Plugin disappears from repo as vulnerability is revealed?

  • Hi,
    Are there any rules about triaging security vulnerabilities in plugins?

    I was a fan of Form Lightbox {DEAD LINK}, a simple plugin that let you embed a form in a lightbox.

    There’s a giant security hole in the plugin. I’ve had 4 sites exploited using it. A simple Google search reveals a number of others that have been bitten.

    If WordPress.org pull the plugin, and the author fails to patch it and make it available again, can someone else step up, take it over and issue a patch?

    Otherwise, those affected are left high and dry (until they find out how their sites are being pwned, by other means).

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    If WordPress.org pull the plugin, and the author fails to patch it, and make it available again, can someone else step up, take it over and issue a patch?

    If we pull the plugin for security reasons, then the author usually patches it. If it’s severe enough, we may patch it ourselves after an author does not respond. This is handled on a case by case basis.

    Moderator Justin Greer

    (@justingreerbbi)

    Forum Moderator

    Just wanted to add to the response from Otto. If things align correctly, a person can take over a plugin.

    Please see: Take Over an Existing Plugin

    Hi,

    Yes, or maybe there is a security scan on your hosting which detects it?
    [redacted]

  • The topic ‘Plugin disappears from repo as vulnerability is revealed?’ is closed to new replies.