Elliot’s plugin was yanked. It’s not the end of the world. He can still post in forums. Don’t make a mountain out of that molehill. I do this to about 10 people a day on average, and most get their code access back within 5 days. It happens, we learn from it. The severity of the situation is what mandates how we handle this.
I’m still a bit confused on the “we couldn’t tell plugin authors” point. I’m genuinely curious how this is any different from the 4.1.2 security release, when a number of plugin authors were informed ahead of time and it was high-fives all around on the large coordinated effort to keep everyone’e sites secure and functional?
A few things were at play here.
1) It was a plugin author who brought the issue to the masses
2) It was a security issue both within core AND the plugins, so a coordinated fix had to be pushed. If we’d only patched the plugins and not core, there would still be issues. Had we only patched core and not the plugins, again, still issues.
3) The number of plugins and their users were much higher than the number of users being impacted today. Yes, it’s a numbers game.
4) The more people who know about a security hole, the more likely it is to be leaked.
If you want a better example, take into consideration the Genericon’s readme hack. Plugin authors were NOT told about it. The code was ripped from themes and plugins without notice. THEN they were told.
But this was a vulnerability that was only in core, that could only be secured in core, and that affected a much smaller number of people than you think. Yes, the people it impacts are hit hard, but it really is a very small amount. That doesn’t make it more or less horrible, it just sets the expectations differently.
We have to weigh the options. Break plugins or leave people open for a hack. Break 1% (max) of people using WordPress or leave 24% of the entire internet vulnerable. The needs of the many win out on this one.
