20 Mar 2019

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, whom we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it came to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:

Hi, [Read more]

13 Dec 2018

The Strange Behavior of Moderators of the WordPress Support Continues With Response to Our Protest

When it comes to the inappropriate behavior on the part of the moderators of the WordPress Support Forum that has led to us fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, one thing that stands out is how strange so much of it is. If the moderators were, say, being paid off to delete reviews of plugins you could understand the motive behind it, but with what is going on so much of it is head scratching. Why would a moderator delete a reply just saying thank you, which is something we have run across moderators doing recently as well as years ago? So it probably isn’t surprising that the first direct response from someone on the WordPress side of things to our protest doesn’t even really make sense.

That comes from one of the problematic moderators and starts with this: [Read more]

7 Dec 2018

WordPress Support Forum Moderator Thinks Hiding Security Issues is a Bad and Good Idea at the Same Time

When it comes to the mess that is the moderation of the WordPress Support Forum, a central problem is that the moderators seem to be unwilling to allow people to discuss things that disagree with their beliefs. For example, last week we mentioned how at first replies were deleted and then a whole topic was closed when people put forward the idea that people shouldn’t be left in the dark about closed plugins. The moderator that seems to be at the heart of that was the frequently problematic Jan Dembowski, who doesn’t believe that even asking about closed plugins is a valid support question (which we still don’t understand).

That same moderator popped up a couple of times in the last week in the email alerts we have set up to monitor the forum for discussions about security issues. In those they seemed to highlight that these moderators are not thinking through what they are saying and doing, which is a big problem when they stop discussions that could help to avoid unnecessary hacks of WordPress websites caused by the poorly thought out actions of the WordPress Plugin Directory team (as occurred recently with the plugins WP GDPR compliance and AMP for WP). [Read more]

5 Nov 2018

More of WordPress Support Forum Moderator Jan Dembowski’s Bizarre Handling of People Trying to Deal With Closed Plugins

In protest of the continued inappropriate behavior by the moderators of the WordPress Support Forum, just over a month ago we started fully disclosing vulnerabilities until the moderation is cleaned up. So far that hasn’t caused them to change their behavior (apparently continuing to act inappropriately is the only thing they seem to care about, considering they haven’t even bothered to notify the developers of those vulnerabilities). In the meantime we have continued to run into more examples of them bizarrely getting in the way of the WordPress community.

We haven’t been alone in having run-ins with one of those moderators, named Jan Dembowski, acting bizarrely. [Read more]

5 Nov 2018

The WordPress Forum Moderators Keep Bizarrely Deleting Replies Just Saying Thank You

Where we first saw indications that something was very amiss with the moderation of the WordPress Support Forum was when a reply from someone just thanking us for answering a question they had was deleted. It didn’t make any sense to delete that, and it went against what people were being told as to the limited circumstances in which things would be deleted from the forum:

When a post is made and people contribute answers to an issue, that then becomes part of the community resource for others to benefit from. Deleting posts removes this added value. Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern. [Read more]

17 Oct 2018

Making Sense of WordPress’ Inability To Be Consistent When it Comes To Warning About Insecure Plugins

Last week we discussed the hiding of pertinent information when WordPress plugins are closed on the Plugin Directory for “security issues”, in relation to a plugin named Testimonial Slider. Since that post, the support topic that first drew us to that has gotten a response from one of the six members of the team running the Plugin Directory (that person, it turns out, is also in control of the moderation of the Support Forum):

Does it matter? It is insecure, and not being updated any longer. [Read more]

16 Oct 2018

It Is Bizarre That a WordPress Support Forum Moderator Thinks It is Inappropriate to Discuss Supposedly Valid Actions

When it comes to the inappropriate behavior by the moderators of the WordPress Support Forum that has led to us doing full disclosures of WordPress plugin vulnerabilities until that gets cleaned up, it is amazing how much of it is just downright bizarre.

After the plugin Verify Google Webmaster Tools was closed on the Plugin Directory, someone started a topic with a perfectly valid support question: [Read more]

10 Oct 2018

WordPress Hides Accurate Information on the Security of WordPress Plugins, While Highlighting Inaccurate Information

Part of the mess we have seen when it comes to what can and can’t be mentioned about the security of WordPress plugins on the WordPress Support Forum is that accurate information about the security of plugins is often removed, while inaccurate information is often left up. That creates a situation where there is an incorrect belief that insecure plugins are secure and that secure plugins are insecure.

As an example of that, a couple of years back we had responded to a topic on the Support Forum where a couple of people were wondering if what looked like probing for usage of the plugin JQuery Html5 File Upload was related to a vulnerability being exploited. We had responded that the likely cause of that was a false report of a vulnerability, of a type that was likely to be exploited, which had been released the week before. The original poster had thanked us for that information and then marked the topic resolved. Three months later our reply and the one just thanking us were deleted, with no reason given, which seems very odd. [Read more]

5 Oct 2018

Our Effort to Get the WordPress Support Forum Moderation Cleaned Up is Not Actually an Attempt to Promote Our Blog or Plugin

As we mentioned earlier this week, WordPress keeps making things worse when it comes to security, as they decided to compound other problems by removing our plugins from the Plugin Directory. That means, for example, that people can’t get warned about unfixed vulnerable plugins that are being exploited, while WordPress refuses to fix or warn people about those very vulnerabilities (which makes sense to them and, as far as we can tell, no one else). Why do this? Well, it might be because they really can’t even grasp that people actually don’t agree with what they are doing in the forum (which isn’t restricted to how they handle security related topics) and they have to create an alternate explanation that makes them feel better (we have seen that kind of behavior from them going back years, which we should probably discuss in a separate post). We say that based on this claim from the developer of one of the plugins we disclosed a vulnerability in, from the day after the plugins were removed:

Basically, we weren’t escaping/sanitizing some attributes and random security audit person trying to promote their blog and plugin decided to submit a report as they should. This led to the WordPress admins immediately taking the plugin down temporarily in case it was being exploited. They then notified us of this happening. This has made us thoroughly audit EVERY line of code in our plugin. [Read more]

2 Oct 2018

WordPress Makes It Even Harder To Be Protected Against Vulnerabilities in WordPress Plugins

In dealing with issues surrounding vulnerabilities in WordPress plugins for too many years, what we have come to find is that the people on the WordPress side of things seem to be less interested in actually protecting against them and more interested in covering up the problems, leading to websites unnecessarily being hacked.

This appears, whether intentional or not, to start at the top. Here is what Matt Mullenweg wrote in February of last year on what are the “biggest issues” when it comes to WordPress security: [Read more]