Last week we discussed the hiding of pertinent information when WordPress plugins are closed on the Plugin Directory for “security issues”, in relation to a plugin named Testimonial Slider. Since that post, the support topic that first drew our attention to it has received a response from one of the six members of the team running the Plugin Directory (that person, it turns out, also controls the moderation of the Support Forum):
In a post earlier today we mentioned running across a mention of the plugin Testimonial Slider being removed from the Plugin Directory, and the cause of that removal. While doing a bit of checking over the plugin we found another minor vulnerability (and there could certainly be more, as the code we looked at isn’t securely written); we simply happened across this one while looking for something else.
When it comes to the security of WordPress plugins, the approach of the people behind WordPress is to provide as little information as possible (including not notifying developers when they are aware that a plugin has a publicly disclosed vulnerability), which often leaves users of those plugins in a bad position. A case in point is a topic that popped up in the monitoring we do of the WordPress Support Forum to keep track of vulnerabilities in WordPress plugins, which reads: