9 Sep 2024

WordPress Plugin Review Team Returns Another Known Vulnerable Plugin to Plugin Directory

We are now over a year into a largely new team running the WordPress Plugin Directory. On one key issue, the new team is failing just like the old team: allowing known vulnerable plugins back into the WordPress Plugin Directory without the vulnerability being fixed.

This time the plugin is OSM, which has 10,000+ installs.

Looking at the support forum for the plugin, you can see that the most recent topic for the plugin is from July, with someone asking if the plugin would return and mentioning that they are getting a security warning about it. There are four previous topics asking about publicly disclosed security vulnerabilities, dating back to July of the previous year.

There are multiple claims of vulnerabilities in the latest version of the plugin. One that we have confirmed is a real and unfixed vulnerability was disclosed by an arm of Automattic, the company that more and more controls WordPress. They are also listing what appears to be the same vulnerability again in their data. (That Automattic arm, WPScan, isn't all that concerned about properly vetting their data.)

If you point out a problem with WordPress, the frequent response is "why aren't you doing something about it?" We have tried in various ways to help the team with this issue going back many years, and to alert others who are sponsoring team members about the problem. None of that has worked. In December, after years of avoiding the team directly because of their complete lack of ability to act professionally or appropriately, we again made an attempt to work with the new Plugin Review Team after noticing another instance of the issue. We got a series of dishonest and sometimes incoherent responses to that. We then tried to address that additional problem with the WordPress Incident Response Team, but never even got a response.
