WordPress Hasn’t Provided Fix for Severe Vulnerability Being Exploited in the Frontend Admin Plugin
According to WordPress’ security page, their security team can provide fixes for severe vulnerabilities in WordPress plugins. When they will actually do that is almost entirely opaque, as they only say “if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.” We keep running into situations where that isn’t happening when it should. The latest incident involves an arbitrary file upload vulnerability in the plugin Frontend Admin, which was publicly, but vaguely, claimed to exist on December 27. It took until January 4 for the plugin to be closed on the WordPress Plugin Directory. No update has been provided, despite the ease of providing a fix, as we will show. We have offered for years to provide fixes to WordPress in situations like this, without them taking up the offer.
Despite the already public claim that it contained a serious vulnerability, WordPress isn’t warning that the plugin is vulnerable, instead only saying on the listing for the plugin that “This closure is temporary, pending a full review.”