What continues to be one of the worst aspects of dealing with the security of WordPress plugins is that it would be so easy to get to a much better situation, if not for the people that Matt Mullenweg, the head of WordPress, has empowered to run the WordPress Plugin Directory. There are easy changes that could be made, but don’t happen because of them. One of them has been impacting 30,000+ websites using the plugin WP DSGVO Tools (GDPR).

A Recipe for Bad Results

You can tell that something is very amiss with the team running that directory when you see that there are only claimed to be four people on the team. By comparison, the team running the theme directory has 10 people listed being listed as being Team Representatives and Theme Moderators (presumably there are more people below that level). The theme directory is listed as currently having nearly 9,000 themes, while the plugin directory is listed as having about 59,000 plugins, so you would expect the plugin team to be larger, not smaller. It isn’t for a lack of interest, instead they claim they can’t add more members:

Though at the same time they are saying they can add new members, but curiously, by invitation only:

In the time that they have claimed they couldn’t add new members, several members have come and gone.

Having such a small group of people with the amount of power they have, especially without any check over them, is troubling, and greatly increases the changes of problems, if not outright misuse or abuse. Making things worse, that team now not only operates largely in secret, but anonymously (some of the comments in response to their announcement of that give you an idea of what is going wrong with that team). It all sounds a lot like a star chamber and it seems like a recipe for bad results, but before we get to an example of that, things get worse in terms of the team.

What appears to have gone on is that the WordPress Plugin Directory has become the fiefdom of two of the members, Mika Epstein and Samuel “Otto” Wood. Having those people in control of that is problematic, as both of them seem to be unwell. Among the many issues we have run across in limited cross of paths with them, one of them appears to be a fabulist and the other believes that “magic wizards” discover exploitable vulnerabilities. Samuel “Otto” Wood works directly for Matt Mullenweg, so he must have some idea who has empowered there.

Not Making Updates Available

Monday of last week the plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory. Because of its popularity, our systems alerted us to the closure and we checked to see if the plugin might contain a vulnerability that we should warn customers of our service about. Two days later, we publicly warned about a vulnerability in the plugin that is a type that, as we put in our headline, “hackers target”.

We full disclosed that vulnerability as part of a protest of the continued inappropriate behavior of the moderators of the WordPress Support Forum. Not only have both Mika Epstein and Samuel “Otto” Wood engaged in that type of behavior as moderators, but Samuel “Otto” Wood has been the person you are supposed to go to if there is a problem with a moderator (despite being a moderator) and he apparently has chose most of the members. Having the team running the plugin directory having the ability to shut down discussions about it on the support forum (as has happened), makes the problematic nature of the running the plugin directory even worse.

Even if we were not doing full disclosures, in that situation we would need to quickly disclose the vulnerability. As there is a reasonable possibility that a hacker could discover it and we have no way of knowing when it will be reopened, so we would need to promptly warn our customers. We always warn the public at the same time we warn our customers, since we can’t assume that hacker won’t know about them once we warn our customers (hackers have tried to sign up for our service). (Another provider, by comparison, keeps the public in the dark about vulnerabilities, while providing information on them to anyone willing to pay them, including any hackers.)

At the point we disclosed the vulnerability the team running the WordPress Plugin Directory should have stepped in to action, but they didn’t. If the developer couldn’t quickly resolve it, they should have. We have offered to help them with that for years, but they haven’t taken up that offer or other’s offers to help them. Instead, the vulnerability wasn’t resolved until after a hacker had started exploiting it days later and it appears that team might not have informed them about the vulnerability either.

The team should better handle things, since we are not the only ones that are disclosing serious unfixed vulnerabilities. Last week someone posted exploit code for an unfixed vulnerability that hackers would be likely to target and shortly after that, we started seeing hackers probing for usage of it. (No fix has been made available for that.)

While the vulnerability was resolved, those using the plugin are not being provided the update to fix it, as the plugin is still closed and receiving more security updates. While making the plugin more secure is a good idea, it doesn’t make sense not provide the update to fix the more serious vulnerability in the meantime.

It seems like a good way to handle this is to provide those already using the plugin with an update, while not reopening the plugin. And that brings us back to the problem with relying on Mika Epstein and Samuel “Otto” Wood to run the WordPress Plugin Directory, as the team has the capability to do that, but doesn’t use it. We know they have it and it works, since we ran across an instance where they accidentally used it over two years ago. Four years prior, Mika Epstein stated that they had the capability.

So there is any easy change here, that for years hasn’t been made, despite the benefit it could have. And yet Mika Epstein and Samuel “Otto” Wood are allowed to continue to run the WordPress Plugin Directory.