The WordPress plugin zero-day exploits continue. The same individual who published the Social Warfare vulnerability continues to release proof-of-concept code for exploiting unpatched vulnerabilities in other WordPress plugins.
Warfare Plugins also published details about the Social Warfare plugin security hole, the timeline of the issue, and the steps they took to fix it. I’m glad to see a full accounting of the problem. This definitely restores some confidence in the company and the software.
The Warfare Plugins post links to details of the individual’s efforts to expose security holes in WordPress plugins. The brief take-away is that there is someone with a vendetta against the WordPress.org forum moderators, and they are using that as an excuse to release proof-of-concept exploit code.
Unfortunately, this is only to the detriment of site owners such as small businesses, individuals, and other companies. The individual claims to be protecting the WordPress community. But their actions have the immediate effect of making WordPress users less secure. This all seems to be an effort to promote their own services.
I hope this prompts more plugin authors to proactively audit their code instead of waiting for a vulnerability to be exploited. These types of vulnerabilities are a problem and can be a result of lax coding practices. But releasing proof-of-concept code into the wild is not helping anybody.