[wp-hackers] Evaluating impact from yesterday's Trojan'd plugins?

Claude Needham gxxaxx at gmail.com
Wed Jun 22 14:12:35 UTC 2011

On Wed, Jun 22, 2011 at 6:27 AM, Alexander Concha <alex at buayacorp.com> wrote:
> I do not know any specific list related to WordPress security.
> Sometimes, there are reports in the Full Disclosure list
> (http://seclists.org/fulldisclosure/).

Thanks for the link to seclists.org fulldisclosure
Quite an onslaught of sec info.

As I understand the situation here:

wp.org is hosting some plugins.
Three (or more?) plugins were updated with trojans
wp.org (and friends) discover these trojans
wp.org takes steps to remove the trojans.
wp.org pushes an update.
wp.org takes steps to prevent or mitigate such future events.

All of this is quite laudable. Good job.
The one step that seems to be missing is
wp.org sends message to interested listeners letting them know what is

Based on the excellent performance in each of the other steps, I
figure there must be a twitter, facebook, email list, blog, something
where this information would have been communicated.

Thanks to Doug, I found out about it here. But, it would be good to
have a little more of an ear to the ground on such issues. Hence, the
hunt for where to put my ear.


More information about the wp-hackers mailing list