One of the ways that we keep track of publicly disclosed vulnerabilities in WordPress plugins for our customers is by monitoring the WordPress Support Forum for relevant messages, over the weekend that notified us to a reply related to the plugin Related Posts:

@anevins but it’s been posted since 2 weeks and a few days ago and there isn’t any news from author. while it’s obvious where the hacker exploited the plugin it should take this long to fix it.

Looking at that today, the plugin is still closed down despite a vulnerability in that plugin being widely exploited starting on April 9 or 10. The developer submitted a new version of the plugin that fixed the vulnerably on April 10 (and submitted another new version with additional related security improvements the next day), but that still hasn’t been made available weeks later.

That person being at-replied in that, Andrew Nevins, is one of the moderators of the Support Forum and they wrote this back:

2 weeks isn’t long when you consider the author is volunteering their spare time to fix the issue

That doesn’t make sense, since the developer already submitted a fix, but one of the frequent problems we have seen with the moderators is that they don’t seem to be concerned with avoiding making claims related to topics they don’t understand (which causes further problems when they can’t handle someone disagreeing with them).

The comment also doesn’t make sense since the developer is selling a pro version of the plugin, which clearly is receiving sales since the next reply in the topic is this:

A roadmap can be useful to everyone!
I bought the pro version only two days before hacking
I’m working on a new website (opening 3rd week of may) …

Waiting or searching another plugin ??

The situation with the plugin gets worse when you consider that we publicly warned about that vulnerability on March 30, so there was plenty of time for it to be fixed before the exploitation even started. In situations where the developer isn’t promptly fixing vulnerabilities likely to be exploited we have repeatedly offered to provide fixes, so in a situation like this isn’t like the team running the Plugin Directory would not have had a difficult time making sure a fix was released before that, but they have shown no interest in that or avoiding situations like this in general.

We had spotted the vulnerability because we started checking to see if popular plugins (this one had 60,000+ installs when closed) that were close contained security vulnerabilities, since we had seen that hackers were already likely doing that. So the Plugin Directory team closing the plugin without a publicly disclosed vulnerability actually brought attention to the vulnerability and having it continued to be closed isn’t helping.

While this vulnerability got coverage, it seemed focused on criticizing us for publicly warning about it, not on the fact that it hadn’t been fixed despite it being publicly known well before it was exploited. Now that over two more weeks have gone by are security journalists going to finally focus on what is actually amiss here?