[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Jacob Snyder jacobsnyder at gmail.com
Fri Mar 28 16:51:44 UTC 2014


I disagree with the sentiment that discussing vulnerable plugins is a bad
topic for this list (am I wrong?). I do want the info, and I would opt in
to Harry's list, but I don't see why I have to. This backlash from a few
people seems a little strong...


On Fri, Mar 28, 2014 at 11:38 AM,
<wp-hackers-request at lists.automattic.com>wrote:

> Send wp-hackers mailing list submissions to
>         wp-hackers at lists.automattic.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.automattic.com/mailman/listinfo/wp-hackers
> or, via email, send a message with subject or body 'help' to
>         wp-hackers-request at lists.automattic.com
>
> You can reach the person managing the list at
>         wp-hackers-owner at lists.automattic.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of wp-hackers digest..."
>
>
> Today's Topics:
>
>    1. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress
>       plugin) (Harry Metcalfe)
>    2. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress
>       plugin) (Harry Metcalfe)
>    3. Re: CSRF vulnerability in WP HTML Sitemap 1.2     (WordPress
>       plugin) (Nikola Nikolov)
>    4. Re: CSRF vulnerability in WP HTML Sitemap 1.2     (WordPress
>       plugin) (Scott Herbert (via Phone))
>    5. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress
>       plugin) (Harry Metcalfe)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 28 Mar 2014 16:34:03 +0000
> From: Harry Metcalfe <harry at dxw.com>
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
> Message-ID: <5335A47B.5030004 at dxw.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> > There must be hundreds or thousands of plugin with security issues. I
> > don't think everybody will be interested to know vulnerabilities in
> > them.
> I'm honestly not sure how to respond to that. I don't think I know
> anyone who doesn't care about having an exploitable website. I agree
> that there are hundreds of vulnerable plugins. That's what we're trying
> to help fix, because it's unacceptable!
>
> > I guess most of the user of the plugin are not going to read this.
> We'll do the best we can to make sure everyone who is interested will
> find out. We currently:
>
>   * Publish to our website
>   * Tweet from @dxwsecurity
>   * Post to wp-hackers and Full Disclosure
>   * Request a CVE
>
> If you have any ideas about how we can spread the word more, I'm all ears.
>
> Harry
>
>
> On 28/03/2014 16:06, Varun Agrawal wrote:
> > Hi Harry,
> >
> >> It was my assumption that this list would be interested to know about
> vulnerable plugins.
> > There must be hundreds or thousands of plugin with security issues. I
> > don't think everybody will be interested to know vulnerabilities in
> > them.
> >
> >
> >> we are disclosing the vulnerability in order that anyone using this
> plugin can take steps to protect themselves.
> > I guess most of the user of the plugin are not going to read this.
> >
> >
> > -Varun
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> --
> Harry Metcalfe
> 07790 559 876
> @harrym
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 28 Mar 2014 16:36:57 +0000
> From: Harry Metcalfe <harry at dxw.com>
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
> Message-ID: <5335A529.1060209 at dxw.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> If reports are acknowledged, and plugin authors keep us in the loop,
> we've so far always published on the same day as an update is released,
> with advice to update to the new version as soon as possible. I think
> the only circumstances under which we might publish sooner than that
> would be for a very serious vulnerability that the plugin author was not
> taking seriously.
>
> Harry
>
>
>
> On 28/03/2014 16:31, Nikola Nikolov wrote:
> > @Chris - they are actually giving plugin authors 14 days to acknowledge
> the
> > report - which I assume means to just send an email along the lines of
> > "Okay, I'll take care of that ASAP". And again - 14 days is not a long
> time
> > - sometimes I'd away(and without internet access) for more than that.
> >
> > I do agree that posting a proof of concept is not a good idea so soon.
> For
> > instance Wordfence sends out emails to their subscribers when plugin
> > vulnerabilities have been found(and usually when their users have
> suffered
> > from those vulnerabilities) and suggest what action users should take.
> For
> > instance "Plugin author has responded and patch is available in the next
> > release, available now", or "disable and delete plugin until a patch is
> > released or "contact plugin author".
> >
> >
> > On Fri, Mar 28, 2014 at 6:20 PM, Chris Christoff <hello at chriscct7.com
> >wrote:
> >
> >> -- Please reply above this line --
> >>
> >> -----------------------------------------------------------
> >> ## Chris replied, on Mar 28 @ 12:20pm (AMT):
> >>
> >> I also disagree with how the issues are being disclosed.
> >>   First off 14 days really isn't a long enough time. Imagine this
> >> scenario:
> >>   Day 1: Friday: Reported to WP Security team
> >>   Day 1: Security team sends email to plugin author
> >>   Day 4: Monday: Plugin author begins reading his emails about his
> >> plugins that came in over the weekend and notices security email.
> >>   Day 7: Thursday: Assuming the bug is easy to fix, an update is patch
> >> is submitted as an update to WordPress.org
> >>   Day 8: Update notifications begin to appear in WordPress backend,
> >> given its now Friday, most users (if they even log into their site on
> >> Fridays, will put off updating it till Monday mostly so they can read
> >> through the changelog.
> >>   Day 11: Users read through changelog and *hopefully* begin updating.
> >>
> >>   The problem is, this made 2 assumptions. First, you assume all
> >> security vulnerabilities are both easy to fix, and the plugin can be
> >> re-audited quickly. While most are likely easy to fix (ala the ones
> >> reported thus far), most authors would also want to re-audit their
> >> plugins codebase, and for anything over 100k LOC that's going to take
> >> a lot of time. Second, you've only given users 3 days to update in
> >> this scenario. Some users will not update the first week after an
> >> update has been patched. Some not even the first 2 weeks. Maybe they
> >> are enterprise or large business sites where they have to get approval
> >> and independent testing must be done prior to accepting the patch.
> >> Maybe, they are scared of updates for whatever reason and they want to
> >> read reports the update hasn't broken someone's site first.
> >>
> >>   In any event, the "14 days" should be upped to the industry standard
> >> 30 days. Currently, in a good case scenario (like the one above)
> >> you've given users 3 days to update before you reveal a direct proof
> >> of concept of how to exploit the vulnerability.
> >>
> >>   Even after 30 days, publishing a complete example of how to use the
> >> vulnerability is still not all too responsible. I would move to a
> >> system where you say what you can do to mitigate the issue after 30,
> >> and then hold off on proof of concept for 60-90 days post report.
> >>
> >>   Finally, I'd have to agree with the others. Posting vulnerability
> >> reports here isn't going to alert the majority of the affected users,
> >> and it has that spammy feel (even though its not spam).
> >> --
> >> Chris Christoff
> >> hello at chriscct7.com
> >> http://www.chriscct7.com [1]
> >> @chriscct7
> >> If you feel the need to donate, as a college student, I appreciate
> >> donations of any amount. The easiest way to donate to my college fund
> >> is via the donation button at the bottom of my
> >> homepage: http://chriscct7.com/ [2]
> >>
> >> Links:
> >> ------
> >> [1] http://www.chriscct7.com
> >> [2] http://chriscct7.com/
> >>
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:06pm (AMT):
> >>
> >> Hi Harry,
> >>
> >>   >It was my assumption that this list would be interested to know
> >> about vulnerable plugins.
> >>
> >>   There must be hundreds or thousands of plugin with security issues. I
> >>   don't think everybody will be interested to know vulnerabilities in
> >>   them.
> >>
> >>   >we are disclosing the vulnerability in order that anyone using
> >> this plugin can take steps to protect themselves.
> >>
> >>   I guess most of the user of the plugin are not going to read this.
> >>
> >>   -Varun
> >>   _______________________________________________
> >>   wp-hackers mailing list
> >>   wp-hackers at lists.automattic.com
> >>   http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:52am (AMT):
> >>
> >> Hi Chris,
> >>
> >>   We're aware of that, but not sure what alternative there is if the
> >>   people who write plugins don't contact us when we report issues to
> >> them.
> >>   We try to give people enough time to fix things, but if it doesn't
> >> look
> >>   like they're going to, we believe it is the responsible thing to do
> >> to
> >>   publish vulnerabilities so that people affected by them can take
> >> steps
> >>   to protect themselves.
> >>
> >>   Our disclosure policy is here
> >> <https://security.dxw.com/disclosure/>,
> >>   and we always draw people's attention to it (see below). All that
> >> said,
> >>   it is a difficult area and I'm certainly open to suggestions about
> >> how
> >>   to do it better.
> >>
> >>   Harry
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:29am (AMT):
> >>
> >> I think Daniel was refering to posting to a public list, some
> >> malicious
> >>   people could take advantage of this, and cause some havoc.
> >>
> >>   _______________________________________________
> >>   wp-hackers mailing list
> >>   wp-hackers at lists.automattic.com
> >>   http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:46am (AMT):
> >>
> >> Hi Daniel,
> >>
> >>   This vulnerability was reported to plugins at wordpress.org on 2nd
> >>   February. The author has not responded, so we are disclosing the
> >>   vulnerability in order that anyone using this plugin can take steps
> >> to
> >>   protect themselves.
> >>
> >>   This is certainly not an advertisement.
> >>
> >>   Administrivia: It was my assumption that this list would be
> >> interested
> >>   to know about vulnerable plugins. If anyone has strong feelings for
> >> or
> >>   against that assumption, please let me know off-list. If there is a
> >>   consensus we will honour it.
> >>
> >>   Cheers,
> >>
> >>   Harry
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:41am (AMT):
> >>
> >> Hi Harry,
> >>
> >>   Please refrain from advertising on this list. Plugin security issues
> >> should
> >>   be reported to plugins at wordpress.org
> >>
> >>   Thanks.
> >>
> >>   _______________________________________________
> >>   wp-hackers mailing list
> >>   wp-hackers at lists.automattic.com
> >>   http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >> -----------------------------------------------------------
> >>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> --
> Harry Metcalfe
> 07790 559 876
> @harrym
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 28 Mar 2014 18:37:16 +0200
> From: Nikola Nikolov <nikolov.tmw at gmail.com>
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
> Message-ID:
>         <CAOwx47eeAh6Es3zKB7Mjvvz3kN6WpWpKtqE=+
> TyqS_rkWwA1Gw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'd suggest creating a mailing list - this way people can actually opt-in
> to those emails(so people here that don't want to receive that kind of
> information will not and those who want can sign-up for it).
>
>
> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com> wrote:
>
> > There must be hundreds or thousands of plugin with security issues. I
> >> don't think everybody will be interested to know vulnerabilities in
> >> them.
> >>
> > I'm honestly not sure how to respond to that. I don't think I know anyone
> > who doesn't care about having an exploitable website. I agree that there
> > are hundreds of vulnerable plugins. That's what we're trying to help fix,
> > because it's unacceptable!
> >
> >
> >  I guess most of the user of the plugin are not going to read this.
> >>
> > We'll do the best we can to make sure everyone who is interested will
> find
> > out. We currently:
> >
> >  * Publish to our website
> >  * Tweet from @dxwsecurity
> >  * Post to wp-hackers and Full Disclosure
> >  * Request a CVE
> >
> > If you have any ideas about how we can spread the word more, I'm all
> ears.
> >
> > Harry
> >
> >
> >
> > On 28/03/2014 16:06, Varun Agrawal wrote:
> >
> >> Hi Harry,
> >>
> >>  It was my assumption that this list would be interested to know about
> >>> vulnerable plugins.
> >>>
> >> There must be hundreds or thousands of plugin with security issues. I
> >> don't think everybody will be interested to know vulnerabilities in
> >> them.
> >>
> >>
> >>  we are disclosing the vulnerability in order that anyone using this
> >>> plugin can take steps to protect themselves.
> >>>
> >> I guess most of the user of the plugin are not going to read this.
> >>
> >>
> >> -Varun
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >
> > --
> > Harry Metcalfe
> > 07790 559 876
> > @harrym
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 28 Mar 2014 16:37:37 +0000
> From: "Scott Herbert (via Phone)" <scott.a.herbert at googlemail.com>
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
> Message-ID: <9dad3ca7-3ef8-4504-acf6-4f8431e69a9e at email.android.com>
> Content-Type: text/plain; charset=UTF-8
>
> Just by way of comparison Google give you 7 days, I think 14 days is fine.
> I tend to give companies 30days to have the patch out, unless they give me
> a good reason to delay.
>
>
>
> On 28 March 2014 16:30:50 GMT+00:00, Harry Metcalfe <harry at dxw.com> wrote:
> >Hi Chris,
> >
> >The 14 days is just to acknowledge the report, not to release a fix.
> >The
> >policy does not prescribe a time for fixes for exactly the reasons
> >you've outlined. We'll always work with people to agree a reasonable
> >time for fixing and publication, unless they don't reply to us. In
> >which
> >case, we can't do much other than publish. We also generally do wait
> >longer than 14 days, as you can see from these reports.
> >> Posting vulnerability reports here isn't going to alert the majority
> >of the affected users, and it has that spammy feel (even though its not
> >spam).
> >I'll add you to the list! So far, we're 1 for and 1 against.
> >
> >Harry
> >
> >
> >On 28/03/2014 16:20, Chris Christoff wrote:
> >> -- Please reply above this line --
> >>
> >> -----------------------------------------------------------
> >> ## Chris replied, on Mar 28 @ 12:20pm (AMT):
> >>
> >> I also disagree with how the issues are being disclosed.
> >>   First off 14 days really isn't a long enough time. Imagine this
> >> scenario:
> >>   Day 1: Friday: Reported to WP Security team
> >>   Day 1: Security team sends email to plugin author
> >>   Day 4: Monday: Plugin author begins reading his emails about his
> >> plugins that came in over the weekend and notices security email.
> >>   Day 7: Thursday: Assuming the bug is easy to fix, an update is
> >patch
> >> is submitted as an update to WordPress.org
> >>   Day 8: Update notifications begin to appear in WordPress backend,
> >> given its now Friday, most users (if they even log into their site on
> >> Fridays, will put off updating it till Monday mostly so they can read
> >> through the changelog.
> >>   Day 11: Users read through changelog and *hopefully* begin
> >updating.
> >>
> >>   The problem is, this made 2 assumptions. First, you assume all
> >> security vulnerabilities are both easy to fix, and the plugin can be
> >> re-audited quickly. While most are likely easy to fix (ala the ones
> >> reported thus far), most authors would also want to re-audit their
> >> plugins codebase, and for anything over 100k LOC that's going to take
> >> a lot of time. Second, you've only given users 3 days to update in
> >> this scenario. Some users will not update the first week after an
> >> update has been patched. Some not even the first 2 weeks. Maybe they
> >> are enterprise or large business sites where they have to get
> >approval
> >> and independent testing must be done prior to accepting the patch.
> >> Maybe, they are scared of updates for whatever reason and they want
> >to
> >> read reports the update hasn't broken someone's site first.
> >>
> >>   In any event, the "14 days" should be upped to the industry
> >standard
> >> 30 days. Currently, in a good case scenario (like the one above)
> >> you've given users 3 days to update before you reveal a direct proof
> >> of concept of how to exploit the vulnerability.
> >>
> >>   Even after 30 days, publishing a complete example of how to use the
> >> vulnerability is still not all too responsible. I would move to a
> >> system where you say what you can do to mitigate the issue after 30,
> >> and then hold off on proof of concept for 60-90 days post report.
> >>
> >>   Finally, I'd have to agree with the others. Posting vulnerability
> >> reports here isn't going to alert the majority of the affected users,
> >> and it has that spammy feel (even though its not spam).
> >> --
> >> Chris Christoff
> >> hello at chriscct7.com
> >> http://www.chriscct7.com [1]
> >> @chriscct7
> >> If you feel the need to donate, as a college student, I appreciate
> >> donations of any amount. The easiest way to donate to my college fund
> >> is via the donation button at the bottom of my
> >> homepage: http://chriscct7.com/ [2]
> >>
> >> Links:
> >> ------
> >> [1] http://www.chriscct7.com
> >> [2] http://chriscct7.com/
> >>
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:06pm
> >(AMT):
> >>
> >> Hi Harry,
> >>
> >>   >It was my assumption that this list would be interested to know
> >> about vulnerable plugins.
> >>
> >>   There must be hundreds or thousands of plugin with security issues.
> >I
> >>   don't think everybody will be interested to know vulnerabilities in
> >>   them.
> >>
> >>   >we are disclosing the vulnerability in order that anyone using
> >> this plugin can take steps to protect themselves.
> >>
> >>   I guess most of the user of the plugin are not going to read this.
> >>
> >>   -Varun
> >>   _______________________________________________
> >>   wp-hackers mailing list
> >>   wp-hackers at lists.automattic.com
> >>   http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:52am
> >(AMT):
> >>
> >> Hi Chris,
> >>
> >>   We're aware of that, but not sure what alternative there is if the
> >>   people who write plugins don't contact us when we report issues to
> >> them.
> >>   We try to give people enough time to fix things, but if it doesn't
> >> look
> >>   like they're going to, we believe it is the responsible thing to do
> >> to
> >>   publish vulnerabilities so that people affected by them can take
> >> steps
> >>   to protect themselves.
> >>
> >>   Our disclosure policy is here
> >> <https://security.dxw.com/disclosure/>,
> >>   and we always draw people's attention to it (see below). All that
> >> said,
> >>   it is a difficult area and I'm certainly open to suggestions about
> >> how
> >>   to do it better.
> >>
> >>   Harry
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:29am
> >(AMT):
> >>
> >> I think Daniel was refering to posting to a public list, some
> >> malicious
> >>   people could take advantage of this, and cause some havoc.
> >>
> >>   _______________________________________________
> >>   wp-hackers mailing list
> >>   wp-hackers at lists.automattic.com
> >>   http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:46am
> >(AMT):
> >>
> >> Hi Daniel,
> >>
> >>   This vulnerability was reported to plugins at wordpress.org on 2nd
> >>   February. The author has not responded, so we are disclosing the
> >>   vulnerability in order that anyone using this plugin can take steps
> >> to
> >>   protect themselves.
> >>
> >>   This is certainly not an advertisement.
> >>
> >>   Administrivia: It was my assumption that this list would be
> >> interested
> >>   to know about vulnerable plugins. If anyone has strong feelings for
> >> or
> >>   against that assumption, please let me know off-list. If there is a
> >>   consensus we will honour it.
> >>
> >>   Cheers,
> >>
> >>   Harry
> >>
> >> -----------------------------------------------------------
> >> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:41am
> >(AMT):
> >>
> >> Hi Harry,
> >>
> >>   Please refrain from advertising on this list. Plugin security
> >issues
> >> should
> >>   be reported to plugins at wordpress.org
> >>
> >>   Thanks.
> >>
> >>   _______________________________________________
> >>   wp-hackers mailing list
> >>   wp-hackers at lists.automattic.com
> >>   http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >> -----------------------------------------------------------
> >>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> >--
> >Harry Metcalfe
> >07790 559 876
> >@harrym
> >
> >_______________________________________________
> >wp-hackers mailing list
> >wp-hackers at lists.automattic.com
> >http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
> ------------------------------
>
> Message: 5
> Date: Fri, 28 Mar 2014 16:38:26 +0000
> From: Harry Metcalfe <harry at dxw.com>
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
> Message-ID: <5335A582.3090307 at dxw.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Anyone else agree? Who'd join such a list?
>
> I'll keep a tally on that too.
>
> Though I am a bit surprised at the respondents here who *don't* want to
> know about vulnerable plugins they may be running...
>
> Harry
>
>
> On 28/03/2014 16:37, Nikola Nikolov wrote:
> > I'd suggest creating a mailing list - this way people can actually opt-in
> > to those emails(so people here that don't want to receive that kind of
> > information will not and those who want can sign-up for it).
> >
> >
> > On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com> wrote:
> >
> >> There must be hundreds or thousands of plugin with security issues. I
> >>> don't think everybody will be interested to know vulnerabilities in
> >>> them.
> >>>
> >> I'm honestly not sure how to respond to that. I don't think I know
> anyone
> >> who doesn't care about having an exploitable website. I agree that there
> >> are hundreds of vulnerable plugins. That's what we're trying to help
> fix,
> >> because it's unacceptable!
> >>
> >>
> >>   I guess most of the user of the plugin are not going to read this.
> >> We'll do the best we can to make sure everyone who is interested will
> find
> >> out. We currently:
> >>
> >>   * Publish to our website
> >>   * Tweet from @dxwsecurity
> >>   * Post to wp-hackers and Full Disclosure
> >>   * Request a CVE
> >>
> >> If you have any ideas about how we can spread the word more, I'm all
> ears.
> >>
> >> Harry
> >>
> >>
> >>
> >> On 28/03/2014 16:06, Varun Agrawal wrote:
> >>
> >>> Hi Harry,
> >>>
> >>>   It was my assumption that this list would be interested to know about
> >>>> vulnerable plugins.
> >>>>
> >>> There must be hundreds or thousands of plugin with security issues. I
> >>> don't think everybody will be interested to know vulnerabilities in
> >>> them.
> >>>
> >>>
> >>>   we are disclosing the vulnerability in order that anyone using this
> >>>> plugin can take steps to protect themselves.
> >>>>
> >>> I guess most of the user of the plugin are not going to read this.
> >>>
> >>>
> >>> -Varun
> >>> _______________________________________________
> >>> wp-hackers mailing list
> >>> wp-hackers at lists.automattic.com
> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>>
> >> --
> >> Harry Metcalfe
> >> 07790 559 876
> >> @harrym
> >>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> --
> Harry Metcalfe
> 07790 559 876
> @harrym
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>
> ------------------------------
>
> End of wp-hackers Digest, Vol 110, Issue 45
> *******************************************
>


More information about the wp-hackers mailing list