Automattic Has a lot of Work to do on the Security of the Zero BS WordPress CRM Plugin
A couple of months ago we discussed Automattic's concern, or lack thereof, for the security of WordPress plugins, in the context of them causing an insecure plugin from Facebook to be installed on websites using their WooCommerce plugin. A week ago it was announced that they had purchased the plugin Zero BS WordPress CRM. After seeing that, we started to take a quick look over the security of the plugin, but we didn't get far into that before finding that the plugin has some obvious security issues.
As one quick example of the insecurity, we found that someone who could get a logged-in Administrator to click a link, say one left in a comment on the website, could cause all of the plugin's data to be deleted, which is a pretty big issue for a CRM plugin. So it would appear that Automattic didn't do security due diligence on the plugin before the purchase, considering that if they had, they should have reported the issues to the developer and the issues should have been fixed by now.
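The "administrator clicks a link and data is deleted" class of issue described above comes down to a destructive admin action that is not tied to a nonce. The following is an added illustration written for this post; it is not code from Zero BS CRM or Automattic, and every name in it (the `zbscrm_example_*` functions, hooks and option, the `_zbscrm_nonce` query argument, the `zbscrm-example` admin page) is a hypothetical stand-in. It shows the vulnerable pattern beside the hardened one using WordPress's own nonce and capability APIs.

```php
<?php
// Added example, not the plugin's code. All zbscrm_example_* names are hypothetical.

// Vulnerable pattern: a destructive action fired by a bare GET parameter.
// Any page that links the logged-in administrator to ?zbscrm_example_reset=1
// (a comment on the site, for instance) runs the deletion under their session,
// because the capability check alone says nothing about who built the request.
function zbscrm_example_vulnerable_reset() {
    if ( isset( $_GET['zbscrm_example_reset'] ) && current_user_can( 'manage_options' ) ) {
        delete_option( 'zbscrm_example_contacts' ); // hypothetical: all CRM data gone
    }
}
// add_action( 'admin_init', 'zbscrm_example_vulnerable_reset' );

// Hardened pattern: route the action through admin-post.php, require the
// capability, and require a nonce bound to this specific action. A link left
// in a comment cannot carry a valid nonce, so the request dies before deleting.
function zbscrm_example_reset_link() {
    $url = admin_url( 'admin-post.php?action=zbscrm_example_reset' );
    // wp_nonce_url() appends _zbscrm_nonce=<token> for the 'zbscrm_example_reset' action.
    return wp_nonce_url( $url, 'zbscrm_example_reset', '_zbscrm_nonce' );
}

function zbscrm_example_hardened_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 "link has expired" page if the nonce is missing, stale,
    // or was issued for a different action or user.
    check_admin_referer( 'zbscrm_example_reset', '_zbscrm_nonce' );

    delete_option( 'zbscrm_example_contacts' ); // hypothetical destructive step
    wp_safe_redirect( admin_url( 'admin.php?page=zbscrm-example&reset=1' ) );
    exit;
}
add_action( 'admin_post_zbscrm_example_reset', 'zbscrm_example_hardened_reset' );
```

For a genuinely destructive operation the reset link would normally be a POST form with `wp_nonce_field()` plus a confirmation step rather than a GET link, but the nonce check is the part that closes the hole described in the post: without it, the only thing standing between a comment link and a wiped CRM is the administrator's habit of clicking.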