Is full disclosure okay with WordPress plugins, i.e. publishing injections? (2 posts)

  1. planetzuda
    Posted 3 years ago

    My company does security research on third party WordPress plugins, among many, many other things. We penetrate third party WordPress plugins all the time on our localhost. The programmers sometimes release a patch; other times they never fix the problem. If a patch is released, I publish an article telling people to upgrade. Since my company wants to respect WordPress and everyone who uses its platform, I am unsure if we should publish articles about plugins that developers tell me they have abandoned, and about others who don't patch security holes. Is there another way to deal with the issue? If my company found security holes in Jetpack or a theme by WordPress, then I would contact WordPress security, but I am at a loss with negligent 3rd party developers. Any advice is appreciated.

  2. "Since my company wants to respect WordPress and everyone who uses its platform"

    It's an old (abused, maligned, beaten into the ground...) topic called "how do I report security issues responsibly without doing a ton of damage for no reason except to be able to say 'FIRST!' and still be responsible?" ;)

    I suggest you give this a read.


    For 3rd party software, or any software that is hosted on WordPress.ORG's repository here, please follow this link for reporting issues like that.


    It has happened in the past that code has been here and the appropriate thing to do was to remove that plugin (or theme) from being downloaded here. Sometimes no one can get hold of the developer, and it's a risk to permit people to continue to download that plugin or theme.

    You have to be responsible, and WordPress.ORG takes security exploits in code hosted here very seriously. If you or anyone has a proof of concept for some code here, then please report it via the link above.

Topic Closed

This topic has been closed to new replies.

About this Topic