WordPress Support Forum Moderator Falsely Claims That There Are No Plugins With Known Unfixed Vulnerabilities in WordPress Plugin Directory
One of the ways we are able to provide our customers with better information on vulnerabilities in WordPress plugins than our competitors is by monitoring the WordPress Support Forum for topics related to those vulnerabilities. Beyond that, the monitoring also alerts us to other mentions of security on the forum. Through it, we often find the moderators of that forum spreading misinformation to the WordPress community related to security. One such instance came over the weekend when a moderator, Yui, wrote this:
Otherwise, please note, there are no plugins with known unfixed vulnerabilities that remain active in WordPress plugin directory.
That is a definitive statement backed up by nothing. It also seems to be contradicted by what they wrote right before it:
I have removed your review.
If you know any unpatched vulnerability in this plugin, then report it to plugins team using this guide: https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/
If there are “no plugins with known unfixed vulnerabilities that remain active in WordPress plugin directory”, then there shouldn’t be anything to report to them.
The larger issue with that claim is that it isn’t close to true. Late last month we discussed a situation where there was a plugin that remained in the Plugin Directory for over two years after being known to be vulnerable. That was eventually closed, but this is an ongoing issue, as based on what is in our dataset, there are currently plugins with at least 6.48 million installs in the Plugin Directory despite being known to be vulnerable.
For plugins with 3.78 million installs, we know that the team running the Support Forum, which is headed by one of the two people running the Plugin Directory, knows about them. Recently, when the person running both of those, Samuel “Otto” Wood, claimed that wasn’t the case, we pointed to a plugin in which we had found a serious vulnerability after it looked like hackers were already targeting it. That plugin has been known to be vulnerable since at least April 5, when we warned about it, and yet it remains in the directory, even after he was directly notified of that.
What makes a false claim like that from the moderators much more problematic is that they have a history of deleting information that disagrees with what they believe, so you end up only being able to get their misinformation.
We used to make sure that known vulnerable plugins didn’t remain in the Plugin Directory, but we suspended doing that because of ongoing problems with WordPress’s handling of security, one of those problems being the mess created by the moderators of the forum.