31 Jan 2023

Hacker Might Be Exploiting Unfixed Plugin Vulnerability That WPScan, Patchstack, and Wordfence All Claimed Was Fixed

In a now-deleted review of the WordPress plugin Beautiful Cookie Consent Banner, someone claimed that the plugin is insecure and causes malware infections:

The plugin is full of malware. Check your source code and run a security check. If you have malware, it's this plugin!!! [Read more]

5 Dec 2022

WordPress Deletes Negative Review of Wordfence Security Mentioning “Horrific” Wordfence Response Experience

Recently, we mentioned that the moderation of the WordPress Support Forum seemed to be moving in a better direction, but that things were still not in great shape. Last week we noted yet another problem. In the latest instance, we noticed the moderators removed a negative review of a company that they have frequently promoted.

One of the problems with the reviews of WordPress plugins on the WordPress website, which fall under the support forum moderators' purview, is that they often are not reviews of the plugins at all, but of paid services connected with them. That is often rather unhelpful. For example, many five-star reviews of a security plugin touting how responsive the paid support is don't help anyone determine whether the security plugin actually provides the protection it claims to. The justification given for allowing this is: [Read more]

31 Oct 2022

WordPress Changes Support Forum Policy on Discussing Vulnerabilities, Moderators Still Not Following Their Own Rules

The moderation of the Support Forum for WordPress has long been a mess. That is particularly true when it comes to security. Part of the problem is that it isn't possible to abide by the rules. There are stated rules and then there are unstated rules, both of which the moderators sometimes enforce and sometimes don't. So you can end up getting in trouble while abiding by what appear to be the rules. Making things more problematic, the moderators don't always even tell people what they are supposed to have done wrong. The moderators seem to be able to do whatever they want, and in the past they have changed the rules when it was pointed out that they were violating them.

Last month, the Support team's meeting summary noted a change in the handling of discussions of plugin vulnerabilities: [Read more]

25 Apr 2022

WordPress Support Forum Moderator Falsely Claims That There Are Not Plugins With Known Unfixed Vulnerabilities in WordPress Plugin Directory

One of the ways we are able to provide our customers with better information on vulnerabilities in WordPress plugins than our competitors is by monitoring the WordPress Support Forum for topics related to them. Besides information useful for that, the monitoring also alerts us to other security-related discussions. Through that, we often find the moderators of the forum spreading security misinformation to the WordPress community. One such instance came over the weekend, when a moderator, Yui, wrote this:

Otherwise, please note, there are no plugins with known unfixed vulnerabilities that remain active in WordPress plugin directory. [Read more]

13 Aug 2019

WordPress Support Forums Moderators Again Delete Messages Pointing Out Their Behavior is Bad for the WordPress Community

Yesterday we noted how a moderator of the WordPress Support Forum was getting in the way of people looking for help dealing with the exploitation of a fixed vulnerability in the plugin Simple 301 Redirects – Addon – Bulk Uploader. Today, when we went back to the topic that was the source of that post, we found that many of the replies on that topic, including almost all of the ones we had quoted, had been removed. In total, only 3 of the previous 11 replies remained. Some of those removed pointed out how what the moderator was doing was bad for the WordPress community. The moderator's own replies were also removed. You can see the replies as they were at the time of the previous post here and what is there at this moment here. That is in line with the kind of inappropriate behavior by those moderators that we have seen for years and that led us to start a protest against it nearly a year ago.

You can get a better understanding of the mess that is the moderation, and the related poor handling of the Plugin Directory, from the message left earlier today by a moderator, Ipstenu (Mika Epstein), who also leads the six-person team running the Plugin Directory (with our commentary inserted): [Read more]

12 Aug 2019

WordPress Support Forum Moderator Gets in Way of Users Dealing With Hack of Simple 301 Redirects – Addon – Bulk Uploader

When vulnerabilities in WordPress plugins get exploited, many of those impacted don't have a good understanding of what is going on. One example we have seen frequently in recent instances is that people are confused into believing that the version that fixes the vulnerability instead contains malicious code, when what they are seeing is the result of their website already having been hacked. That seems to be in part because they don't understand that the new version doesn't undo what the hackers have already accomplished. The best approach for people in that situation would be to hire professionals like us to clean the website, since we can help to explain what is actually going on and make sure the issue has been fully resolved. The next best would be for people to discuss it on the support forum for the plugin, but as has happened with the plugin Simple 301 Redirects – Addon – Bulk Uploader, that runs into the problematic moderators of the WordPress Support Forum.

In a recent topic for the plugin someone asked a reasonable set of questions: [Read more]

17 May 2019

WordPress Support Forum Moderator Jan Dembowski Gets in the Way of People Dealing With Hacks Due to WP Live Chat Support

On Wednesday, Sucuri disclosed a settings change vulnerability that leads to persistent cross-site scripting (XSS), which they had discovered in the WordPress plugin WP Live Chat Support, after it was partially fixed earlier that day. That same day we warned our customers about the vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (along with several other plugins), so we expected that it wouldn't be long until public reports of it being exploited cropped up.

A few hours ago a topic started on the WordPress Support Forum in which people discussed that they had been hacked and tried to understand what was going on. Like clockwork, the moderators of the Support Forum started causing problems. Numerous replies have been deleted, many of them without any apparent reason, and then the topic was closed. One of the moderators we have frequently seen causing problems (and someone who we are not alone in believing has serious issues that should probably preclude them from being in that role) explained the closure this way: [Read more]

7 May 2019

WordPress Support Forum Moderators Really Don’t Understand What Disclosure of a Vulnerability Is

One of the strange issues we have seen for years with the moderators of the WordPress Support Forum is that they do not understand at all what disclosing a vulnerability is. That has even occurred with the person in charge of the team running the Plugin Directory, who certainly should understand what is and isn't disclosure of a vulnerability, since they deal with vulnerabilities on a regular basis. That continues to be a problem. The latest instance involved a review of a plugin we mentioned yesterday in the context of people failing to keep their plugins up to date, which would have prevented them from being hacked. One of the reviews we cited part of reads in full:

DO NOT USE THIS PLUGIN
This plugin left my company website vulnerable to an XSS attack on May 04, 2019 that caused visitors to be redirected to malicious spam websites. The issue was confirmed by multiple people, including WebARX Security. Excerpt from the WebARX writeup: [Read more]

29 Apr 2019

Are Security Journalists Going to Report on WordPress Leaving Tens of Thousands of Websites Vulnerable to Widely Exploited Vulnerability?

One of the ways that we keep track of publicly disclosed vulnerabilities in WordPress plugins for our customers is by monitoring the WordPress Support Forum for relevant messages. Over the weekend, that alerted us to a reply related to the plugin Related Posts:

@anevins but it's been posted since 2 weeks and a few days ago and there isn't any news from the author. While it's obvious where the hacker exploited the plugin, it should take this long to fix it. [Read more]

22 Apr 2019

WordPress Believes That Leaving Millions Of Installs of Plugins Vulnerable To Publicly Known Vulnerabilities Is “Appropriate Action”

If you want to better understand what is amiss with the moderators of the WordPress Support Forum, their response to our protest seems instructive. Their inappropriate behavior goes a long way to explain why we started fully disclosing vulnerabilities in plugins and only notifying the developers of those plugins about the disclosures through the forum, until that behavior is cleaned up.

Back in December, one of the moderators contacted us on Twitter and started the conversation with: [Read more]