01 Nov

Full Disclosure of Authenticated XSS Vulnerability in WordPress Plugin With 100,000+ Installs

One of the elements of the inappropriate behavior of the moderators of the WordPress Support Forum that has lead us to¬†full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up has been to delete messages about vulnerabilities in WordPress plugins while doing nothing to get them fixed. We don’t know how they think this is a good idea since it just limits getting things fixed, which is what is the important thing to do about vulnerabilities, while not actually hiding the vulnerabilities.

Sometimes things get even odder, as once again we ran across the moderator¬†Steven Stern (sterndata) delete a topic well after it would even seem to do much, if any, good. The last time we ran across them doing that it probably slowed down getting a vulnerability fixed that was claimed to be being exploited already (but likely wasn’t actually being exploited). If it was really already being exploited then the horse is already well out of the barn and by the time they deleted it, the topic had been up for a couple of days, so others had plenty of time to have seen it, which would make getting it fixed quickly what should have been focused on instead of making that harder. In this instance they deleted a topic on something that isn’t even really a vulnerability, as the developer had explained at the time, over a month after it was posted. What good they think that will do to delete that we don’t know. Before we realized that we had actually seen the earlier claims and concluded there really wasn’t an issue, we went to see what might be at issue with the plugin and found a real vulnerability. So their action is actually causing a real vulnerability to be full disclosed, which is exactly the kind of counterproductive behavior the moderators excel in. [Read more]