken up the spotlight in the WordPress plugin developer community, the removal of the Active Install Growth chart from the Advanced View page for plugins in the WordPress Plugin Directory. That chart showed the growth of installs of a plugin over time. This is what that looked like:

[Read more]

25 Apr 2022

WordPress Support Forum Moderator Falsely Claims That There Are Not Plugins With Known Unfixed Vulnerabilities in WordPress Plugin Directory

One of the ways we are able to provide our customers with better information on vulnerabilities in WordPress plugins than our competitors is by monitoring the WordPress Support Forum for topics related to that. In addition to information useful for that purpose, this alerts us to other mentions of security. Through that, we often find the moderators of that forum spreading misinformation about security to the WordPress community. One such instance came over the weekend when a moderator, Yui, wrote this:

Otherwise, please note, there are no plugins with known unfixed vulnerabilities that remain active in WordPress plugin directory. [Read more]

11 Jan 2022

WordPress Plugin Directory Team Fails to Flag Base64 Encoded Code That Creates Backdoor Account

In 2017 there was a very bad situation in which the two people running the WordPress Plugin Directory allowed a plugin containing malicious code to return to the directory twice, only to have malicious code added again each time. Somehow that situation didn’t lead to a shakeup of the team running the directory, to address the two problematic people who have long controlled it.

In the third instance, part of the code was obfuscated using base64 encoding. In the comments on a post on the WP Tavern about the situation, there were a couple of comments noting that the encoding should have flagged that code: [Read more]