31 Jul

There is a CSRF Vulnerability in a WordPress Plugin with 80,000+ Installs Developed by One of The Six People Running the Plugin Directory

A core problem with the handling of security issues in WordPress plugins is the team running the Plugin Directory, who have shown themselves not to be up to the task of handling the role they are in. Part of that involves an inability to work with others to fix the problems the team is causing. That seems in part due to a belief that they have capabilities they don't. You can get a taste of that from the bio of one of the members, which reads in part:


22 Apr

WordPress Believes That Leaving Millions Of Installs of Plugins Vulnerable To Publicly Known Vulnerabilities Is “Appropriate Action”

If you want to better understand what is amiss with the moderators of the WordPress Support Forum, looking at their response to our protest seems instructive. That protest, a response to the inappropriate behavior of the moderators, involves fully disclosing vulnerabilities in plugins and only notifying the plugin's developer of the disclosure through the forum until that behavior is cleaned up.


16 Apr

Why Is Samuel “Otto” Wood Making Claims About Us That Don’t Match Reality?

When it comes to our full disclosure of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum moderators, we are certainly not above being criticized, and any protest should be expected to have critics. What we have found, though, is that people are frequently criticizing us for things that are not close to true. For example, today during an email conversation with the developer of a plugin, who incorrectly believed we had falsely claimed their plugin contained a vulnerability (and threatened to sue us over that), they wrote this in regard to our reason for fully disclosing that vulnerability:


15 Apr

Samuel “Otto” Wood Believes That “Magic Wizards” Discover Exploitable Vulnerabilities in WordPress Plugins

When it comes to the problems with the moderation of the WordPress Support Forum that led us to begin fully disclosing vulnerabilities until that inappropriate behavior is cleaned up, there has been a continuing strange situation where people mix up cause and effect, somehow believing that we started our protest because we were banned from the Support Forum for our protest, which obviously makes no sense. The person that seems to be at the heart of that mix-up is the person in charge of the moderation of the Support Forum, Samuel “Otto” Wood, who also believes that “magic wizards” discover exploitable vulnerabilities in WordPress plugins.


30 Mar

WordPress Plugin Team Paints Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Related Posts

When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve the situation was:


30 Nov

Samuel “Otto” Wood Keeps Making it Seem Like He Wants WordPress Websites to Be Unnecessarily Hacked

On October 29th we detailed a vulnerability that had been fixed in the plugin AMP for WP – Accelerated Mobile Pages and started warning our customers if they were using a vulnerable version. What made this problematic was that, while a fixed version was available, the plugin had been closed, so people could not use the normal update process in WordPress to update to it (though we were available to help our customers do that).


05 Nov

The WordPress Forum Moderators Keep Bizarrely Deleting Replies Just Saying Thank You

Where we first saw indications that something was very amiss with the moderation of the WordPress Support Forum was when a reply from someone simply thanking us for answering a question they had was deleted. It didn't make any sense to delete that, and it went against what people were being told about the limited circumstances in which things would be deleted from the forum:
