28 Sep 2021

Mika Epstein and Samuel “Otto” Woods Block 30,000+ WordPress Websites From Getting Critical Security Update

What continues to be one of the worst aspects of dealing with the security of WordPress plugins is that it would be so easy to get to a much better situation, if not for the people that Matt Mullenweg, the head of WordPress, has empowered to run the WordPress Plugin Directory. There are easy changes that could be made, but don’t happen because of them. One of them has been impacting 30,000+ websites using the plugin WP DSGVO Tools (GDPR).

A Recipe for Bad Results

You can tell that something is very amiss with the team running that directory when you see that it is claimed to have only four people on it. By comparison, the team running the theme directory has 10 people listed as Team Representatives and Theme Moderators (presumably there are more people below that level). The theme directory is listed as currently having nearly 9,000 themes, while the plugin directory is listed as having about 59,000 plugins, so you would expect the plugin team to be larger, not smaller. It isn’t for a lack of interest; instead, they claim they can’t add more members: [Read more]

31 Jul 2019

There is a CSRF Vulnerability in a WordPress Plugin with 80,000+ Installs Developed by One of The Six People Running the Plugin Directory

A core problem with the handling of the security issues with WordPress plugins is the team running the Plugin Directory, who have shown themselves not to be up to the task of handling the role they are in. Part of that involves an inability to work with others to fix the problems the team is causing. That seems in part due to a belief that they have capabilities they don’t. You can get a taste of that from the bio of one of the members, which reads in part:

Fundamentally, I started using WordPress because I was bored at work. So I started messing around on the forums, reading questions, finding the answers by reading the code, and then by answering the questions for others. Do that for a year and you will know everything there is to know about the code. [Read more]

22 Apr 2019

WordPress Believes That Leaving Millions Of Installs of Plugins Vulnerable To Publicly Known Vulnerabilities Is “Appropriate Action”

If you want to better understand what is amiss with the moderators of the WordPress Support Forum, whose inappropriate behavior led to us starting to fully disclose vulnerabilities in plugins (notifying the developer of the plugin about the disclosures only through the forum until that behavior is cleaned up), then looking at their response to that protest seems instructive.

Back in December we got contacted by one of the moderators on Twitter and they started the conversation with: [Read more]

16 Apr 2019

Why Is Samuel “Otto” Wood Making Claims About Us That Don’t Match Reality?

When it comes to our full disclosure of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum moderators, we are certainly not above being criticized, and any protest should be expected to have critics. What we have found, though, is that people frequently criticize us for things that are not close to true. For example, today, during an email conversation with the developer of a plugin who incorrectly believed we had falsely claimed their plugin contained a vulnerability (and threatened to sue us over that), they wrote this in regards to our reason for fully disclosing that vulnerability:

To further your pity party about yourself and being banned from WordPress. [Read more]

15 Apr 2019

Samuel “Otto” Woods Believes That “Magic Wizards” Discover Exploitable Vulnerabilities in WordPress Plugins

When it comes to the problems with the moderation of the WordPress Support Forum that led to us beginning to fully disclose vulnerabilities until that inappropriate behavior is cleaned up, there has been a continuing strange situation where people mix up cause and effect, somehow believing that we started our protest because we were banned from the Support Forum for our protest, which obviously makes no sense. The person that seems to be at the heart of that mix-up is the person in charge of the moderation of the Support Forum, Samuel “Otto” Wood, who also believes that “magic wizards” discover exploitable vulnerabilities in WordPress plugins.

In the comments of Ars Technica’s hit piece about us he commented and mixed things up again: [Read more]

30 Mar 2019

WordPress Plugin Team Paints Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Related Posts

When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:

Don’t post on things they don’t understand. This really ties into the last item since you often have moderators providing people incorrect information and then they appear to not be able to handle that someone provides information that disputes that, leading to accurate information being deleted. [Read more]

30 Nov 2018

Samuel “Otto” Wood Keeps Making it Seem Like He Wants WordPress Websites to Be Unnecessarily Hacked

On October 29th we detailed a vulnerability that had been fixed in the plugin AMP for WP – Accelerated Mobile Pages and started warning our customers if they were using a vulnerable version. What made this problematic was that while there was a fixed version available, since the plugin was closed, people could not use the normal update process in WordPress to update to it (though we were available to help our customers do that).

The inability to update was a serious issue, as on November 5, when the plugin was still closed, we noted this: [Read more]

5 Nov 2018

The WordPress Forum Moderators Keep Bizarrely Deleting Replies Just Saying Thank You

Where we first saw indications that something was very amiss with the moderation of the WordPress Support Forum was when a reply from someone just thanking us for answering a question they had was deleted. It didn’t make any sense to delete that, and it went against what people were being told about the limited circumstances in which things would be deleted from the forum:

When a post is made and people contribute answers to an issue, that then becomes part of the community resource for others to benefit from. Deleting posts removes this added value. Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern. [Read more]