PluginVulnerabilities.com is Protesting WordPress.org Support Forum Moderators by Publishing Zero-Day Vulnerabilities

image credit: Jason Blackeye

A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author via the WordPress.org support forums:

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

In the linked incidents cited above, Grillot claims that moderators have deleted his comments, covered up security issues instead of trying to fix them, and promoted certain security companies for fixing hacked sites, among other complaints.

In response, Plugin Vulnerabilities has published a string of vulnerabilities with full disclosure since initiating the protest in September 2018. These posts detail the exact location of the vulnerabilities in the code, along with a proof of concept. The posts are followed up with an attempt to notify the developer through the WordPress.org support forum.

Grillot said he hopes to return to Plugin Vulnerabilities’ previous policy of responsible disclosure but will not end the protest until WordPress.org support forum moderators comply with the list of what he outlined as “appropriate behavior.”

WordPress’ security leadership is currently going through a transitional period after Aaron Campbell, head of WordPress Ecosystem at GoDaddy, stepped down from his position as head of security in December 2018. Automattic Technical Account Engineer Jake Spurlock is coordinating releases while the next person to wrangle the team is selected. This announcement was made in the #security channel, but Josepha Haden said there are plans for a more public post soon. Campbell did wish to publish the details of why he stepped down but said that he thinks it is important to rotate that role and that “the added influx of fresh energy in that position is really healthy.”

When asked about the Plugin Vulnerabilities’ protest against WordPress.org, Spurlock referenced the Responsible Disclosure guidelines on WordPress’ Hackerone profile. It includes the following recommendation regarding publishing vulnerabilities:

Give us a reasonable time to correct the issue before making any information public. We care deeply about security, but as an open-source project, our team is mostly comprised of volunteers.

Spurlock said that since those guidelines are more pertinent to core, dealing with third-party plugins is a trickier scenario. Ideally, the plugin author would be notified first, so they can work with the plugins team to push updates and remove old versions that may contain those vulnerabilities.

“The WordPress open-source project is always looking for responsible disclosure of security vulnerabilities,” Spurlock said. “We have a process for disclosing for plugins and for core. Neither of theses processes include posting 0-day exploits.”

Grillot did not respond to our request for comment, but the company’s recent blog posts contend that following responsible disclosure in the past would sometimes lead to vulnerabilities being “covered up,” and even at times cause them to go unfixed.

WordPress.org support forum moderators do not permit people to report vulnerabilities on the support forums or to engage in discussion regarding vulnerabilities that remain unfixed. The preferred avenue for reporting is to email plugins@wordpress.org so the plugins team can work with authors to patch plugins in a timely way.

However, in the wild west world of plugins, which includes more than 55,000 hosted on WordPress.org, there are times when responsible disclosure falls apart and occasionally fails users. Responsible disclosure is not a perfect policy, but overall it tends to work better than the alternative. The Plugin Vulnerabilities service even states that they intend to return to responsible disclosure after the protest, essentially recognizing that this policy is the best way to coexist with others in the plugin ecosystem.

In the meantime, publishing zero-day vulnerabilities exposes sites to potential attacks if the plugin author is not immediately available to write a patch. The only thing WordPress.org can do is remove the plugin temporarily until a fix can be released. This measure protects new users from downloading vulnerable software but does nothing for users who already have the plugin active. If site owners are going to protect themselves by disabling it until there is a fix, they need to know that the plugin is vulnerable.

Plugin Vulnerabilities’ controversial protest, which some might even call unethical, may not be the most inspired catalyst for improving WordPress.org’s approach to security. It is a symptom of a larger issue. WordPress needs strong, visible security leadership and a team with dedicated resources for improving the plugin ecosystem. Plugin authors need a better notification system for advising users of important security updates inside the WordPress admin. Most users are not subscribed to industry blogs and security services – they depend on WordPress to let them know when an update is important. Refining the infrastructure available to plugin developers and creating a more streamlined security flow is critical for repairing the plugin ecosystem’s reputation.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

64 Comments


  1. What they said is different from what they acted.

    I have a plugin Meta Box that once had a security problem. And the ones who contacted me and asked for fix is Otto and Mika from wordpress.org!

    There were no forum posts, no emails, no contact messages from PluginVulnerabilities while they expose the security bug with exploit code on their website. Not once, but twice!

    Security is a big problem, and exposing it to public should be done with consideration. Because bad people can use them to deface others’ websites.

    I didn’t know what they thought when they did that. They reacted (I mean exposing) to the problem very quickly, just a few hours (or maybe just a day) after the bug was known. And they didn’t notify me, instead of that, they published a post/report on their website.

    So, sorry, I won’t use their service. And I don’t give them a trust.

    I think wordpress.org moderators have reason to do so. At least, they protect WordPress users from being hacked. And I’m sure they notify plugin authors to fix bugs before it’s too late.

    Report


    1. We always leave a message on the Support Forum of the plugin after we do the full disclosure, so the moderators are the ones that made it so you couldn’t see that. They could allow those to be shown or just stop acting inappropriately and this would end, we hope they finally do that. It seems unlikely that we would be lying about leaving those messages considering that the head of the moderation team has made a big deal of how we create new accounts each time we do that.

      When you got contacted by the members of the team running the Plugin Directory that was in all likelihood due to them seeing our message, since they can see moderated or deleted messages, and someone is visiting our website from those on a regular basis.

      Report


      1. Playing devils advocate here. It seems like an easy excuse to use claiming moderators blocked your forum posts to plugin authors since there’s no real way to either confirm or deny a post was even made to begin with ( in this case ). You saying that it would be unlikely that you would be lying also isn’t reassuring.

        Creating multiple accounts on a forum usually comes with some kind of malicious intent which is why most forums I’ve seen either force users to merge duplicate accounts or block additional accounts from being made under the same user. Forum moderators disallowing users from creating multiple accounts is hardly unheard of behavior and well within their authority to keep forums troll free.

        From my perspective based on replies and reading the blog posts it seems there’s a lot of assumptions and speculations are being made. Makes me believe we don’t have a full view of the picture quite yet.

        Report


      2. @Alex, I will confirm with 100% certainty that yes, indeed, their posts to the forums are being blocked.

        The way they have been “protesting” is simple. They find an issue, and instead of contacting the plugin authors, or emailing the plugins team (we can always contact authors directly), they post it publicly, and then create an account using a throwaway email, then attempt to post a link to their site’s post to the forums.

        That attempt is instantly blocked, and the moderators forward it to the plugins team, where we take appropriate action.

        The forums are not a correct way to contact plugin authors about security vulnerabilities. We have been working around their actions for about 8 months now. They simply are choosing to email the plugins team in the most roundabout possible way, at this point.

        Report


      3. What an utterly stupid way to handle this. Why on earth would you do something as daft as post a security flaw in the forum? It’s not hard to contact the plugin author privately, so that they can fix the problem themself. If they refuse or are uncontactable, then contact WordPress.org, and if still nothing happens, well then you can publish the flaw since clearly no one is going to fix it. Publishing exploits like this just makes you look like a jerk and hurts the users of those plugins.

        Report


      4. CC @Otto, I think he should be banned for a life time from WP.org forums.

        Report


      5. @Alex
        If you don’t have a full picture that it isn’t due to anything on our part, we have been honest here; even the person at the heart of the problem has admitted that we were not lying about trying to notify the developers. But why would we have lied about that anyway, what even would be the purpose to claim that we are trying to notify the developers when are not?

        Report


      6. @Otto

        That attempt is instantly blocked, and the moderators forward it to the plugins team, where we take appropriate action.

        Except that you are often not doing that, considering that there are currently plugins with millions of installs that have not been removed from the Plugin Directory and haven’t been fixed despite you knowing they contain vulnerabilities because of our messages. That includes one that we specifically mentioned to a moderator back in December was already in all likelihood being exploited when he also made the claim you are now making about taking appropriate action. With another plugin with 400,000+ installs, where we have seen hackers probing for usage of it, it has now been over two weeks without the vulnerability being fixed or the plugin being removed.

        This seems to be a common problem, you think that you are doing a better job at things then you really are. Then, seemingly not intentionally, the moderation of the Support Forum is used to cover up those types of failures, so they fester, which is the kind of thing that led to our protest in the first place.

        What would be best here would be for you to clean up the moderation of the Support Forum and then work with us and or the others out there that have tried to help you to fix the problems you and the rest of the Plugin Directory team are causing.

        Report


      7. Except that you are often not doing that

        John, the fact that you don’t understand what “appropriate action” is, well, that is kind of the whole problem here. Maybe try listening to what literally everybody else is telling you, instead of trying to attack us yet again.

        Also, why do you continue to use the phrase “clean up the moderation”? That phrase has no meaning. Nothing is going to happen with the moderation. The moderators have moderated correctly, by blocking your posts. Repeatedly. For many months. They’re doing their jobs. You’re the problem, not them.

        Report


  2. There does appear to be an odd promotion within the WordPress.org forums toward a particular malware cleanup company.

    Why the wordpress.org forum so openly promotes commercial services is a bit troubling to me as well.

    I have to imagine that the promotion of commercial companies to clean up hacked websites is in goodwill, but still seems to cross the line. Am I the only one who feels this…

    Report


    1. You could’ve just called a name…

      Is it Sucuri, Wordfence or iThemes?

      Report


  3. As a plugin author who had a vulnerability disclosed by plugin vulnerabilities, I can say I received no warning from them via any support forum whatsoever. I only knew when my repo page was closed. Fortunately a patch was ready within minutes, but that is not the case for many plugin developer teams. This protest is in bad faith run by a disgruntled researcher. There has to be a better solution to protect users and developers alike that doesn’t involve destroying plugin reputations and exposing websites to attack.

    Report


    1. Yep, me too. My plugin was reviewed on their site and exposed with a concept. NO warning or good faith to contact me. Just a post promoting their own protest and temper tantrum. “WordPress, change your ways I will be as dangerous as I can be…”. Yes, I used the word “dangerous”. It is absolutely DANGEROUS to provide hackers with the information they are looking for. But, anything to get their way, right? #childish #petty #crazy #nothingbettertodo

      Report


      1. It should be noted that you actually even have an issue with responsible disclosure, as you want us to remove our post about the vulnerability in your plugin since it has been fixed. That occurred after you had threatened to sue us to get the post removed because you falsely claimed there wasn’t a vulnerability at all. With responsible or reasonable disclosure (which is what we actually did before, not responsible disclosure, and would like to return to) the details would be released after you had a chance to fix it, so you seem to be actually interested in covering up that your plugin contained a vulnerability due its very poor security. What you appear to be engage in, especially with the legal threats, is the sort of thing that causes people to do full disclosure in the first place.

        Report


  4. John Grillot is a troll, pure and simple. He does not care that sites are infected using the proof of concept that he posts, some within hours of the posting. He does not care that visitors to those sites are infected or redirected. John is the equivalent of a 3 year old throwing a tantrum in the supermarket because he can’t get what he wants.

    Just follow the rules and there isn’t an issue. The difference between what he is doing now and what he did to get kicked of the forums is that before he posted this stuff in the forums and was pissy when asked not to do that.

    The system isn’t perfect and WordPress is trying to make it better but people that complain and moan about not getting their way and harassing volunteers isn’t an incentive for those same volunteers to want to help you in any way.

    Report


    1. What you are saying doesn’t make sense. What got us “kicked of the forums” was us leaving messages letting developers know that we had full disclosed vulnerabilities in their plugins as part of our protest of the continued inappropriate behavior of the moderators. We had never done that before since we were not doing the protest/full disclosure before then. We were not “pissy” about that (since we are not a “3 year old throwing a tantrum in the supermarket because he can’t get what he wants”) and it isn’t like we didn’t expect to be banned since we are engaged in a protest against the moderators inappropriate behavior.

      Seeing as we were “kicked of the forums” for our protest, we haven’t changed what we are doing since getting “kicked of the forums” since our protest is what got us “kicked of the forums” . We don’t know why people continually make up claims like this instead of being able to address what is actually occurring. If you want to criticize us, we are certainly fair game, but don’t do it with made up stuff like that.

      What we have seen for years is that the WordPress Plugin Directory team are the ones holding back improvements. They haven’t shown a willingness to even discuss fixing problems, instead doing things like shutting down topics on forum and deleting messages that bring up problems with their handling of problems. That is part of what led to our protest. We, for example, have long offered to help them with improving the security reviews of new plugins, which are missing easy to spot serious vulnerabilities, and we have offered to provide fixes for vulnerabilities in plugins when they are likely to be exploited and where the developer isn’t releasing one, so far they have shown no interest in either of those things. The best outcome here would be for the moderation to be cleaned up and the team running the Plugin Directory to agree to work with us and others that have shown an interest in helping them get the problems they are causing, fixed up.

      The person that runs the moderation of the Support Forum (and is one of six members of the team running the Plugin Directory) isn’t a volunteer, he works directly for Matt Mullenweg, even though he really should be an employee of the WordPress Foundation.

      Report


    2. “Highly paid?” Hahahahahahaha!

      Believe me, if my job description consisted of the things you actually accused me of, I’d be much better off.

      The truth is that there is no conspiracy. I’m not in the Illuminati. That’s simply not how this sort of thing works. If you act bad and attack people, then you get called out for it eventually. Everybody on the other side of the screen is a real person. Remember that, and you generally do better at this internet thing.

      Report


  5. Exposing vulnerabilities in such a public, detailed way, is like a doctor giving cancer a fighting chance.

    Report


    1. Exposing vulnerabilities in such a public, detailed way, is like a doctor giving cancer a fighting chance.

      I make no comment upon what I think of pluginvulnerabilities.com’s practice (I don’t think my opinion is important), but you don’t understand the root problem.

      Closing plugins on the wordpress.org directory is like sticking up a “Hey, something here potentially of interest!” flag. Black hat hackers see that flag, and have the skills to investigate, and, if the plugin is vulnerable, exploit it on peoples’ sites. But the same information is not available to end-users (because the directory doesn’t provide it when they close the plugin) – even if the plugin remains closed for a long time. Site owners can’t evaluate whether they are vulnerable in their particular install, or not – and so, they can’t decide what to do about it, and how quickly they need to move to do so. They can’t make an informed decision on how to spend their limited resources of time and money.

      i.e. People with the motivation to do bad things know in detail why a plugin was closed and what they can gain from it…. but actual users of the plugin don’t know why. They can’t evaluate what they might lose by it and how best to respond. That’s a problematic situation.

      Report


      1. @David, you have a valid point, but you’re assuming that every security issue gets the plugin closed. Not the case. The majority of closings are actually split between guideline violations, and author requests. Security issues are much less, and sometimes we don’t close for minor issues that can be fixed quickly.

        We have a bit of experience at this sort of thing. The best response to a security issue is one that gets fixed and you never notice, and neither do the bad guys.

        Report


      2. @Otto
        Real world experience shows that things often don’t work that way and that you are failing to take appropriate action to deal with what really happens. Take the plugin Form Lightbox, where a hacker found and exploited a vulnerability. That was never fixed and 17 months later there were still 6,000 websites using the plugin despite being known to be vulnerable. When we tried to address the issue of unfixed vulnerabilities in the context of that plugin with you on the forum, our reply was deleted.

        While the team running the Plugin Directory should have a capability to fix vulnerabilities like that, we have offered to provide the fixes as well, so there is no reason there should be situations like that where an exploited vulnerability isn’t quickly fixed.

        Report


      3. When we tried to address the issue of unfixed vulnerabilities in the context of that plugin with you on the forum, our reply was deleted

        Yes. Correctly so. We do not allow posts about vulnerabilities on the forums. I can repeat this until I’m blue in the face, but for you, apparently that message does not get through.

        Don’t post such things on the forums. Period. Ever. For any reason. That is *not allowed*. I’ve told you that *hundreds of times* now. The support forums are not for those posts.

        I don’t know what other way to say it, so you eventually got banned. Not even by me, although I do agree with the decision.

        Report


  6. This is a reckless form of protest, knowingly putting innumerable websites at risk, potentially costing site owners hard earned cash to fix.

    Why would anyone use this company after a stunt like this? It’s very nearly a direct move to create more customers for his business.

    Report


  7. The Plugins Vulnerabilities is run under White Fir Design (terrible website). Anyway, they are out of Greenwood Village, CO. I have already contacted a lawyer in the Denver area (I live in Highlands Ranch, so just outskirts). Her name is Kassandra Kirsch. You can give her a call if you believe you have customers that were affected by Plugins Vulnerabilities wreck-less release of “concepts”. Their irresponsibility can be subject to legal consequence and since they are in CO, they fall inside of Kassandra’s practiced jurisdiction.

    Please call her at (303) 228-2165 if you feel that your customers were targeted as a result of their irresponsible posts.

    Report


    1. It should be noted that you actually even have an issue with responsible disclosure, as you want us to remove our post about the vulnerability in your plugin since it has been fixed. That occurred after you had threatened to sue us to get the post removed because you falsely claimed there wasn’t a vulnerability at all. With responsible or reasonable disclosure (which is what we actually did before, not responsible disclosure, and would like to return to) the details would be released after you had a chance to fix it, so you seem to be actually interested in covering up that your plugin contained a vulnerability due its very poor security. What you appear to be engage in, especially with the legal threats, is the sort of thing that causes people to do full disclosure in the first place.

      Also, you misspelled the name of the lawyer you mentioned.

      Report


    2. Firstly there is no way this behaviour from John Grillot is illegal. To suggest so is stupid and not in good faith.

      That being said this behaviour is immoral. Plugin authors are not hard to contact privately. And once contacted most have no issue patching the vulnerability.

      If it is not patched promptly by all means publicise the fact, and by all means publicise the fact you identified the issue once the patch has been done.

      But publicising immediately is the definition of selfish shabby behaviour.

      Report


    3. That’s low. Regardless of what you think of this protest, punishing someone with the legal process (and if you’ve ever been served or hauled into court, you will know being forced to defend yourself is a punishment, financially and otherwise) is not an equal response.

      Report


      1. A_Bad_Taste,

        And what would you call what he is doing? Exposing vulnerabilties on innocent people’s websites. You know that info from my plugin may not be much, typically just non-important items. But, there are much higher value targets in a database. If you really care and want to help make the WP community safe, then why would you show a blue print on how to hack someone’s website? We have fixed this issue. Did so in hours. However, just like all of us know, it takes time for users to actually update. Even though we did a support thread on our WP repo, as well as an email to all of our licensed users; only 15% of them are updated. That mean, 85% of our customers are at risk. And for what? All because of a protest? You can protest, but you can’t throw people in harms way while you are at it. His actions are dangerous. So I ask you, what do you think of what he is doing?

        Report


      2. @Chuck
        What seems to be missing from your thought process is that there wouldn’t have even been a vulnerability that we could full disclose if you had properly secured your plugin. The vulnerability was in your plugin for almost two years, so hackers had plenty of time that they could have exploited it before we happened to run across it.

        Curiously you claim there was security audit that found the vulnerability, but what we did there wasn’t a security audit. Getting an actual security audit would be a good idea.

        Report


  8. Sounds like somebody’s trying to get some free advertising for their plugin vulnerability reporting tool.

    Shame on you PV!

    Report


    1. We are not looking for free advertising, we simply want the moderation of the Support Forum cleaned up and we don’t know how we can make that more clear. It would be easy to prove us wrong if that isn’t true, since if the moderation was cleaned up and we didn’t stop it would prove we were lying.

      Report


      1. The very basis of your ‘solution’ is a database of vulnerabilities, which is contrary to proper reporting practices.

        If I’m a hacker, where could I turn to quickly determine what plugin vulnerabilities are available to me?

        Report


      2. How is a database of vulnerabilities “contrary to proper reporting practices”? Lots of sites maintain a database of vulnerabilities, e.g., WPScan, ThreatPress. Even Automattic has one.

        Report


  9. WordPress.org is doing just fine. Been doing great for many years now. I trust the WordPress.org team completely, they have established a long, solid reputation, as evidenced by the sheer number of people and businesses (like what, a third of the entire Internet) that use the software and plugins, themes. Pretty solid evidence that WP is doing it right.

    This sudden kerfuffle is nonsense, and obviously staged by a few bad actors. Don’t take the bait: it’s classic problem/solution tactics. There isn’t a problem. So no “solution” is required. Don’t take the bait.

    Report


    1. There clearly are problems, since if there were not problems, there wouldn’t be any vulnerabilities in plugins in the first place.

      If you look at what happened in the past couple of months with the plugin WP Easy SMTP and the Freemius library used in many plugins, hackers are finding vulnerabilities on their own and exploiting them. With the latter issue, there are still fairly popular plugins that haven’t been fixed and remain in the Plugin Directory nearly two months on.

      Report


  10. I don’t doubt there are real issues. But from the reading of the blog post, the list of “demands” ( none of which seem to go to improving the supposedly underlying issues ), the homepage of there website and other blog posts, this all seems overly personal and conspiratorial.

    Report


  11. Dragging individual names into a public attack is risky. Those who could and might help may be apprehensive to collaborate for fear of being doxed in the future.

    It’s worth pointing out the PluginsVulenerabilities author hasn’t published their name and identity in the posts, on the site, or Twitter.

    Hiding behind a “handle” anonymizes who they are while allowing them to trash the reputation of others.

    This behavior shouldn’t sit well with anyone.

    Report


    1. We are a service provider, not a person, so that isn’t a “handle”, it is the name of the service (but there is space between the words), so anyone can “trash” our reputation just as easily. There are plenty of people “trashing” us here without issue.

      Report


      1. You’ve intentionally dismissed my argument (whoever you are). You are in fact a person or a group of people.

        Nowhere on your website is there a single listing of who’s speaking on behalf of your organization. No individuals to hold accountable.

        By contrast, when Wordfence, Securi, Site Lock, WP Tavern post articles reporting issues those who researched the story are clearly indicated and can be personally held accountable.

        Report


    2. Joseph Dickson,

      I am going to share this with you because it should pass the moderation review as it is 100% purely public information:

      Secretary of State Registration

      If you do a who is search on their domain you will get this:

      https://snag.gy/sbwmUQ.jpg

      Which matches up with their SOS filing and their footer company “White Fir Design”.

      Then, if you go to WFD website here:

      https://www.whitefirdesign.com/blog/

      You see a link and advertisement right on the right hand side for their plugin security service. That, btw, after anybody reading the internet would not buy. Their marketing is going to go down the drain because they don’t have a single like on any post in this thread, and they don’t have a single article on the web in favor of them. The guy is a loose canon. He has been losing it since 2016 (earliest verifiable) and I think it is finally coming to a head.

      So, use this info in the best way you see fit. We provided Cassandra Kirsch’s info in a post above, but again, that info is:

      https://www.cmklawoffice.com/

      Cassandra Kirsch: (303) 228-2165

      Report


      1. You should contact Cassandra Kirsch to sue WordPress.org if anyone has to be sued. WordPress.org is the supplier of plugins with vulns to the public. (John has stated that there is a plugin with 4000+ active installations on wp.org which he has sent messages about and Otto confirmed the message.)

        Now long story short (and a real fix to the issue), wp.org should have a report a vuln or report a security issue button on each plugin which should send a private message that can be seen by both sender, reciever (plugin developer) and the moderators. If the plugin isn’t fixed within a given period of time then the plugin should be removed from the repository.

        Anyone suggesting that John or Plugin Vulnerabilities should have contacted the plugin authors directly are wrong. How do you know that the given plugins didn’t have those malicious codes or vulns in them wasn’t on purpose or with bad intent? Moreover, the credit has to be given to the person or the team that have found the vuln or malicious code. The main reason I’m stating this way is that neither John nor others would be aware of the plugin if it wasn’t for wp.org repo. Now, people like John are reporting security issues and all those reports have to be “recorded” and credited on each instance.

        Grow up fellas. Work to find solutions instead of non-stop continuous bickering.

        Report


  12. The guy behind plugin vulnerabilities is very annoying and unpleasant. I just can’t read his blog posts. He’s blaming all others (Sucuri, WPVULNDB, WordFence, ThreatPress, etc) except his so called service. His marketing strategy is based on blaming others and some kind of psychological warfare. He’s also picking tricky keywords. I’m really really surprised that WPTavern covered his blog. He doesn’t respect others. I’m not talking about this case, but if you read his blog posts about Sucuri, Defiant, Automattic, Mullenweg, and so on… I think he has serious problems. I’m not surprised by such crazy protesting by him, all he wants is Promotion for his so called service and now he got it, from WPTavern.

    Report


    1. Just wanted to share something I found https://medium.com/@xorloop/wordpress-security-researcher-gone-rogue-a76484ed0fc9 I think it would be worth to edit the whole post and include some more info about this crazy guy.
      Some facts:
      1) Putting 160K websites+ at risk so far (many of them got hacked).
      2) Already created 100+ fake accounts in order to try to bypass the moderation of WP.org forums.
      3) Blackmailing WordPress support forums.
      4) Criticizing every other security vendor.

      Does this increase faith in their company? They seem to have been completely blinded.

      Report


      1. That post shouldn’t increase faith in us, since it is filled with falsehoods and written by someone that seems to have no idea what they are talking about, as an example it claims:

        Since pluginvulnerabilities.com is not agreeing to the rules of WordPress support forums and their fake accounts are being banned, they decided to start blackmailing WordPress.org.

        They demand WordPress.org to “clean up the moderation” or they will continue to undermine the security of the WordPress ecosystem by disclosing plugin security vulnerabilities to hackers without reaching out to developers first.

        We got banned from the forum for our protest, so our protest couldn’t be in response to us being banned as they are claiming there, since that happened after the protest started, not before.

        As for you claim that:

        His marketing strategy is based on blaming others and some kind of psychological warfare. He’s also picking tricky keywords.

        This makes you sound more like the crazy person here than us.

        Report


      2. Plugin Vulnerabilities,

        Most of the first paragraph on your site – your First Impression for visitors & potential customers – is spent alleging what amounts to a legal conspiracy at the WordPress company. If true, WordPress would be a major criminal enterprise at the national, and even global level.

        Then you wrap up the first paragraph by broadening your allegations to include that “the rest of the security industry” is in collusion with the WordPress conspiracy. If true, then our main protection against malware, is on the take and unable to fillfil their mission.

        We are all aware that Russia consprired to influence the 2016 American Presidential election. Collusion with them has been alleged. And you think similar types of misconduct are being perpetrated by WordPress, and the whole security industry (excepting Plugin Vulnerabilities) is colluding with them.

        This is quite a presentation.

        Report


    2. I approve of WPTavern covering PluginVulnerability blog posts, insofar as they’re only Breaking All The Rules That Will Bend.

      Look at the social/cultural problems currently being experienced at other leading digital enterprises, and you’re looking in part at the side-effects of eliminating:

      … very annoying and unpleasant … psychological warfare … tricky keywords … serious [personal] problems …

      Roman Generals returning in Triumphal Procession hired personalities like this [also seen on the nightly MSM offerings!] to insult & defame them to the crowds. As WordPress moves further into dominance, the hubris-problem steadily grows.

      … But other’n that, Hugo, I couldn’t have said it better!

      And a big thanks to Otto for the several times only he had the time & energy to drop me a clue.

      Report


  13. Jesse, as always, your misdirected hate sustains me. Thank you, good sir.

    Why you continue to be allowed to attack me here, for literally no reason in this case, is a constant source of bafflement. One would think that moderation would be deployed, but, I guess that’s a bit much to ask for.

    Report


  14. Vulnerabilities should never be posted in a public forum. Full stop.

    Contact the plugin author privately. If that’s not an option or you get no response, contact the plugin team. It’s as simple as that.

    Report


    1. Justin, I don’t think that’s a good idea. It amounts in practice to saying that end-users should never have information about vulnerabilities; the plugin author and wordpress.org should have a monopoly. That, in turn, amounts to saying “just trust us”. But, confidence in the workings of a system has to rely upon independent verification. There has to be something to compare to.

      If pluginvulnerabilities.com have developed automated tools to find vulnerabilities with relative ease that are getting past the plugin review team (leaving aside the discussion of what purpose pv.com is putting those tools to), then that has shown up a fixable weakness in the wordpress.org side of things. They, by implication, have tooling that can be improved upon. If they could ever partner to gain access to such tools, or develop them themselves, and improve the quality of what’s in the repository, then that’d be a gain for everyone (regardless of how it comes about).

      Private, unreviewed monopolies are a recipe for low quality outcomes in almost every area of life.

      Report


      1. Most plugin authors patch very promptly. If this guy acted like a sensible non selfish human being we could have transparency and proper security. Ie

        Contact the author
        If no immediate response then contact the repository moderators
        Still nothing publish and call out both the author and the repository moderators

        Once patched publicise that you identified the vulnerability and that you are a great guy.

        Report


      2. @Peter Shaw
        What you are describing is what we did for years and we would love to go back to that once the inappropriate behavior of the moderators ends.

        Based on your message you don’t seem to be aware of that, which would dispute what you said about publicity. The truth is that you don’t actually get much publicity for doing things that way or doing other things that actually improve security, which is a big problem with the incentive structure surrounding security and the state of security journalism.

        When that sort of thing does get coverage it looks like it is often due to security companies significantly overstating the impact of vulnerabilities, so you end with a lot of FUD and not much useful security coverage.

        Report


    2. Have to agree with you. I’ve fixed issues with my plugins very quickly in case of any vulnerability. It is very frustrating seeing a post in the forum publicising the vulnerability when it can be handled more quietly. I got no issues telling people there was a security issue but I can’t always respond in a matter of minutes!

      Report


  15. I don’t think any solution from who thinks show a security issue instant is right choice. It can be a great showtime, but it brings a very bad result.

    You can, certainly, but must with a closed information and reach a plugin author with a deadline. Usually it takes at least 30 days before publishing a full detail. It’s a polite, and it brings our life better.

    I was banned once when my wp account was using the same IP address as someone leaves a fake review. WP.org support forum is good but it comes with a set of rules.

    But thinking from another side. Where we should contact a plugin author better? Have any idea to improve this way than email – a prof. way but too old time ago. It’s the open question for WP community.

    It’s the open change to bring some monitor service for security reason, but hope it goes a right way, with the help for many webmasters who has less IT skills but still want to have a simple website for their small business, or simple writing a blog.

    Report


    1. If you look at the Theme Directory they have for some time had a “Report this theme” button on each theme’s page where you can report issues with themes. Though when we used it to report that a theme contained a vulnerability due to an included plugin, the theme remained vulnerable and available long afterwards.

      Report


  16. This happened to me too. Instead of just contacting me directly about what they thought was an issue with the plugin, Plugin Vulnerabilities published an article about it on their website. The plugin was then temporarily withdrawn from the repository. The issue took less than ten minutes to resolve, but it then had to be manually approved by the Plugin team before it was made active again.

    That took weeks.

    New people could not download it, but existing users could not install the updated version. If there was a security issue, I had no way of alerting users of this fact or getting the updated version to them.

    The way Plugin Vulnerabilities handled the issue was the complete opposite of how open source is supposed to work. Discover an issue with my code? Great! Let me know what you found and let me fix it so the issue doesn’t do any harm. That’s not what they did.

    Report


  17. So let me get this straight…

    The way it currently works is that a vulnerable plugins remains on the repository for download, because removing it would be like raising an “I’m vulnerable” flag?

    In other words… wordpress.org are knowingly allowing users to download vulnerable plugins?

    So WTF do I tell my clients? “sorry, I can’t say for sure that any plugin you download from the repository is secure as far as we know”?

    Whether or not you agree with PV’s methods (my opinion is irrelevant)…

    1. it’s bringing this issue to the front where it needs resolving

    and

    2. the way it’s all currently handled clearly isn’t working

    I’m not taking sides but it seems like .org is acting like a petulant child, hiding behind forum rules to placate themselves from a system that’s clearly inadequate, while PV is repeatedly offering to try help fix this broken system – but resorting to undesirable tactics to make a point.

    You’re all too busy pointing fingers for someone to actually fix this shitpit of a mess.

    Certainly happy to for my interpretation of all this to be proven wrong but I’ve seen nothing so far that suggests that.

    Report


    1. I have seen this problem in many different fields, completely unrelated to WordPress. It’s a human problem, wanting everything to be simpler than it actually is [Maslow’s 4th level for anyone who cares].

      I don’t personally know a single person involved here, but I have a lot of experience evaluating people (>10k) from their writing. From the outside, PV’s writing indicates a very intelligent person who is really frustrated with the current WP Security organizational structure, a structure that is not remotely the best possible.

      You see the same problem in big companies, where security is an afterthought instead of being a fundamental part of the design.

      I think we can all agree that this needs to be fixed everywhere.

      How? For starters, how about being more effective in continuous education of plugin developers in best practices, whatever those are each month, week, or day.

      Perhaps a Security Repository of Best Practices? 😁

      Second, elevating security in the WP CMS framework code to be on an equal level with developing new features.

      It would certainly help me feel better about having my livelihood dependent on WordPress being secure enough.

      Report


  18. We’ve previously had very cordial dealings but this method directly affects active users and has pulled the rug from under me.

    (RIP, my weekend)

    Report


  19. [my personal opinion here, not on behalf of anyone else]
    The overall way WordPress leadership handles plugin security is very inadequate. To me it appears to lean really hard on ‘security through obscurity’. It is a constant source of background stress.

    The idea that plugins can be ‘de-listed’ without centralized and widely available logs of this type of event is totally irresponsible and I would challenge anyone involved to justify it. How dare anyone impose such a policy without any valid way to flag this within the sites using pulled plugins?

    Most of my experience has been over on the Drupal side. Drupal issues core security alerts when underlying libraries have small vulnerabilities, with no fault on the core developers. (for example the recent announced jQuery prototype vulnerability triggered a Drupal core security update).

    Has WordPress really been honest enough about underlying library vulnerabilities? Has WordPress really done everything possible to flag people when bad plugins are enabled, as soon as possible?

    When a plugin has a security vulnerability is there really adequate notification inside WordPress? Drupal hollers at you when this is the situation you are in, which is a responsible approach. This has been available for many years and it could easily be made available properly inside WordPress without having to go thru multiple paid third party vendors to vet everything.

    Likewise the Drupal security team will step in to pull modules or themes that have vulnerabilities, throw red flags all over them, including inside all the sites running them, with emails auto triggered from inside the websites to warn the administrators after cron module update check. This is an approach that actually respects the people building and maintaining the websites as well as the people that find the vulnerabilities and save us all from hacks.

    I don’t understand the WordPress world side of how these security issues are organized. In Drupal the security team is large and advanced, it has purview to step in on all these situations in the event that a module or theme developer can’t or won’t. It is also separately managed from the general module and theme administration world.

    I can’t say I entirely agree with PluginVulnerabilities approach to the matter but it mostly is a consequence of the inadequate attention and structural necessities paid to this issue by the community management for many years.

    PluginVulnerabilities is forcing the community to take a harder line, move away from the pernicious and extremely flawed security thru obscurity approach, and secretive de-listings that don’t protect existing sites! It is essential that people are notified of vulnerabilities as soon as possible. Making PluginVulnerabilities sit on the vulns is harmful to everyone, but under the current philosophy it seems to be regarded as what people want them to do. (and of course every day that PluginVulns has to sit on a vuln and not notify their customers due to the expectation they are supposed to be hush until someone fixes the plugin, is understandably a very tense situation for any security provider to be in!)

    Report


    1. Disclaimer: these are my opinions only and don’t necessarily reflect any group that I may be part of.

      I’ve been reading the post and the comments. As someone who has been targeted by John’s vitriol and willful misunderstanding (honestly, I think he has a whole tag on his site for me and other moderators and yes, that is creepy as all else) I just want to comment here. Hopefully briefly, probably not.

      It’s easy to say something is inadequate without proposing a working solution. It’s quick to comment about that and the indignation and righteous outrage sure is gratifying isn’t it?

      Yes, there’s a problem but the current process is within the confines of resources and the fact that WordPress remains a community effort staffed by volunteers. Closing a plugin is the right thing to do, contacting the author in a responsible manner is the right thing to do.

      Giving them the opportunity to patch it and get that on an update out to the users is the right thing to do.

      Anyone who says “RELEASE AND BE DAMNED! HOLD THE AUTHOR’S FEET AND WORDPRESS TO THE FIRE!” is just being irresponsible and hurting users if there is no patch or way yet to mitigate the problem.

      That’s the whole point of the current process. Try not to make the situation worse for the user. It’s not perfect and everyone wishes there was some magic resource wand to wave at it but there isn’t.

      That’s not security through obscurity. That’s something else. This is all about responsible disclosure. It’s not a new thing.

      (Please avoid replying “BUT, MATT!” because that just propagates the idea that WordPress.ORG is a company. It’s not.)

      PluginVulnerabilities is forcing the community to take a harder line, move away from the pernicious and extremely flawed security thru obscurity approach, and secretive de-listings that don’t protect existing sites!

      No, he really isn’t.

      John’s technical skill set is top notch. His security understanding and tools are fantastic. On that alone I’d recommend him in a heartbeat as a security researcher. It’s a pity there’s other parts of him that are not so professional.

      That skill set of his is completely hidden by the fact that he perseverates (look it up please) and can’t let go of the fact that no one is allowed to do what he does in the forums. And I’m not even talking about his toxicity to being told about the rules.

      This is part of the text that John posts in the forums.

      If you have a problem with this type of full disclosure please contact the leadership of WordPress and let them know that the moderation of this forum needs to be cleaned up, since that is how these full disclosures will end.

      How does any rational person not read that as this:

      I will keep shooting the hostages one at a time until my demands are met.

      This is not, nor ever has been, about responsible security disclosure.

      It’s about someone who was told long ago that what they are doing isn’t allowed and that someone throwing a temper tantrum as a result. That John hurts real people doesn’t matter to him. He’s stuck in a loop and just can’t move on or be professional.

      Report


      1. I can definitely sympathize with the headaches you get from what he is doing and understand why you’d attribute further fallout to the way he handles things. (and personalizing the disagreement isn’t warranted at all on his part). It’s definitely not something I would do.

        But we cannot speak of “responsible disclosure” without addressing the fact that delisting plugins is not publicly conveyed to everyone. Every time a plugin is delisted this should be available on a machine-readable file that is updated immediately. Why is there no direct mechanism for reporting security issues to the maintainer? (only advice to email the main plugins bucket email here https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/ )

        Where is the official discussion on the merits of this approach of delisting plugins? Is it really ethical to expect PluginVulns to sit on vulns when plugins get delisted without any appropriate security notification? The whole idea of mysterious “closing” plugins is very unusual to me and a core problem that is in the middle of all of this. It bugs me because it reeks of downplaying security problems which is not in the interests of users at all and it’s adding stress.

        I think you’ve got to hit up these big companies and have several people stipended under an nonprofit association organization to work on a security team separate from the plugin management team. Security has to have its own sphere and a lot of this would improve.

        It is really stressful to have a situation where plugins can simply vanish without notification and security is a hunt-and-peck game that is not systematized. This is one of the most stress generating things about WP community hands down. Thank you and best regards.

        Report


      2. Obviously there is no working security concept at wordpress.org

        Any plugin which is disabled in repository due to security problem should show exactly that reason on plugin page, and expecially also in WordPress backend in plugin list.

        Any plugin which is disabled should get a forced changelog entry which explains this problem.

        Any plugin which is disabled should get a CVE assigned by wordpress.org dedicated security person which is NOT an admin or moderator in forums.

        Current approach with “security by obscurity” by silently hiding vulnerable plugins so hackers won’t notice is a) irresponsible and b) completely wrong.

        Report


  20. It’s easy to say something is inadequate without proposing a working solution.

    Why there isn’t a “Report this plugin” button in the plugin repository like the one in the theme repository? Many times, there’s no other way to let an author know that his plugin has issues than to post a message in the plugin’s forum. I mean, this won’t solve everything but it’s a starting point that I don’t think it would be extremely complex to implement.

    Report


  21. The quotes get munged so I’ll try this.

    @Emilio wrote: Obviously there is no working security concept at wordpress.org

    Uh huh. Right. Gotcha.

    https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/
    https://wordpress.org/about/security/
    https://hackerone.com/wordpress

    @Emilio wrote: Current approach with “security by obscurity” by silently hiding vulnerable plugins so hackers won’t notice is a) irresponsible and b) completely wrong.

    That’s not “security by obscurity” and your comment is why I wrote this.

    Jan Dembowski wrote: It’s easy to say something is inadequate without proposing a working solution. It’s quick to comment about that and the indignation and righteous outrage sure is gratifying isn’t it?

    I’m not trolling you or anyone but please try to make informed comments.

    Dan Feidt (hongpong) wrote: But we cannot speak of “responsible disclosure” without addressing the fact that delisting plugins is not publicly conveyed to everyone.

    I am not on the plugins team (I am a forum moderator) and I do not necessarily disagree with you. The de-listing of plugins is more often than not for other reasons having nothing to do with security. The current process is a compromise and it’s changing all the time to improve.

    But again, this post isn’t about responsible disclosure. John’s actions are not about that at all. It’s a temper tantrum and when he posts this in the forums:

    John Grillot in the forums: If you have a problem with this type of full disclosure please contact the leadership of WordPress and let them know that the moderation of this forum needs to be cleaned up, since that is how these full disclosures will end.

    He’s really saying this:

    John Grillot (translated) in the forums: I will keep shooting the hostages one at a time until my demands are met.

    There’s no other rational way to read that. This is not a debate about how to disclose vulnerabilities in a responsible way. It’s a malicious disclosure in a blatant attempt to force people to permit his behavior that flat out is not allowed by anyone in the forums. The whole “moderation of this forum needs to be cleaned up” is just his gaslighting.

    That is his intent and that matters. His statement isn’t “I fight for the users” it’s about getting air time and coverage.

    Report

Comments are closed.