11 Dec 2023

Hacker Targeted WordPress Plugin Returns to Plugin Directory Without Update For Exploitable Vulnerability

For years, the handling of security in the WordPress Plugin Directory has been rather poor, caused by a multitude of issues. In addition to the problems with their handling of security, there hasn’t been a willingness to work with the community to address that. One of the two problematic long-time leaders of that team (and one of only four members overall, somehow) left earlier this year. Notably, as they were leaving, a largely new team was brought in by them without the involvement of the community. So far, the new team doesn’t seem to have been reaching out to those actually interested in helping them improve their handling of security. That isn’t because they are now handling things well, as yet another problematic situation shows.

In October, we wrote about seeing a hacker targeting a WordPress plugin named Dropshipping & Affiliation with Amazon and finding that the plugin was still in the plugin directory despite having a vaguely disclosed serious vulnerability. The plugin was subsequently closed on the plugin directory.

5 Jul 2023

Issues With Plugin From New WordPress Plugin Review Team Member Raise Fresh Concern About Team

For years, Mika Epstein has been causing problems for the WordPress community in their role as the head of the WordPress Plugin Review team, which controls the WordPress Plugin Directory. Thankfully, they have now left the team for largely unexplained reasons. Before they did that, they brought in new team members without allowing the WordPress community to be involved in the process. That is in line with the decidedly non-open-source nature of that team, which hasn’t produced good results in so many ways (one example being vulnerable plugins being pulled and returned without the vulnerabilities being fixed).

As Mika Epstein was leaving, 6 new members of the team were announced. Considering the problems with the existing team’s security reviewer, who remains on the team, we were curious to see if new security expertise was being brought in. Looking over the new team members’ WordPress profiles, we didn’t see any indications of that. But we did run across one of them with a plugin in which it was fairly easy to spot vulnerabilities, along with another concerning issue.