A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author (more…)
Over the weekend, Pipdig, a small commercial theme company, has been at the center of a scandal after multiple reports exposed a litany of unethical code additions to its Pipdig Power Pack (P3) plugin. On Friday, March 29, Wordfence threat analyst Mikey Veenstra published a report with code examples of (more…)
In this episode, John James Jacoby and I are joined by Sandy Edwards. Sandy gave us a behind the scenes look at what it takes to organize a WordPress event for children and teens. She also provides background information on a new group that’s been formed called the Kids Events (more…)
WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over (more…)
Freemius, a monetization, analytics, and marketing library for WordPress plugin and theme developers, patched an authenticated option update vulnerability in its wordpress-sdk four days ago. The library is included with many popular plugins, such as NextGEN Gallery (1,000,000+ installs), 404 – 301 (100,000+ installs), WP Security Audit Log (80,000+ installs), (more…)
Bootstrap has released versions 4.3.1 and 3.4.1 to patch an XSS vulnerability (CVE-2019-8331) that was reported to the Bootstrap Drupal project by a developer and then responsibly disclosed to the Bootstrap development team. The vulnerability specifically affects usage of the tooltip and popover features: Earlier this week a developer reported (more…)
WPBrigade, the developers behind the Simple Social Buttons plugin, have patched a critical privilege escalation vulnerability. The security issue was discovered by the team at WebARX. Developer and researcher Luka Šikić summarized the vulnerability in a post published this week: Improper application design flow, chained with lack of permission check (more…)
Over the weekend, many WPML customers received an unauthorized email from someone who claimed to have hacked the company’s website and gained access to customer emails. WPML founder Amir Helzer suspects that the attacker is a former employee. “The customer is an ex-employee who left an exploit on the server (more…)
On Saturday, January 19, WPML customers started reporting having received an email from someone who seems to have hacked the plugin’s website and gained access to customer information. Got same mail and there is this text on #wpml website visible now. What happened guys? #security #hack #vulnerability #0day or something? (more…)
At the end of last week, a plugin called WP GDPR Compliance sent out a security update for a privilege escalation vulnerability that was reported to the WordPress Plugin Directory team on November 6. The plugin was temporarily removed and then reinstated after the issues were patched within 24 hours (more…)
In this episode, John James Jacoby and I spend the first half of the show discussing WP Engine’s acquisition of StudioPress. We share reactions from social media, debate on whether it’s a good or bad thing for the WordPress ecosystem, and webhosts being at the top of the food chain. (more…)
In this episode, John James Jacoby and I are joined by Jack Lenox, Software Engineer at Automattic, to discuss his new project, SustyWP. Lenox explains how he built the site so that it only has 7KB of data transfer, what sustainability on the web means to him, and the relationship (more…)