You should be disclosing that Matt Mullenweg owns this website and is the CEO of Automattic when quoting him criticizing a competitor like this.
If Matt Mullenweg wants other companies to participate more, then WordPress needs to finally implement proper governance. Including not allowing Automattic employees to override WordPress teams, as was a recurring problem with the Marketing team before it was shut down, and having an Executive Director of WordPress that is employed by the WordPress Foundation instead of Automattic. A good starting point for that would be to release the conflict of interest policy that the Executive Director had said on multiple occasions was going to be released, but never was.
The author of that post and all three people mentioned as providing input are Automattic employees. It likely isn’t helping to reach new people if decision making for WordPress is often among a group of people that work for one company instead of a more diverse group of people.
WordPress had a dedicated marketing team, which was more diverse, and then it was shut down. Why not bring it back?
Considering that Patchstack still hasn’t managed to handle doing basic vetting with their information on supposed WordPress plugin vulnerabilities, they should be putting more focus on that, not less.
What is the source for the claim that Patchstack is the “largest vulnerability intelligence provider in the WordPress ecosystem”?
The changelog for version 1.9.2.2 is missing any mention that there was a security vulnerability fixed. That is a recurring issue with Awesome Motive.
One reason why it is important to disclose security fixes in the changelog is so that others can vet the changes to make sure they are complete. That clearly wasn’t done by Awesome Motive or Wordfence, as a quick check of the plugin shows it is still missing capability checks on other AJAX accessible functions.
Making this all worse is that the Security Reviewer on the Plugin Review Team is an Awesome Motive employee.
It would be great if you followed up with Awesome Motive and Wordfence on why they didn’t make sure the issue was fully addressed and how they are going to improve to avoid that happening again.
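The defect class the post above refers to, missing capability checks on AJAX handlers, shown as an added illustration that is not code from the plugin under discussion or from anyone on this thread. It assumes a loaded WordPress environment; the hook names, option name and the `pv_example_` prefix are invented.

```php
<?php
// Added illustration, not code from the plugin discussed above.
// wp_ajax_* hooks fire for every authenticated user, whatever their role.

// Missing checks: any logged-in user (including a Subscriber) can reach this
// handler and overwrite the option. This is the shape of defect the post describes.
function pv_example_save_settings_unchecked() {
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'pv_example_api_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_pv_example_save_unchecked', 'pv_example_save_settings_unchecked' );

// Hardened: verify the nonce (blocks CSRF) and require a capability that
// matches what the action does, here 'manage_options' for changing settings.
function pv_example_save_settings() {
    check_ajax_referer( 'pv_example_settings', 'nonce' ); // sends 403 and exits on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'pv_example_api_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_pv_example_save', 'pv_example_save_settings' );

// The nonce the hardened handler expects is issued where the admin page renders,
// e.g. passed to the script with wp_localize_script():
//   wp_create_nonce( 'pv_example_settings' )
```

When vetting a fix like the one discussed above, every `add_action( 'wp_ajax_…' )` and `wp_ajax_nopriv_…` registration in the plugin needs the same review, not only the handler named in the advisory.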
That is the third employee of Automattic to post on the blog of the Plugin Review Team in the last year despite not being listed as a member of the team or having been announced as a member of the team. It would be great to get an explanation of what is going on. Especially since the team used to feel it was important to note that no one on the team worked for Automattic.
CVSS severity scores have long been noted by the security industry to not be a reliable measure of the severity of vulnerabilities, and this vulnerability is a good example of that.
With this vulnerability, the attacker would have to have a level of access an untrusted individual rarely would have. So the risk posed by the vulnerability is rather low. The idea that a vulnerability unlikely to be exploited would have almost the highest severity doesn’t make sense.
Or to put it another way, if the vulnerability was exploitable by someone not logged in, it would certainly be widely exploited, but the severity score could increase to 10 from 9.9.
It would help if WordPress security providers stuck to more accurate severity measurements to avoid overstating the risks of vulnerabilities and unnecessarily scaring the WordPress community.
Also, what is the source for the claimed install count of this plugin?
Wordfence’s post on this vulnerability misses a critical element. The vulnerability couldn’t have existed without an unaddressed security issue in the WordPress function maybe_unserialize(): https://www.pluginvulnerabilities.com/2024/08/23/unaddressed-wordpress-security-issue-behind-recent-critical-vulnerability-in-100000-install-plugin/
There has been a solution for that issue since 2015, but WordPress hasn’t implemented it. Implementing that would remove the possibility of a lot of vulnerabilities, as that insecure function is used in lots of plugins, including Wordfence’s own.
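The mitigation the post above alludes to is assumed here to be the `allowed_classes` option that PHP 7.0 (2015) added to `unserialize()`. The following is an added illustration, not WordPress core code, of a `maybe_unserialize()`-style helper that applies it; the function name `pv_safe_maybe_unserialize` and the sample strings are invented.

```php
<?php
// Added illustration, not WordPress core code.
// With 'allowed_classes' => false, any serialized object is turned into a
// __PHP_Incomplete_Class instead of a live object, so no __wakeup()/__destruct()
// method of an attacker-chosen class can run during decoding.
function pv_safe_maybe_unserialize( $data ) {
    if ( ! is_string( $data ) ) {
        return $data; // already a PHP value, nothing to decode
    }
    $data  = trim( $data );
    $value = @unserialize( $data, array( 'allowed_classes' => false ) );
    // unserialize() returns false on malformed input; the only legitimate
    // serialized value that is also false is 'b:0;'.
    if ( false === $value && 'b:0;' !== $data ) {
        return $data; // not serialized data, return it unchanged as core does
    }
    return $value;
}

// Constructed sample inputs: a plain serialized array, and a serialized object
// of the kind a stored-data injection would rely on.
$plain  = pv_safe_maybe_unserialize( 'a:1:{s:3:"key";s:5:"value";}' );
$object = pv_safe_maybe_unserialize( 'O:8:"stdClass":1:{s:1:"x";i:1;}' );

var_dump( $plain['key'] );
var_dump( $object instanceof __PHP_Incomplete_Class );
var_dump( pv_safe_maybe_unserialize( 'not serialized' ) );
```

Code that genuinely needs objects back can pass an explicit allow-list, e.g. `array( 'allowed_classes' => array( 'MyPlugin\\Settings' ) )`, rather than accepting every class.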
Someone purchasing a plugin to put malware in it is not going to happen.
As long as you don’t have the plugin set to automatically update and the plugin doesn’t make any requests to the abandoned domain, then you should be okay to continue using the plugin for the time being. The worst-case scenario in that situation is that a vulnerability would be found in the plugin and there wouldn’t be an update. But considering how poorly developers respond to security issues in actively supported plugins, that isn’t a big risk. Depending on how long you are considering using the plugin and the security profile of your website, you could get a security review of the plugin done to hold you over.
If you are concerned the plugin might get taken over through the abandoned domain, you can contact the team running the plugin directory at plugins@wordpress.org about that.
Those are great questions, and learning from this situation is something that should happen. From what we have seen from the outside, it looks like the answers can be summed up in large part by WordPress’ lack of proper governance.
A group of people got in charge of the team who, to put it politely, shouldn’t have even been on the team. These were people that were unable to deal with being wrong and unable to understand that they didn’t know everything. They then blocked anyone else from even applying to join the team and refused outside help to address the problems they were creating.
While the problems with the team were very evident, there hasn’t been someone with oversight of the team whom others could go to in order to get the problems with the team addressed. So the problems were allowed to continue for years, until, for unclear reasons, the head of the team left. The lack of oversight unfortunately doesn’t look to have changed.
Making the situation worse, those people seem to be protected in the WordPress community, so there was largely silence about the problems. The WP Tavern, for example, has covered the new team multiple times, but ignored the team for years before that despite the ongoing problems being brought to their attention. The same is true for other outlets that cover WordPress. Those trying to civilly raise the issues were criticized for doing that. Bringing up the problems behind the scenes with the companies sponsoring the problematic team members was also ignored. The team members also have controlled the WordPress support forum and shut down attempts to discuss the problems there as well.
Hopefully, things are moving in the right direction now with the new team members, but so far, things are still not in great shape. Earlier this week, we found that a plugin with a publicly known vulnerability likely to be exploited is still available in the plugin directory, despite the company run by the head of WordPress having publicly claimed nearly a month before that the vulnerability existed. If the new team is actually interested in getting things right, working with us and others who have tried to help the team in the past would be an easy way to make things better.