On October 29th we detailed a vulnerability that had been fixed in the plugin AMP for WP – Accelerated Mobile Pages and started warning our customers if they were using a vulnerable version. What made this problematic was that while there was a fixed version available, since the plugin was closed, people could not use the normal update process in WordPress to update to it (though we were available to help our customers do that).

The lack of the ability to update was a serious issue as on November 5, when the plugin was still closed, we noted this:

A week ago we put out a Vulnerability Details posts with the details of a vulnerability in the plugin AMP for WP – Accelerated Mobile Pages, which had been closed on the Plugin Directory recently, so if you were already customer of our service and using that plugin you would have been warned about that particular issue, as well as the general poor security of the most recently released version of the plugin. It looks like hackers are aware of that as well now, as yesterday we had a series of requests requesting files from the plugin that looked to be probing for usage of it:

• /wp-content/plugins/accelerated-mobile-pages/readme.txt
• /wp-content/plugins/accelerated-mobile-pages/README.md
• /wp-content/plugins/accelerated-mobile-pages/templates/custom-amp-content-
• button.js
• /wp-content/plugins/accelerated-mobile-pages/languages/how-to-use-a-pot-file.txt
• /wp-content/plugins/accelerated-mobile-pages/LICENSE

The series of requests came from web servers in several different locations around the world and from Chinese telecom providers.

According to data from abuseipdb.com, others had requests of the same type several days before.

That brings us to a rather stunning claim made today by Samuel “Otto” Wood, who is one of the six members of the team running the WordPress Plugin Directory, the person in charge of the moderation of the WordPress Support Forum, the “WordPress.org Admin”, and an employee of Matt Muellenweg. He wrote this in a reply to someone complaining about how the closure of a plugin was handled:

To everybody else: most of the time when a plugin is delisted, it is not for a security issue. Taking pre-emptive measures like removing the plugin just because it was delisted is never really necessary.

Someone taking pre-emptive measures related to AMP for WP – Accelerated Mobile Pages could have avoided being hacked, while Mr. Wood and others on the WordPress side of things left them open to being hacked by not making the new version that fixed the vulnerability available in a timely manner.

This isn’t the first time recently Mr. Wood has at best been unconcerned about protecting websites from being hacked due to vulnerabilities in WordPress plugins. Numerous websites recently were hacked due to a vulnerability in the plugin WP GDPR Compliance, one that was already fixed at the time of the mass exploitation. What could have helped to protect a lot of those websites would have been to force out the update, which didn’t happen. Mr. Wood is seemed to not even consider that things should be changed when it comes to handling force updates in light of what happened there and didn’t respond to our challenging that view.

If you want to go further back over two years ago a reply of ours to him on the WordPress Support Forum related to the poor handling of unfixed plugin vulnerability was deleted instead of him being able to discuss why he and others on the WordPress side of things were leaving websites open to being hacked instead of even considering changing course to avoid that.

It is truly hard to understand what could possibly being going through the minds of the people on the WordPress side of things as they continually refuse to be willing to even consider that things are amiss. What makes this so unfortunate is that fixing the problems on their end wouldn’t be hard, it just takes a willingness from them to work with others, like us, to get them fixed.