20 Mar 2019

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, who we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it comes to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:

Hi,

From which oldest version of EasySMTP is the 0-day vulnerability affecting that is not patched with 1.3.9.1?

Also I really hate that there are no dates on released versions of EasySMTP, as we had worked with a bunch of companies in 2016 when we used EasySMTP for them.

The response from Jan starts:

I’ve removed the tag “0-day” as that term is mistakenly used too often.

While the term is often misused (and probably more accurately abused) by companies like the one behind the Wordfence Security plugin, this is an instance where it would seem to be accurate as the discoverer of the vulnerability NinTechNet wrote this about it:

The vulnerability, found in version v1.3.9, has been exploited by hackers since at least March 15, and was caught by our Web Application Firewall for WordPress, NinjaFirewall (WP Edition).

The vulnerability was fixed on March 17.

A zero-day vulnerability is one that is being exploited before the developer knows about it, so unless the developer knew about it before March 15, this was a zero-day.

What Jan gets very wrong is this though:

No one is going to dive into the old code and confirm or test.

That is exactly what we do with every vulnerability we add to our data set (it isn’t like this person isn’t aware of us, but they don’t seem to pay much attention from what we have seen).

In this case though you don’t have to do much diving as the changelog for the version this was fixed in is:

Fixed potential vulnerability in import\export settings.

One of the changelog entries for the previous version is:

Added Export\Import settings functionality.

If you actually dive into the code you will find the same thing: this vulnerability was added in version 1.3.9 of the plugin.

The previous version was released on March 3, so it took hackers less than two weeks to find and exploit it.
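The reasoning above (the changelog of the fixing version names the flaw, the changelog of the previous version names the feature that introduced it, so the affected range is exactly the versions in between) can be automated against a plugin's readme.txt. The script below is an added example for this post, not code from the plugin or from the post's author. It parses the "== Changelog ==" section in the format WordPress.org readme files use, locates the release that added the feature and the release that fixed it, and checks an installed version against that range using numeric version comparison (so 1.3.9 sorts before 1.3.9.1, and 1.3.10 after 1.3.9, which plain string comparison gets wrong). The readme excerpt is constructed: the two entries for 1.3.9.1 and 1.3.9 are the ones quoted in the post, while the "1.3.8" block is a placeholder for the unnamed earlier release. It only answers which versions contain this particular fix; the older related vulnerability mentioned below is out of its scope.

```python
import re
from typing import List, Optional, Tuple

# Constructed readme.txt changelog excerpt. The 1.3.9.1 and 1.3.9 entries echo
# what the post quotes; "1.3.8" is a placeholder stand-in for the earlier release.
SAMPLE_README = """
== Changelog ==

= 1.3.9.1 =
* Fixed potential vulnerability in import\\export settings.

= 1.3.9 =
* Added Export\\Import settings functionality.
* Other changes.

= 1.3.8 =
* Placeholder entry for the earlier release (constructed).
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.9.1' into (1, 3, 9, 1) so releases compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_changelog(readme: str) -> List[Tuple[str, List[str]]]:
    """Return [(version, [entries...]), ...] in the order the readme lists them.

    Handles the readme.txt convention of '= x.y.z =' release headers followed
    by '* ' bullet lines. Anything before '== Changelog ==' is ignored.
    """
    body = readme.split("== Changelog ==", 1)[1] if "== Changelog ==" in readme else readme
    releases: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in body.splitlines():
        line = raw.strip()
        header = re.match(r"^=\s*([\d.]+)\s*=$", line)
        if header:
            current = (header.group(1), [])
            releases.append(current)
        elif current is not None and line.startswith("*"):
            current[1].append(line[1:].strip())
    return releases


def affected_range(readme: str, feature_keyword: str,
                   fix_keyword: str = "vulnerability") -> Tuple[Optional[str], Optional[str]]:
    """Find (first_vulnerable_version, first_fixed_version) from the changelog.

    Walks releases oldest to newest: the first release whose entries mention
    'added' plus the feature keyword introduced the code; the next release
    mentioning the fix keyword plus the feature keyword removed the flaw.
    """
    releases = sorted(parse_changelog(readme), key=lambda rel: parse_version(rel[0]))
    feature = feature_keyword.lower()
    introduced: Optional[str] = None
    fixed: Optional[str] = None
    for version, entries in releases:
        text = " ".join(entries).lower()
        if introduced is None:
            if "added" in text and feature in text:
                introduced = version
        elif fix_keyword.lower() in text and feature in text:
            fixed = version
            break
    return introduced, fixed


def is_vulnerable(installed: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= installed < fixed (an open bound counts as unbounded)."""
    current = parse_version(installed)
    if introduced is not None and current < parse_version(introduced):
        return False
    if fixed is not None and current >= parse_version(fixed):
        return False
    return True


if __name__ == "__main__":
    first_bad, first_good = affected_range(SAMPLE_README, feature_keyword="export")
    print(f"introduced in {first_bad}, fixed in {first_good}")
    for candidate in ("1.3.8", "1.3.9", "1.3.9.1"):
        print(candidate, "vulnerable" if is_vulnerable(candidate, first_bad, first_good) else "not affected")
```

Against a real plugin the same two keywords would be chosen by reading the fixing release's changelog entry first, as the post does; the script then saves re-reading every older entry by hand.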

There is another related vulnerability that existed in previous versions of the plugin though, so another of Jan’s recommendations would seem like a good idea:

if you or anyone is using a version less than 1.3.9.1 then assume you are vulnerable

But there is a problem with that as well, as the current version of the plugin is also publicly known to be vulnerable, which one of the moderators of the Support Forum decided to hide from the developer when we tried to notify them of it as part of our full disclosure of it.

9 thoughts on “WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable”

  1. I’d have to completely agree. Jan Dembowski recently has bullied WordPress.org account holders, locked user accounts for no reason other than him disagreeing with a review posted. This idiot has gone way overboard and should be removed from WordPress.org .. He has some serious mental issues going on by the way he is moderating the support forums.

  2. Jan Dembowski has been rude to me as well. Letting snarky comments from other members fly but locking my account and sending me a very passive aggressive and rude follow up. WordPress support has never been great, but it used to be at least somewhat friendly. I’m amazed that someone with such an obvious attitude problem has managed to get herself into such a position in as big a project as WordPress.

    it’s sad that once they got big they’ve become such an inhospitable and rude place. 🙁

  3. I tried installing Baqend Speed kit as I was (very briefly) considering purchasing the plesk version of the plugin. I checked the reviews before installing it and found it a bit weird that there were no reviews since November 2018, but installed it anyway.

    The plugin asks for an email address to activate the account, however, on entering the email address, it asks for a valid email. Considering that this is a plugin released by Baqend, and not a single developer, and was released in 2017 (ver. 1.13.1) I found it odd and uninstalled it.

    I left a review for the plugin (1 star) with the title ‘Cannot install it’ with a description and a screenshot. Jan Dembowski removed my review stating

    “@[retracted] I have removed your review. Please do not use the review section for support.”

    Pissed off that they are blatantly removing negative reviews, I re-posted another review with the title ‘They are removing negative reviews (THIS IS NOT A SUPPORT REQUEST)’ with another explanation and screenshots, explaining that it makes sense why there are no reviews for the plugin since November 2018, starting and ending the description with ‘MODS: THIS IS NOT A SUPPORT REQUEST’

    Within hours, Jan Dembowski replied with the following:

    “Yeah, it is. Your account is now flagged for moderation.

    @[retracted] I have removed your review and flagged your account temporarily. That just means that your post will need to be approved and @ notifications from you will not work. Please do not use the review section for support.

    If you need support then please raise a support topic.”

    That led me to searching for Jan Dembowski online, which led me to this site, which was a pleasant surprise as I only recently found about this site a few days ago, and if I’m not mistaken, I left a comment as well (which I almost never do).

    Jan Dembowski, in my opinion, is a power hungry keyboard warrior, and if people like him are moderating WordPress, the newcomers really have no chance at learning about and meeting the wonderful and helpful community of WordPress.

    Thank you for creating this site, and thank you for the articles, I have learnt a lot from your site. And Jan Dembowski, if you are reading this, F*** you.

  4. I had only given a Google plugin two stars and written what to change so they would get more than 2 stars. They had changed it quickly and I raised my rating to 5 stars. 2 days later I get an email from Jan Dembowski that I was blocked ‘because of blackmail’ and the thread is deleted. Is this guy sick in the head?

  5. Jan Dembowski wrote:
    I have removed your review and flagged your account temporarily. That just means that your post will need to be approved and @ notifications from you will not work.

    Here’s why.
    => then you’ll get more then 2 stars
    No, that’s not cool. Do not use the reviews to extort support.
    If you need to contact the moderators about this then you can do so via the Slack #forums channel.

  6. After the 3rd or 4th run in with Mr. Dembowski I Googled “Jan Dembowski idiot” and landed on this page! Hahaha

    As a plugin developer, I do agree with the rule that one shouldn’t use the reviews section for support queries. It’s a sucky move. If something isn’t working, ask for support first, and if that doesn’t get you further, sure, write a review.

    Regardless, I agree with the sentiment that Mr. Dembowski is a power hungry keyboard warrior. If the moderators are supposed to lead by example, then his toxic behavior on the forum only helps those that’re already planning to troll and be disrespectful to the plugin developers.

  7. I was banned from the WP forums for ‘spamming’ the tags. When I argued I didn’t abuse anything the ban reason suddenly changed to banned for not replying to his message (because I wasn’t on the forum for 9 months).

    He ONLY wanted me to bend over and kiss his dirty ass:
    “If you do want your account to be re-enabled in the forums then read and reply that you agree to comply with the forum guidelines.

    https://wordpress.org/support/guidelines/

    The guidelines are not up to your interpretation and if you choose to continue arguing then there will be no further reply to your emails.”

    Fact is I DID comply with the guidelines!! I didn’t do ANYTHING wrong according to the guidelines. He invented several new rules of his own along the way to make it look like I violated something. So I got banned for not bending over and complying with his personal rules.

    He IS a power hungry moron!!!

    Entire story here: https://dontfuckwithdaddy.com/arrogant-wordpress-forum-admin/
