It’s a bad look when a major WordPress security provider is disclosing that one of their own plugins has a serious security issue, which happened six months ago with the developer of iThemes Security. It’s even worse when the code is so insecure, which was also the case with iThemes. Automattic, the company of the head of WordPress Matt Mullenweg, which provides security solutions under brands including WPScan and Jetpack, today fixed a serious vulnerability in one of their plugins. That this happened runs counter to the view we see often that Automattic are security experts, but in line with previous security issues with their software. Unlike the situation with iThemes, though, this isn’t known to be a zero-day (a vulnerability being exploited before the developer knows about it) and doesn’t involve a security failure at such a basic level. It does involve having incredibly insecure code running in a situation that is high risk.

With that said, this situation could be used as impetus to finally move WordPress plugin security to a better place. But first, let’s look at what went wrong here. [Read more]