13 Aug

WordPress Support Forums Moderators Again Delete Messages Pointing Out Their Behavior is Bad for the WordPress Community

Yesterday we noted how a moderator of the WordPress Support Forum was getting in the way of people looking for help dealing with the exploitation of a fixed vulnerability in the plugin Simple 301 Redirects – Addon – Bulk Uploader. Today, when we went back to the topic that was the source of that post, we found that many of the replies on that topic, including almost all of the ones we had quoted, had been removed. In total, only 3 of the previous 11 replies remained. Some of those removed pointed out how what the moderator was doing was bad for the WordPress community. The moderator's replies were also removed. You can see the replies as of the time of the previous post here and what is there at this moment here. That is in line with the kind of inappropriate behavior by those moderators we have seen for years and that led to us starting a protest against it nearly a year ago.

You can get a better understanding of the mess that is moderation and the related poor handling of the Plugin Directory from the message left earlier today by a moderator, Ipstenu (Mika Epstein), who also leads the six-person team running the Plugin Directory (with our commentary inserted): [Read more]

12 Aug

WordPress Support Forum Moderator Gets in Way of Users Dealing With Hack of Simple 301 Redirects – Addon – Bulk Uploader

When vulnerabilities in WordPress plugins get exploited, a lot of those impacted don't have a good understanding of what is going on. One example we have seen frequently with recent instances of that is people getting confused into believing that the version that fixes the vulnerability instead contains malicious code, when what they are seeing is the result of their website already having been hacked. That seems in part because they don't understand that the new version doesn't undo what the hackers have already accomplished. The best approach for people in that situation would be to hire professionals like us to clean the website, since we can help to explain what is actually going on and make sure the issue has been fully resolved. The next best would be for people to discuss it on the support forum for the plugin, but as has happened with the plugin Simple 301 Redirects – Addon – Bulk Uploader, that runs into the problematic moderators of the WordPress Support Forum.

In a recent topic for the plugin someone asked a reasonable set of questions: [Read more]

17 May

WordPress Support Forum Moderator Jan Dembowski Gets in the Way of People Dealing With Hacks Due to WP Live Chat Support

On Wednesday Sucuri disclosed a settings change vulnerability that leads to persistent cross-site scripting (XSS), which they had discovered in the WordPress plugin WP Live Chat Support, after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn't be long until public reports of it being exploited would crop up.

As of a few hours ago a topic on the WordPress Support Forum started up with people discussing that they had been hacked and trying to understand what was going on. Like clockwork, the moderators of the Support Forum started causing problems. Numerous replies have been deleted, many of them without any apparent reason, and then the topic was closed. One of the moderators we have frequently seen causing problems (and someone who we are not the only ones to believe has serious issues, which should probably preclude them from being in that role) explained the closure this way: [Read more]

07 May

WordPress Support Forum Moderators Really Don’t Understand What Disclosure of a Vulnerability Is

One of the strange issues we have seen for years when it comes to the moderators of the WordPress Support Forum is them not understanding at all what disclosing a vulnerability is. That has even occurred with the person in charge of the team running the Plugin Directory, who certainly should have understood what is and isn't disclosure of a vulnerability, since they deal with vulnerabilities on a regular basis. That continues to be a problem. The latest instance involved a review of a plugin we mentioned yesterday in the context of people failing to keep their plugins up to date, which would have prevented them from being hacked. One of the reviews we cited part of reads in full:

DO NOT USE THIS PLUGIN
This plugin left my company website vulnerable to an XSS attack on May 04, 2019 that caused visitors to be redirected to malicious spam websites. The issue was confirmed by multiple people, including WebARX Security. Excerpt from the WebARX writeup: [Read more]

29 Apr

Are Security Journalists Going to Report on WordPress Leaving Tens of Thousands of Websites Vulnerable to Widely Exploited Vulnerability?

One of the ways that we keep track of publicly disclosed vulnerabilities in WordPress plugins for our customers is by monitoring the WordPress Support Forum for relevant messages. Over the weekend that alerted us to a reply related to the plugin Related Posts:

@anevins but it’s been posted since 2 weeks and a few days ago and there isn’t any news from author. while it’s obvious where the hacker exploited the plugin it should take this long to fix it. [Read more]

22 Apr

WordPress Believes That Leaving Millions Of Installs of Plugins Vulnerable To Publicly Known Vulnerabilities Is “Appropriate Action”

If you want to better understand what is amiss with the moderators of the WordPress Support Forum, looking at their response to our protest seems instructive. That protest, in which we fully disclose vulnerabilities in plugins and only notify the developer of the plugin about the disclosures through the forum until the moderation is cleaned up, was started because of the moderators' inappropriate behavior, and their response goes a long way toward explaining it.

Back in December we got contacted by one of the moderators on Twitter and they started the conversation with: [Read more]

20 Mar

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, who we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn't surprising to see them getting something wrong when it comes to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:

Hi, [Read more]

13 Dec

The Strange Behavior of Moderators of the WordPress Support Continues With Response to Our Protest

When it comes to the inappropriate behavior on the part of the moderators of the WordPress Support Forum that led to us fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, one thing that stands out is how strange so much of it is. If the moderators were, say, being paid off to delete reviews of plugins, you could understand the motive behind it, but with what is going on so much of it is head scratching. Why would a moderator delete a reply that just says thank you? That is something we have seen moderators do recently as well as years ago. So it probably isn't surprising that the first direct response from someone on the WordPress side of things to our protest doesn't even really make sense.

That comes from one of the problematic moderators and starts with this: [Read more]

07 Dec

WordPress Support Forum Moderator Thinks Hiding Security Issues is a Bad and Good Idea at the Same Time

When it comes to the mess that is the moderation of the WordPress Support Forum, a central problem is that the moderators seem to be unwilling to allow people to discuss things that disagree with their beliefs. So, for example, last week we mentioned how at first replies were deleted and then a whole topic was closed when people put forward the idea that people shouldn't be left in the dark about closed plugins. The moderator that seems to be at the heart of that was the frequently problematic Jan Dembowski, who doesn't believe that even asking about closed plugins is a valid support question (which we still don't understand).

That same moderator popped up a couple of times in the last week in the email alerts we have for the forum to monitor for discussions about security issues, in ways that highlighted that these moderators are not thinking through what they are saying and doing. That is a big problem when they stop discussions that could help to avoid the unnecessary hacks of WordPress websites due to the poorly thought out actions of the WordPress Plugin Directory team (as occurred recently with the plugins WP GDPR Compliance and AMP for WP). [Read more]

05 Nov

More of WordPress Support Forum Moderator Jan Dembowski’s Bizarre Handling of People Trying to Deal With Closed Plugins

In protest of the continued inappropriate behavior by the moderators of the WordPress Support Forum, just over a month ago we started fully disclosing vulnerabilities until the moderation is cleaned up. So far it hasn't caused them to change their behavior (apparently continuing to act inappropriately is the only thing they seem to care about, considering they haven't even bothered to notify the developers of those vulnerabilities). In the meantime we have continued to run into more examples of them bizarrely getting in the way of the WordPress community.

We haven't been alone in having run-ins with one of those moderators, Jan Dembowski, acting bizarrely. [Read more]