@pluginvulns.bsky.social
Provider of service to protect websites from being exploited due to vulnerable WordPress plugins. https://www.pluginvulnerabilities.com/

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of June 6
06.06.2025 22:01

WordPress Firewall Plugin Claimed to Protect Against "Any Threat" Doesn't Stop Even One Simulated Attack From Firewall Testing Tool
03.06.2025 22:30

Patchstack Now Withholding Misappropriated Information Needed to Secure Plugins in WordPress Plugin Directory From WordPress
30.05.2025 22:30

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 30
30.05.2025 22:01

Perhaps you could explain to your members that they shouldn't lie about the CRA as an excuse to withhold security vulnerability information from the open source WordPress project, which is putting millions of websites at unnecessary risk of security issues.
30.05.2025 20:57

The WordPress Meta team holding up the community once again.
30.05.2025 20:28

Also worth re-upping is that Five for the Future pledges are in general highly suspect.
It is one of the many things that are in need of reform with WordPress.
With Automattic announcing a return to contributing to WordPress, it's worth noting that there hasn't been a change with the cited reasons they gave for reducing their contributions in January.
WP Engine's lawsuit is still on and they haven't boosted their contributions.
WP Engine Study Finds That Security Is Somehow Considered One of WordPress' Benefits and Also Disadvantages
28.05.2025 22:00

The unfixed vulnerability that support forum discussion is about is something we posted was likely being targeted by a hacker last week.
27.05.2025 22:20

Are you going to cover how Patchstack is refusing to provide WordPress with information needed to properly handle vulnerable plugins? This is leading to websites remaining vulnerable to easily fixed vulnerabilities.
27.05.2025 22:20

Patchstack are claiming the EU Cyber Resilience Act (CRA) requires this.
It isn't the first time they have lied about that act.
The US Government through their funding of CVE is also supporting this.
27.05.2025 21:33

Joost de Valk (@joost.blog) is funding what is basically a man-in-the-middle (MiTM) attack against WordPress.
27.05.2025 21:33

Patchstack tries to get people to report plugin vulnerabilities to them instead of developers or WordPress. Now they are refusing to provide the information to WordPress.
27.05.2025 21:33

We provided our customers with the details of the vulnerability last week.
27.05.2025 20:48

Would anyone guess that this changelog entry for a WordPress plugin with 2+ million installs was referring to fixing a vulnerability?:
"Improved context-dependent escaping in dynamic content tags."
"we always take security seriously" - WordPress plugin developer who still hasn't fixed an exploitable vulnerability two months after apparently being notified of it
27.05.2025 19:00

Is anyone keeping track of incident reports that haven't even received a response?
We still haven't received a response for one we filed in January of last year. It involved, among other things, returning a known vulnerable plugin to the plugin directory.
Patchstack claimed today that over 100,000 websites are affected, but as we noted last week, it is significantly less than that.
27.05.2025 17:24

A WordPress plugin with 100,000 installs has an unfixed vulnerability being targeted by a hacker and Patchstack's response is to suggest you pay them $5 a month for a firewall rule they call a "patch".
WordPress could release a real patch for free. We would provide them with the patch for free.
In other areas the team are still failing pretty badly. A situation like this one shouldn't happen. We have offered for years to provide fixes to stop this sort of thing from happening, and yet it keeps happening. 2/2
27.05.2025 17:12

As we said in a comment we just left on the post, it is great that automated testing finally got implemented, as it has addressed a lot of issues that should have been caught for a long time.
But there still look to be significant problems with the review process, like this. 1/2
WordPress Plugin Submission Review Seems to Have Failed Badly With ConvertPro
23.05.2025 22:31

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 23
23.05.2025 22:00

Long Overdue Security Review of WordPress Would Cost Only 0.25% of WP Engine's Estimate of Cost of One WordPress Website
23.05.2025 18:00

Mary Hubbard goes on to say "If we continue to center empathy, transparency, and the shared goal of making WordPress better for everyone, we won't just be stronger. We'll be ready for whatever comes next."
When has WordPress centered transparency?
Mary Hubbard:
"Rotating roles can help us avoid centralizing too much authority in any one place, and it guards against the single points of failure that open source and communities should always aim to minimize."
Is rotating roles going to apply to her boss Matt Mullenweg?
WordPress Hasn't Addressed Hacker Targeted Plugin With 100,000+ Installs That Has Unfixed "Critical" Vulnerability
22.05.2025 20:00

8 months after a vulnerability was reported to someone, it still hasn't been fixed.
It's unclear what happened here, but the developer claims that the vulnerability was reported to @patchstack.com instead of to them. They say Patchstack made a public claim after 6 months, but didn't notify them.