PluginVulnerabilities.com is Protesting WordPress.org Support Forum Moderators by Publishing Zero-Day Vulnerabilities

image credit: Jason Blackeye

A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author via the WordPress.org support forums:

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

In the linked incidents cited above, Grillot claims that moderators have deleted his comments, covered up security issues instead of trying to fix them, and promoted certain security companies for fixing hacked sites, among other complaints.

In response, Plugin Vulnerabilities has published a string of vulnerabilities with full disclosure since initiating the protest in September 2018. These posts detail the exact location of the vulnerabilities in the code, along with a proof of concept. The posts are followed up with an attempt to notify the developer through the WordPress.org support forum.

Grillot said he hopes to return to Plugin Vulnerabilities’ previous policy of responsible disclosure but will not end the protest until WordPress.org support forum moderators comply with the list of what he outlined as “appropriate behavior.”

WordPress’ security leadership is currently going through a transitional period after Aaron Campbell, head of WordPress Ecosystem at GoDaddy, stepped down from his position as head of security in December 2018. Automattic Technical Account Engineer Jake Spurlock is coordinating releases while the next person to wrangle the team is selected. This announcement was made in the #security channel, but Josepha Haden said there are plans for a more public post soon. Campbell did wish to publish the details of why he stepped down but said that he thinks it is important to rotate that role and that “the added influx of fresh energy in that position is really healthy.”

When asked about the Plugin Vulnerabilities’ protest against WordPress.org, Spurlock referenced the Responsible Disclosure guidelines on WordPress’ Hackerone profile. It includes the following recommendation regarding publishing vulnerabilities:

Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.

Spurlock said that since those guidelines are more pertinent to core, dealing with third-party plugins is a trickier scenario. Ideally, the plugin author would be notified first, so they can work with the plugins team to push updates and remove old versions that may contain those vulnerabilities.

“The WordPress open-source project is always looking for responsible disclosure of security vulnerabilities,” Spurlock said. “We have a process for disclosing for plugins and for core. Neither of theses processes include posting 0-day exploits.”

Grillot did not respond to our request for comment, but the company’s recent blog posts contend that following responsible disclosure in the past would sometimes lead to vulnerabilities being “covered up,” and even at times cause them to go unfixed.

WordPress.org support forum moderators do not permit people to report vulnerabilities on the support forums or to engage in discussion regarding vulnerabilities that remain unfixed. The preferred avenue for reporting is to email plugins@wordpress.org so the plugins team can work with authors to patch plugins in a timely way.

However, in the wild west world of plugins, which includes more than 55,000 hosted on WordPress.org, there are times when responsible disclosure falls apart and occasionally fails users. Responsible disclosure is not a perfect policy, but overall it tends to work better than the alternative. The Plugin Vulnerabilities service even states that they intend to return to responsible disclosure after the protest, essentially recognizing that this policy is the best way to coexist with others in the plugin ecosystem.

In the meantime, publishing zero-day vulnerabilities exposes sites to potential attacks if the plugin author is not immediately available to write a patch. The only thing WordPress.org can do is remove the plugin temporarily until a fix can be released. This measure protects new users from downloading vulnerable software but does nothing for users who already have the plugin active. If site owners are going to protect themselves by disabling it until there is a fix, they need to know that the plugin is vulnerable.

Plugin Vulnerabilities’ controversial protest, which some might even call unethical, may not be the most inspired catalyst for improving WordPress.org’s approach to security. It is a symptom of a larger issue. WordPress needs strong, visible security leadership and a team with dedicated resources for improving the plugin ecosystem. Plugin authors need a better notification system for advising users of important security updates inside the WordPress admin. Most users are not subscribed to industry blogs and security services – they depend on WordPress to let them know when an update is important. Refining the infrastructure available to plugin developers and creating a more streamlined security flow is critical for repairing the plugin ecosystem’s reputation.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

56 Comments


  1. What they said is different from what they acted.

    I have a plugin Meta Box that once had a security problem. And the ones who contacted me and asked for fix is Otto and Mika from wordpress.org!

    There were no forum posts, no emails, no contact messages from PluginVulnerabilities while they expose the security bug with exploit code on their website. Not once, but twice!

    Security is a big problem, and exposing it to public should be done with consideration. Because bad people can use them to deface others’ websites.

    I didn’t know what they thought when they did that. They reacted (I mean exposing) to the problem very quickly, just a few hours (or maybe just a day) after the bug was known. And they didn’t notify me, instead of that, they published a post/report on their website.

    So, sorry, I won’t use their service. And I don’t give them a trust.

    I think wordpress.org moderators have reason to do so. At least, they protect WordPress users from being hacked. And I’m sure they notify plugin authors to fix bugs before it’s too late.

    Report

    Reply

    1. We always leave a message on the Support Forum of the plugin after we do the full disclosure, so the moderators are the ones that made it so you couldn’t see that. They could allow those to be shown or just stop acting inappropriately and this would end, we hope they finally do that. It seems unlikely that we would be lying about leaving those messages considering that the head of the moderation team has made a big deal of how we create new accounts each time we do that.

      When you got contacted by the members of the team running the Plugin Directory that was in all likelihood due to them seeing our message, since they can see moderated or deleted messages, and someone is visiting our website from those on a regular basis.

      Report

      Reply

      1. Playing devils advocate here. It seems like an easy excuse to use claiming moderators blocked your forum posts to plugin authors since there’s no real way to either confirm or deny a post was even made to begin with ( in this case ). You saying that it would be unlikely that you would be lying also isn’t reassuring.

        Creating multiple accounts on a forum usually comes with some kind of malicious intent which is why most forums I’ve seen either force users to merge duplicate accounts or block additional accounts from being made under the same user. Forum moderators disallowing users from creating multiple accounts is hardly unheard of behavior and well within their authority to keep forums troll free.

        From my perspective based on replies and reading the blog posts it seems there’s a lot of assumptions and speculations are being made. Makes me believe we don’t have a full view of the picture quite yet.

        Report


      2. @Alex, I will confirm with 100% certainty that yes, indeed, their posts to the forums are being blocked.

        The way they have been “protesting” is simple. They find an issue, and instead of contacting the plugin authors, or emailing the plugins team (we can always contact authors directly), they post it publicly, and then create an account using a throwaway email, then attempt to post a link to their site’s post to the forums.

        That attempt is instantly blocked, and the moderators forward it to the plugins team, where we take appropriate action.

        The forums are not a correct way to contact plugin authors about security vulnerabilities. We have been working around their actions for about 8 months now. They simply are choosing to email the plugins team in the most roundabout possible way, at this point.

        Report


      3. What an utterly stupid way to handle this. Why on earth would you do something as daft as post a security flaw in the forum? It’s not hard to contact the plugin author privately, so that they can fix the problem themself. If they refuse or are uncontactable, then contact WordPress.org, and if still nothing happens, well then you can publish the flaw since clearly no one is going to fix it. Publishing exploits like this just makes you look like a jerk and hurts the users of those plugins.

        Report


      4. CC @Otto, I think he should be banned for a life time from WP.org forums.

        Report


      5. @Alex
        If you don’t have a full picture that it isn’t due to anything on our part, we have been honest here; even the person at the heart of the problem has admitted that we were not lying about trying to notify the developers. But why would we have lied about that anyway, what even would be the purpose to claim that we are trying to notify the developers when are not?

        Report


      6. @Otto

        That attempt is instantly blocked, and the moderators forward it to the plugins team, where we take appropriate action.

        Except that you are often not doing that, considering that there are currently plugins with millions of installs that have not been removed from the Plugin Directory and haven’t been fixed despite you knowing they contain vulnerabilities because of our messages. That includes one that we specifically mentioned to a moderator back in December was already in all likelihood being exploited when he also made the claim you are now making about taking appropriate action. With another plugin with 400,000+ installs, where we have seen hackers probing for usage of it, it has now been over two weeks without the vulnerability being fixed or the plugin being removed.

        This seems to be a common problem, you think that you are doing a better job at things then you really are. Then, seemingly not intentionally, the moderation of the Support Forum is used to cover up those types of failures, so they fester, which is the kind of thing that led to our protest in the first place.

        What would be best here would be for you to clean up the moderation of the Support Forum and then work with us and or the others out there that have tried to help you to fix the problems you and the rest of the Plugin Directory team are causing.

        Report


      7. Except that you are often not doing that

        John, the fact that you don’t understand what “appropriate action” is, well, that is kind of the whole problem here. Maybe try listening to what literally everybody else is telling you, instead of trying to attack us yet again.

        Also, why do you continue to use the phrase “clean up the moderation”? That phrase has no meaning. Nothing is going to happen with the moderation. The moderators have moderated correctly, by blocking your posts. Repeatedly. For many months. They’re doing their jobs. You’re the problem, not them.

        Report


  2. There does appear to be an odd promotion within the WordPress.org forums toward a particular malware cleanup company.

    Why the wordpress.org forum so openly promotes commercial services is a bit troubling to me as well.

    I have to imagine that the promotion of commercial companies to clean up hacked websites is in goodwill, but still seems to cross the line. Am I the only one who feels this…

    Report

    Reply

    1. You could’ve just called a name…

      Is it Sucuri, Wordfence or iThemes?

      Report

      Reply

  3. As a plugin author who had a vulnerability disclosed by plugin vulnerabilities, I can say I received no warning from them via any support forum whatsoever. I only knew when my repo page was closed. Fortunately a patch was ready within minutes, but that is not the case for many plugin developer teams. This protest is in bad faith run by a disgruntled researcher. There has to be a better solution to protect users and developers alike that doesn’t involve destroying plugin reputations and exposing websites to attack.

    Report

    Reply

    1. Yep, me too. My plugin was reviewed on their site and exposed with a concept. NO warning or good faith to contact me. Just a post promoting their own protest and temper tantrum. “WordPress, change your ways I will be as dangerous as I can be…”. Yes, I used the word “dangerous”. It is absolutely DANGEROUS to provide hackers with the information they are looking for. But, anything to get their way, right? #childish #petty #crazy #nothingbettertodo

      Report

      Reply

      1. It should be noted that you actually even have an issue with responsible disclosure, as you want us to remove our post about the vulnerability in your plugin since it has been fixed. That occurred after you had threatened to sue us to get the post removed because you falsely claimed there wasn’t a vulnerability at all. With responsible or reasonable disclosure (which is what we actually did before, not responsible disclosure, and would like to return to) the details would be released after you had a chance to fix it, so you seem to be actually interested in covering up that your plugin contained a vulnerability due its very poor security. What you appear to be engage in, especially with the legal threats, is the sort of thing that causes people to do full disclosure in the first place.

        Report


  4. John Grillot is a troll, pure and simple. He does not care that sites are infected using the proof of concept that he posts, some within hours of the posting. He does not care that visitors to those sites are infected or redirected. John is the equivalent of a 3 year old throwing a tantrum in the supermarket because he can’t get what he wants.

    Just follow the rules and there isn’t an issue. The difference between what he is doing now and what he did to get kicked of the forums is that before he posted this stuff in the forums and was pissy when asked not to do that.

    The system isn’t perfect and WordPress is trying to make it better but people that complain and moan about not getting their way and harassing volunteers isn’t an incentive for those same volunteers to want to help you in any way.

    Report

    Reply

    1. What you are saying doesn’t make sense. What got us “kicked of the forums” was us leaving messages letting developers know that we had full disclosed vulnerabilities in their plugins as part of our protest of the continued inappropriate behavior of the moderators. We had never done that before since we were not doing the protest/full disclosure before then. We were not “pissy” about that (since we are not a “3 year old throwing a tantrum in the supermarket because he can’t get what he wants”) and it isn’t like we didn’t expect to be banned since we are engaged in a protest against the moderators inappropriate behavior.

      Seeing as we were “kicked of the forums” for our protest, we haven’t changed what we are doing since getting “kicked of the forums” since our protest is what got us “kicked of the forums” . We don’t know why people continually make up claims like this instead of being able to address what is actually occurring. If you want to criticize us, we are certainly fair game, but don’t do it with made up stuff like that.

      What we have seen for years is that the WordPress Plugin Directory team are the ones holding back improvements. They haven’t shown a willingness to even discuss fixing problems, instead doing things like shutting down topics on forum and deleting messages that bring up problems with their handling of problems. That is part of what led to our protest. We, for example, have long offered to help them with improving the security reviews of new plugins, which are missing easy to spot serious vulnerabilities, and we have offered to provide fixes for vulnerabilities in plugins when they are likely to be exploited and where the developer isn’t releasing one, so far they have shown no interest in either of those things. The best outcome here would be for the moderation to be cleaned up and the team running the Plugin Directory to agree to work with us and others that have shown an interest in helping them get the problems they are causing, fixed up.

      The person that runs the moderation of the Support Forum (and is one of six members of the team running the Plugin Directory) isn’t a volunteer, he works directly for Matt Mullenweg, even though he really should be an employee of the WordPress Foundation.

      Report

      Reply

    1. Exposing vulnerabilities in such a public, detailed way, is like a doctor giving cancer a fighting chance.

      I make no comment upon what I think of pluginvulnerabilities.com’s practice (I don’t think my opinion is important), but you don’t understand the root problem.

      Closing plugins on the wordpress.org directory is like sticking up a “Hey, something here potentially of interest!” flag. Black hat hackers see that flag, and have the skills to investigate, and, if the plugin is vulnerable, exploit it on peoples’ sites. But the same information is not available to end-users (because the directory doesn’t provide it when they close the plugin) – even if the plugin remains closed for a long time. Site owners can’t evaluate whether they are vulnerable in their particular install, or not – and so, they can’t decide what to do about it, and how quickly they need to move to do so. They can’t make an informed decision on how to spend their limited resources of time and money.

      i.e. People with the motivation to do bad things know in detail why a plugin was closed and what they can gain from it…. but actual users of the plugin don’t know why. They can’t evaluate what they might lose by it and how best to respond. That’s a problematic situation.

      Report

      Reply

      1. @David, you have a valid point, but you’re assuming that every security issue gets the plugin closed. Not the case. The majority of closings are actually split between guideline violations, and author requests. Security issues are much less, and sometimes we don’t close for minor issues that can be fixed quickly.

        We have a bit of experience at this sort of thing. The best response to a security issue is one that gets fixed and you never notice, and neither do the bad guys.

        Report


      2. @Otto
        Real world experience shows that things often don’t work that way and that you are failing to take appropriate action to deal with what really happens. Take the plugin Form Lightbox, where a hacker found and exploited a vulnerability. That was never fixed and 17 months later there were still 6,000 websites using the plugin despite being known to be vulnerable. When we tried to address the issue of unfixed vulnerabilities in the context of that plugin with you on the forum, our reply was deleted.

        While the team running the Plugin Directory should have a capability to fix vulnerabilities like that, we have offered to provide the fixes as well, so there is no reason there should be situations like that where an exploited vulnerability isn’t quickly fixed.

        Report


      3. When we tried to address the issue of unfixed vulnerabilities in the context of that plugin with you on the forum, our reply was deleted

        Yes. Correctly so. We do not allow posts about vulnerabilities on the forums. I can repeat this until I’m blue in the face, but for you, apparently that message does not get through.

        Don’t post such things on the forums. Period. Ever. For any reason. That is *not allowed*. I’ve told you that *hundreds of times* now. The support forums are not for those posts.

        I don’t know what other way to say it, so you eventually got banned. Not even by me, although I do agree with the decision.

        Report


  5. This is a reckless form of protest, knowingly putting innumerable websites at risk, potentially costing site owners hard earned cash to fix.

    Why would anyone use this company after a stunt like this? It’s very nearly a direct move to create more customers for his business.

    Report

    Reply

  6. The Plugins Vulnerabilities is run under White Fir Design (terrible website). Anyway, they are out of Greenwood Village, CO. I have already contacted a lawyer in the Denver area (I live in Highlands Ranch, so just outskirts). Her name is Kassandra Kirsch. You can give her a call if you believe you have customers that were affected by Plugins Vulnerabilities wreck-less release of “concepts”. Their irresponsibility can be subject to legal consequence and since they are in CO, they fall inside of Kassandra’s practiced jurisdiction.

    Please call her at (303) 228-2165 if you feel that your customers were targeted as a result of their irresponsible posts.

    Report

    Reply

    1. It should be noted that you actually even have an issue with responsible disclosure, as you want us to remove our post about the vulnerability in your plugin since it has been fixed. That occurred after you had threatened to sue us to get the post removed because you falsely claimed there wasn’t a vulnerability at all. With responsible or reasonable disclosure (which is what we actually did before, not responsible disclosure, and would like to return to) the details would be released after you had a chance to fix it, so you seem to be actually interested in covering up that your plugin contained a vulnerability due its very poor security. What you appear to be engage in, especially with the legal threats, is the sort of thing that causes people to do full disclosure in the first place.

      Also, you misspelled the name of the lawyer you mentioned.

      Report

      Reply

    2. Firstly there is no way this behaviour from John Grillot is illegal. To suggest so is stupid and not in good faith.

      That being said this behaviour is immoral. Plugin authors are not hard to contact privately. And once contacted most have no issue patching the vulnerability.

      If it is not patched promptly by all means publicise the fact, and by all means publicise the fact you identified the issue once the patch has been done.

      But publicising immediately is the definition of selfish shabby behaviour.

      Report

      Reply

    3. That’s low. Regardless of what you think of this protest, punishing someone with the legal process (and if you’ve ever been served or hauled into court, you will know being forced to defend yourself is a punishment, financially and otherwise) is not an equal response.

      Report

      Reply

      1. A_Bad_Taste,

        And what would you call what he is doing? Exposing vulnerabilties on innocent people’s websites. You know that info from my plugin may not be much, typically just non-important items. But, there are much higher value targets in a database. If you really care and want to help make the WP community safe, then why would you show a blue print on how to hack someone’s website? We have fixed this issue. Did so in hours. However, just like all of us know, it takes time for users to actually update. Even though we did a support thread on our WP repo, as well as an email to all of our licensed users; only 15% of them are updated. That mean, 85% of our customers are at risk. And for what? All because of a protest? You can protest, but you can’t throw people in harms way while you are at it. His actions are dangerous. So I ask you, what do you think of what he is doing?

        Report


      2. @Chuck
        What seems to be missing from your thought process is that there wouldn’t have even been a vulnerability that we could full disclose if you had properly secured your plugin. The vulnerability was in your plugin for almost two years, so hackers had plenty of time that they could have exploited it before we happened to run across it.

        Curiously you claim there was security audit that found the vulnerability, but what we did there wasn’t a security audit. Getting an actual security audit would be a good idea.

        Report


  7. Sounds like somebody’s trying to get some free advertising for their plugin vulnerability reporting tool.

    Shame on you PV!

    Report

    Reply

    1. We are not looking for free advertising, we simply want the moderation of the Support Forum cleaned up and we don’t know how we can make that more clear. It would be easy to prove us wrong if that isn’t true, since if the moderation was cleaned up and we didn’t stop it would prove we were lying.

      Report

      Reply

      1. The very basis of your ‘solution’ is a database of vulnerabilities, which is contrary to proper reporting practices.

        If I’m a hacker, where could I turn to quickly determine what plugin vulnerabilities are available to me?

        Report


      2. How is a database of vulnerabilities “contrary to proper reporting practices”? Lots of sites maintain a database of vulnerabilities, e.g., WPScan, ThreatPress. Even Automattic has one.

        Report


  8. WordPress.org is doing just fine. Been doing great for many years now. I trust the WordPress.org team completely, they have established a long, solid reputation, as evidenced by the sheer number of people and businesses (like what, a third of the entire Internet) that use the software and plugins, themes. Pretty solid evidence that WP is doing it right.

    This sudden kerfuffle is nonsense, and obviously staged by a few bad actors. Don’t take the bait: it’s classic problem/solution tactics. There isn’t a problem. So no “solution” is required. Don’t take the bait.

    Report

    Reply

    1. There clearly are problems, since if there were not problems, there wouldn’t be any vulnerabilities in plugins in the first place.

      If you look at what happened in the past couple of months with the plugin WP Easy SMTP and the Freemius library used in many plugins, hackers are finding vulnerabilities on their own and exploiting them. With the latter issue, there are still fairly popular plugins that haven’t been fixed and remain in the Plugin Directory nearly two months on.

      Report

      Reply

  9. I don’t doubt there are real issues. But from the reading of the blog post, the list of “demands” ( none of which seem to go to improving the supposedly underlying issues ), the homepage of there website and other blog posts, this all seems overly personal and conspiratorial.

    Report

    Reply

  10. Dragging individual names into a public attack is risky. Those who could and might help may be apprehensive to collaborate for fear of being doxed in the future.

    It’s worth pointing out the PluginsVulenerabilities author hasn’t published their name and identity in the posts, on the site, or Twitter.

    Hiding behind a “handle” anonymizes who they are while allowing them to trash the reputation of others.

    This behavior shouldn’t sit well with anyone.

    Report

    Reply

    1. We are a service provider, not a person, so that isn’t a “handle”, it is the name of the service (but there is space between the words), so anyone can “trash” our reputation just as easily. There are plenty of people “trashing” us here without issue.

      Report

      Reply

      1. You’ve intentionally dismissed my argument (whoever you are). You are in fact a person or a group of people.

        Nowhere on your website is there a single listing of who’s speaking on behalf of your organization. No individuals to hold accountable.

        By contrast, when Wordfence, Securi, Site Lock, WP Tavern post articles reporting issues those who researched the story are clearly indicated and can be personally held accountable.

        Report


    2. Joseph Dickson,

      I am going to share this with you because it should pass the moderation review as it is 100% purely public information:

      Secretary of State Registration

      If you do a who is search on their domain you will get this:

      https://snag.gy/sbwmUQ.jpg

      Which matches up with their SOS filing and their footer company “White Fir Design”.

      Then, if you go to WFD website here:

      https://www.whitefirdesign.com/blog/

      You see a link and advertisement right on the right hand side for their plugin security service. That, btw, after anybody reading the internet would not buy. Their marketing is going to go down the drain because they don’t have a single like on any post in this thread, and they don’t have a single article on the web in favor of them. The guy is a loose canon. He has been losing it since 2016 (earliest verifiable) and I think it is finally coming to a head.

      So, use this info in the best way you see fit. We provided Cassandra Kirsch’s info in a post above, but again, that info is:

      https://www.cmklawoffice.com/

      Cassandra Kirsch: (303) 228-2165

      Report

      Reply

      1. You should contact Cassandra Kirsch to sue WordPress.org if anyone has to be sued. WordPress.org is the supplier of plugins with vulns to the public. (John has stated that there is a plugin with 4000+ active installations on wp.org which he has sent messages about and Otto confirmed the message.)

        Now long story short (and a real fix to the issue), wp.org should have a report a vuln or report a security issue button on each plugin which should send a private message that can be seen by both sender, reciever (plugin developer) and the moderators. If the plugin isn’t fixed within a given period of time then the plugin should be removed from the repository.

        Anyone suggesting that John or Plugin Vulnerabilities should have contacted the plugin authors directly are wrong. How do you know that the given plugins didn’t have those malicious codes or vulns in them wasn’t on purpose or with bad intent? Moreover, the credit has to be given to the person or the team that have found the vuln or malicious code. The main reason I’m stating this way is that neither John nor others would be aware of the plugin if it wasn’t for wp.org repo. Now, people like John are reporting security issues and all those reports have to be “recorded” and credited on each instance.

        Grow up fellas. Work to find solutions instead of non-stop continuous bickering.

        Report


  11. The guy behind plugin vulnerabilities is very annoying and unpleasant. I just can’t read his blog posts. He’s blaming all others (Sucuri, WPVULNDB, WordFence, ThreatPress, etc) except his so called service. His marketing strategy is based on blaming others and some kind of psychological warfare. He’s also picking tricky keywords. I’m really really surprised that WPTavern covered his blog. He doesn’t respect others. I’m not talking about this case, but if you read his blog posts about Sucuri, Defiant, Automattic, Mullenweg, and so on… I think he has serious problems. I’m not surprised by such crazy protesting by him, all he wants is Promotion for his so called service and now he got it, from WPTavern.

    Report

    Reply

    1. Just wanted to share something I found https://medium.com/@xorloop/wordpress-security-researcher-gone-rogue-a76484ed0fc9 I think it would be worth to edit the whole post and include some more info about this crazy guy.
      Some facts:
      1) Putting 160K websites+ at risk so far (many of them got hacked).
      2) Already created 100+ fake accounts in order to try to bypass the moderation of WP.org forums.
      3) Blackmailing WordPress support forums.
      4) Criticizing every other security vendor.

      Does this increase faith in their company? They seem to have been completely blinded.

      Report

      Reply

      1. That post shouldn’t increase faith in us, since it is filled with falsehoods and written by someone that seems to have no idea what they are talking about, as an example it claims:

        Since pluginvulnerabilities.com is not agreeing to the rules of WordPress support forums and their fake accounts are being banned, they decided to start blackmailing WordPress.org.

        They demand WordPress.org to “clean up the moderation” or they will continue to undermine the security of the WordPress ecosystem by disclosing plugin security vulnerabilities to hackers without reaching out to developers first.

        We got banned from the forum for our protest, so our protest couldn’t be in response to us being banned as they are claiming there, since that happened after the protest started, not before.

        As for you claim that:

        His marketing strategy is based on blaming others and some kind of psychological warfare. He’s also picking tricky keywords.

        This makes you sound more like the crazy person here than us.

        Report


      2. Plugin Vulnerabilities,

        Most of the first paragraph on your site – your First Impression for visitors & potential customers – is spent alleging what amounts to a legal conspiracy at the WordPress company. If true, WordPress would be a major criminal enterprise at the national, and even global level.

        Then you wrap up the first paragraph by broadening your allegations to include that “the rest of the security industry” is in collusion with the WordPress conspiracy. If true, then our main protection against malware, is on the take and unable to fillfil their mission.

        We are all aware that Russia consprired to influence the 2016 American Presidential election. Collusion with them has been alleged. And you think similar types of misconduct are being perpetrated by WordPress, and the whole security industry (excepting Plugin Vulnerabilities) is colluding with them.

        This is quite a presentation.

        Report


    2. I approve of WPTavern covering PluginVulnerability blog posts, insofar as they’re only Breaking All The Rules That Will Bend.

      Look at the social/cultural problems currently being experienced at other leading digital enterprises, and you’re looking in part at the side-effects of eliminating:

      … very annoying and unpleasant … psychological warfare … tricky keywords … serious [personal] problems …

      Roman Generals returning in Triumphal Procession hired personalities like this [also seen on the nightly MSM offerings!] to insult & defame them to the crowds. As WordPress moves further into dominance, the hubris-problem steadily grows.

      … But other’n that, Hugo, I couldn’t have said it better!

      And a big thanks to Otto for the several times only he had the time & energy to drop me a clue.

      Report

      Reply

  12. Vulnerabilities should never be posted in a public forum. Full stop.

    Contact the plugin author privately. If that’s not an option or you get no response, contact the plugin team. It’s as simple as that.

    Report

    Reply

    1. Justin, I don’t think that’s a good idea. It amounts in practice to saying that end-users should never have information about vulnerabilities; the plugin author and wordpress.org should have a monopoly. That, in turn, amounts to saying “just trust us”. But, confidence in the workings of a system has to rely upon independent verification. There has to be something to compare to.

      If pluginvulnerabilities.com have developed automated tools to find vulnerabilities with relative ease that are getting past the plugin review team (leaving aside the discussion of what purpose pv.com is putting those tools to), then that has shown up a fixable weakness in the wordpress.org side of things. They, by implication, have tooling that can be improved upon. If they could ever partner to gain access to such tools, or develop them themselves, and improve the quality of what’s in the repository, then that’d be a gain for everyone (regardless of how it comes about).

      Private, unreviewed monopolies are a recipe for low quality outcomes in almost every area of life.

      Report

      Reply

      1. Most plugin authors patch very promptly. If this guy acted like a sensible non selfish human being we could have transparency and proper security. Ie

        Contact the author
        If no immediate response then contact the repository moderators
        Still nothing publish and call out both the author and the repository moderators

        Once patched publicise that you identified the vulnerability and that you are a great guy.

        Report


      2. @Peter Shaw
        What you are describing is what we did for years and we would love to go back to that once the inappropriate behavior of the moderators ends.

        Based on your message you don’t seem to be aware of that, which would dispute what you said about publicity. The truth is that you don’t actually get much publicity for doing things that way or doing other things that actually improve security, which is a big problem with the incentive structure surrounding security and the state of security journalism.

        When that sort of thing does get coverage it looks like it is often due to security companies significantly overstating the impact of vulnerabilities, so you end with a lot of FUD and not much useful security coverage.

        Report


    2. Have to agree with you. I’ve fixed issues with my plugins very quickly in case of any vulnerability. It is very frustrating seeing a post in the forum publicising the vulnerability when it can be handled more quietly. I got no issues telling people there was a security issue but I can’t always respond in a matter of minutes!

      Report

      Reply

  13. I don’t think any solution from who thinks show a security issue instant is right choice. It can be a great showtime, but it brings a very bad result.

    You can, certainly, but must with a closed information and reach a plugin author with a deadline. Usually it takes at least 30 days before publishing a full detail. It’s a polite, and it brings our life better.

    I was banned once when my wp account was using the same IP address as someone leaves a fake review. WP.org support forum is good but it comes with a set of rules.

    But thinking from another side. Where we should contact a plugin author better? Have any idea to improve this way than email – a prof. way but too old time ago. It’s the open question for WP community.

    It’s the open change to bring some monitor service for security reason, but hope it goes a right way, with the help for many webmasters who has less IT skills but still want to have a simple website for their small business, or simple writing a blog.

    Report

    Reply

    1. If you look at the Theme Directory they have for some time had a “Report this theme” button on each theme’s page where you can report issues with themes. Though when we used it to report that a theme contained a vulnerability due to an included plugin, the theme remained vulnerable and available long afterwards.

      Report

      Reply

  14. This happened to me too. Instead of just contacting me directly about what they thought was an issue with the plugin, Plugin Vulnerabilities published an article about it on their website. The plugin was then temporarily withdrawn from the repository. The issue took less than ten minutes to resolve, but it then had to be manually approved by the Plugin team before it was made active again.

    That took weeks.

    New people could not download it, but existing users could not install the updated version. If there was a security issue, I had no way of alerting users of this fact or getting the updated version to them.

    The way Plugin Vulnerabilities handled the issue was the complete opposite of how open source is supposed to work. Discover an issue with my code? Great! Let me know what you found and let me fix it so the issue doesn’t do any harm. That’s not what they did.

    Report

    Reply

  15. So let me get this straight…

    The way it currently works is that a vulnerable plugins remains on the repository for download, because removing it would be like raising an “I’m vulnerable” flag?

    In other words… wordpress.org are knowingly allowing users to download vulnerable plugins?

    So WTF do I tell my clients? “sorry, I can’t say for sure that any plugin you download from the repository is secure as far as we know”?

    Whether or not you agree with PV’s methods (my opinion is irrelevant)…

    1. it’s bringing this issue to the front where it needs resolving

    and

    2. the way it’s all currently handled clearly isn’t working

    I’m not taking sides but it seems like .org is acting like a petulant child, hiding behind forum rules to placate themselves from a system that’s clearly inadequate, while PV is repeatedly offering to try help fix this broken system – but resorting to undesirable tactics to make a point.

    You’re all too busy pointing fingers for someone to actually fix this shitpit of a mess.

    Certainly happy to for my interpretation of all this to be proven wrong but I’ve seen nothing so far that suggests that.

    Report

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.