Pluginvulnerabilities.com (White Fir Design LLC) is seriously undermining the security of the WordPress ecosystem.

Pluginvulnerabilities.com is a service of White Fir Design LLC, a company located in Denver, Colorado. They claim to offer “Real WordPress Security”. On their website, they also describe their service as “the best protection against the threat”.

Services they promote:
- Warning you if you’re using a vulnerable plugin.
- Monitoring the Plugin Directory for vulnerabilities.
- Helping developers fix vulnerabilities in plugin code (we’ll see if that’s true).

Unethical marketing efforts

Over the years, pluginvulnerabilities.com has tried to report vulnerabilities directly in the WordPress Support forums to get the attention of plugin users and plugin developers (most probably to promote their own service).

Since publishing security details directly on the support forums violates the forums’ own rules (and is hardly the most responsible way to disclose), the moderators have rightfully been removing their posts.

WordPress has a process for handling plugin vulnerabilities within the ecosystem, and apparently everyone else is fine with it. Here’s a quote by Samuel Wood (Otto).

The process is simple: if you find a vulnerability, and you can’t contact the plugin author directly, then email plugins@wordpress.org, we email them for you, and work with the authors to get the plugin patched. No fuss about it, nobody else has a problem with it. It’s simple. —Samuel Wood (Otto)

Banned for a lifetime by WordPress

According to the WordPress.org moderators, instead of adapting to the rules that everyone else follows on the support forums, they decided to carry on.

Seriously, this is a “security researcher” who is deliberately and maliciously using the spammer tactic of repeatedly creating fake accounts in order to try to bypass the moderation of our forums. They’re at over 100 fake accounts blocked already. — Samuel Wood (Otto)

Pluginvulnerabilities.com’s answer about the fake accounts is the following:

Blocking the accounts is a waste of time since we use the accounts once and then create a new account each time we do this, whether they are blocked or not (we wouldn’t even know if they were because we don’t keep the access information for the previous accounts), so you can save your time by not doing that. — Pluginvulnerabilities.com

Again, according to Samuel Wood (Otto), pluginvulnerabilities.com (White Fir LLC) has continually made inappropriate posts on the forums for over 2 years now. Instead of accepting the rules of the WordPress.org support forums, they have continuously violated them, refused to listen to the moderators, and for 6+ months have attempted to bypass the rules by creating literally hundreds of fake accounts.

You are banned from the forum, for life. — Samuel Wood (Otto)

Blackmailing WordPress support forums

Since pluginvulnerabilities.com does not accept the rules of the WordPress support forums and their fake accounts keep getting banned, they decided to start blackmailing WordPress.org.

They demand that WordPress.org “clean up the moderation”, or they will continue to undermine the security of the WordPress ecosystem by disclosing plugin security vulnerabilities to hackers without contacting the developers first.

They blame our moderators for not letting them post security issues in the forums, because we have rules against doing that, so in order to somehow punish us, they post these exploits publicly and then create fake accounts on the forums to attempt to post them there too. — Samuel Wood (Otto)

Here’s how pluginvulnerabilities.com set their ultimatum:

We don’t know how to say this any simpler, we are only doing these full disclosures because you refuse to clean up the moderation of the support forum. For some reason you are confusing the cause and effect here, the full disclosures are in response to your actions. Once you clean up your act, we can stop this. — Pluginvulnerabilities.com

Putting 70,000 websites at risk just to protest

On the 20th of March, pluginvulnerabilities.com posted to Twitter:

Through our proactive monitoring of changes being made to WordPress plugins we just confirmed a plugin with 70,000+ installs has a settings change vulnerability that permits persistent XSS. It looks like the kind of vulnerability that hackers would exploit. 1/
Due to the continued inappropriate behavior of the WP forum moderators we will be full disclosing that tomorrow morning unless @photomatt or someone else on the @WordPress team will finally agree to get the moderation of the forum cleaned up. 2/

On the 21st of March, pluginvulnerabilities.com disclosed an XSS vulnerability in the Social Warfare plugin that allowed attackers to remotely inject malicious JavaScript into a website.
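A “settings change vulnerability that permits persistent XSS” of the kind referred to above boils down to two defects: a settings handler that callers without the right privileges can reach, and a stored value that is later printed without escaping. The PHP below is an added, constructed illustration written for this page; it is not the Social Warfare plugin’s code and not anything published by pluginvulnerabilities.com, and every function, option, hook and nonce name in it is invented. It places the weak handler beside its hardened form so the difference a code reviewer looks for is visible in one place.

```php
<?php
/*
 * Constructed illustration (not Social Warfare's code, not from
 * pluginvulnerabilities.com): a WordPress settings handler that permits
 * persistent XSS, and the hardened form of the same handler.
 * All option, hook and nonce names below are made up for this example.
 */

// ---- Weak pattern --------------------------------------------------------
// 1. The AJAX action is also registered under the "nopriv" prefix, so
//    visitors who are not logged in can reach it.
// 2. No capability check and no nonce: any POST request can change the option.
// 3. The value is stored and later printed verbatim, so injected <script>
//    markup persists in the database and runs for every visitor.
function pv_demo_save_tagline_weak() {
    $tagline = isset( $_POST['tagline'] ) ? $_POST['tagline'] : '';
    update_option( 'pv_demo_tagline_weak', $tagline ); // stored unsanitised
    wp_die();
}
add_action( 'wp_ajax_pv_demo_save_tagline_weak', 'pv_demo_save_tagline_weak' );
add_action( 'wp_ajax_nopriv_pv_demo_save_tagline_weak', 'pv_demo_save_tagline_weak' );

function pv_demo_print_tagline_weak() {
    // Printed without escaping: whatever was stored is rendered as HTML.
    echo '<p class="tagline">' . get_option( 'pv_demo_tagline_weak', '' ) . '</p>';
}
add_action( 'wp_footer', 'pv_demo_print_tagline_weak' );

// ---- Hardened pattern ----------------------------------------------------
function pv_demo_save_tagline_hardened() {
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce that the settings page
    // issued with wp_create_nonce( 'pv_demo_save_tagline' ).
    check_ajax_referer( 'pv_demo_save_tagline', 'nonce' );

    // Sanitise on input: wp_unslash() undoes WordPress' magic-quotes slashing,
    // sanitize_text_field() strips tags, octets and control characters.
    $tagline = sanitize_text_field( wp_unslash( $_POST['tagline'] ?? '' ) );
    update_option( 'pv_demo_tagline', $tagline );
    wp_send_json_success();
}
// Deliberately NOT registered under wp_ajax_nopriv_: anonymous visitors have
// no business changing settings, so the handler is simply not exposed to them.
add_action( 'wp_ajax_pv_demo_save_tagline', 'pv_demo_save_tagline_hardened' );

function pv_demo_print_tagline_hardened() {
    // Escape on output as well, so a value written by any other path
    // (import, direct DB edit, an older plugin version) cannot run as HTML.
    echo '<p class="tagline">' . esc_html( get_option( 'pv_demo_tagline', '' ) ) . '</p>';
}
add_action( 'wp_footer', 'pv_demo_print_tagline_hardened' );
```

When auditing a plugin for this class of bug, the checklist is the four differences above: does any `wp_ajax_nopriv_` (or unauthenticated REST/`admin-post`) hook write settings; is there a `current_user_can()` check; is there a nonce check; and is the value both sanitised when stored and escaped when printed. Plugins that go through the Settings API get the first part for free by passing a `sanitize_callback` to `register_setting()`, but the output escaping still has to be done by hand.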

Instead of reporting the vulnerability to the developers so they could fix it before disclosure (the usual responsible-disclosure practice), pluginvulnerabilities.com intentionally posted a proof of concept showing how to exploit the plugin and shared it on Twitter.

As far as we can tell, they made no attempt to contact us, and no attacks took place until they published their proof of concept. They single-handedly handed the exploit to hackers. — Developer of the Social Warfare plugin

Pluginvulnerabilities.com replied to the developer with the following statement:

If the WordPress team would agree to cleaning up the moderation then these full disclosures could stop immediately, we hope this is the moment where they finally agree to that. — Pluginvulnerabilities.com

Many people and companies were directly affected by pluginvulnerabilities.com’s irresponsible and unethical decision to fully disclose the vulnerability (and a PoC) to hackers without contacting the developers first.

Here’s what some victims said:

My wife and I run a small cottage industry. We lost a couple of hundred subscribers yesterday because of your wounded pride. That’s an economic hit I’m taking because of your actions. And this is supposed to increase my faith in your business? Please reconsider. — Reddit user

Continuing with the irresponsible disclosures

On the 26th of March, pluginvulnerabilities.com published another vulnerability disclosure with a proof of concept on their blog, again with the sole purpose of protesting against the WordPress.org support forums to get their demands met.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. — Pluginvulnerabilities.com

Pluginvulnerabilities.com make “WordPress ecosystem more secure for everyone”

While they claim on their website to offer “Real WordPress Security” and to make the “WordPress ecosystem more secure for everyone”, they seem to have been blinded by their own pride.

On their blog and on Twitter, they actively criticize other security vendors in the WordPress ecosystem (examples: 1, 2, 3, 4, 5), without seeing any fault in their own activities.

If you ever decide to use their “Plugin Security Checker” service, keep in mind that they might use their findings to protest against WordPress.org.

The results of this scan might be logged and publicly disclosed. — Pluginvulnerabilities.com

UPDATE (April 15th): Over the past weeks they have continuously released 0-days, now affecting more than 160,000 websites (source).