WordPress Continues To Prioritize Acting Inappropriately Over Making Sure Plugins Do Not Contain Exploitable Vulnerabilities
What makes the terrible moderation of the WordPress Support Forum, and the moderators’ unwillingness to stop acting inappropriately or resign in the face of how much it harms security, all the worse is that it isn’t as if some of them couldn’t be doing something useful instead. Two of the moderators we have seen acting inappropriately (one of whom also controls the moderation) are also part of the six-member team in charge of the Plugin Directory. That team is failing to do what it claims to be doing, as we keep finding vulnerabilities that should have been caught by the manual security reviews it claims to perform on new plugins. It seems entirely possible that these reviews are not even happening, but if they are, we have repeatedly offered to help the team avoid this type of situation, to no effect.
Once again, our proactive monitoring of changes made to plugins in the Plugin Directory, which aims to catch serious vulnerabilities before they are exploited, identified a possible PHP object injection vulnerability in a new plugin. That is the type of vulnerability that more advanced hackers will exploit. This time it was in the plugin Ticketrilla: Client.