WordPress Plugin Review Team Adds 6 New Sponsored Volunteers, Opens Applications 

A new era has begun for WordPress.org’s Plugin Review Team. Mika Epstein, who has served for the past decade, is stepping down, but not before launching a new crew of volunteers.

The team is responsible for approving newly submitted plugins, maintaining the Plugin Reviewer Handbook, and investigating any reported security issues and guideline violations.

Historically, the Plugin Review team has had very little turnover, but a new crop of six sponsored volunteers will be contributing an estimated 50+ hours per week. The new members include David Pérez, Evan Herman, Francisco Torres, Luke Carbis, Marta Torre, and Paco Marchante. Their efforts are already in demand as they work to tackle a large backlog of plugins.

“Given the nature of the work the team does, joining this team is a little different than some of the others: each new member will go through a vetting process by current team members before being selected,” Epstein said. “Some of the things the team is looking for are: a solid track record as a plugin developer; the ability to communicate clearly, kindly and constructively – both with other developers and users; interest in improving tools and processes; and excellent collaborative and conflict-management skills.” 

Epstein is encouraging more volunteers to apply if they have at least five hours per week to devote to the team, which could still use more help. Prospective team members can submit an application, which will be evaluated by current team members. Applicants will be required to send examples of plugins they have coded to demonstrate their experience, provide references, and detail some of their contributions to the project.


2 responses to “WordPress Plugin Review Team Adds 6 New Sponsored Volunteers, Opens Applications”

  1. Is “little turnover” being used as a euphemism there? There was little turnover because for years, the 4 people on the team were not even allowing anyone else to apply to join the team. The team was obviously undersized, which is further confirmed by a need for even more members after replacing 1 member with 6 new members. Unfortunately, WordPress doesn’t yet have a governance structure that can address problematic behavior, like has occurred with this team, in a timely manner, and instead it took a decade for a change.

    Hopefully, the new members of the team will make changes to avoid the problematic behavior of the team up until this point. A good start would be to be more transparent in the reviews of new plugins, similar to what the theme team already does, https://themes.trac.wordpress.org/. In the past, it was pretty clear that some of the reviews were not really happening, but there was no way to see who was supposed to have done the reviews that appeared to have not happened.

    The new team members don’t look to have much security expertise, so it would be great if they would reach out to the WordPress security community to work with them to address some of the security problems the team up until this point has refused to work with others to address.

    • We were curious to see what, if any, security expertise the new team members had, since the team needs more of that. In looking into that, what we found instead are a couple of issues that raise concern about the change in the team members. Those issues involve the plugin tied for the second most popular coming from the new team member, Easy Forms for Mailchimp.

      The first issue is that while the ownership of the plugin changed hands to the team member 9 months ago, the old developer is still listed as being the developer. New developers failing to disclose ownership changes of plugins in the Plugin Directory has been a known issue for some time and it is a security concern. To have a new member of the team not having addressed that issue before being allowed to join the team is troubling.

      More troubling is that the plugin contains easy-to-spot vulnerabilities caused by a lack of basic security. Those security issues should have been caught by a minimal security review of the plugin. That they are still there raises questions about what vetting was done of the new members and whether they have the expertise to be handling the security portion of their role.

      More details of what we found are at https://www.pluginvulnerabilities.com/2023/07/05/issues-with-plugin-from-new-wordpress-plugin-review-team-member-raises-fresh-concern-about-team/

