Ars Technica is running an article [arstechnica.com] about a "self-proclaimed security provider" who has released exploits for three separate zero-day [wikipedia.org] vulnerabilities in plugins for WordPress [wikipedia.org], the open-source content management system.
According to the Ars Technica article [arstechnica.com]:
Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.
Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts [wordpress.org] and Yellow Pencil Visual Theme Customizer [wordpress.org] WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository [wordpress.org] around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch [waspthemes.com]. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.
In-the-wild exploits against Social Warfare [wordpress.org], a plugin used by 70,000 sites, started three weeks ago [arstechnica.com]. Developers for that plugin quickly patched the flaw but not before sites that used it were hacked.
All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities [pluginvulnerabilities.com] published detailed disclosures on the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make it trivial to hack vulnerable sites. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.
The author also pointed out that 11 days passed between the disclosure of the Yuzo Related Posts zeroday and the first known reports it was being exploited [wordfence.com]. Those exploits wouldn't have been possible had the developer patched the vulnerability during that interval, the author said.
Asked if there was any remorse for the innocent end users and website owners who were harmed by the exploits, the author said: "We have no direct knowledge of what any hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts. These full disclosures would have long ago stopped if the moderation of the Support Forum was simply cleaned up, so any damage caused by these could have been avoided, if they would have simply agreed to clean that up."
The crux of the author's beef with WordPress support-forum moderators, according to threads such as this one, is that they remove his posts and delete his accounts when he discloses unfixed vulnerabilities in public forums. A recent post on Medium said he was "banned for life" but had vowed to continue the practice indefinitely using made-up accounts. Posts such as this one show Plugin Vulnerabilities' public outrage over WordPress support forums has been brewing since at least 2016.
Ars Technica goes on to editorialize:
To be sure, there's plenty of blame to spread around recent exploits. Volunteer-submitted WordPress plugins have long represented the biggest security risk for sites running WordPress, and so far, developers of the open source CMS haven't figured out a way to sufficiently improve the quality. What's more, it often takes far too long for plugin developers to fix critical vulnerabilities and for site administrators to install them. Warfare Plugins' blog post offers one of the best apologies ever for its role in not discovering the critical flaw before it was exploited.
But the bulk of the blame by far goes to a self-described security provider who readily admits to dropping zerodays as a form of protest or, alternatively, as a way to keep customers safe (as if exploit code was necessary to do that). With no apologies and no remorse from the discloser—not to mention a dizzying number of buggy, poorly-audited plugins in the WordPress repository—it wouldn't be surprising to see more zeroday disclosures in the coming days.
A weakness of community-developed software, which is also its biggest strength, is that profit is not the motive. As such, developers may or may not be responsive to reports of security vulnerabilities.
So where do Soylentils fall on this? Is the person who disclosed the vulnerabilities without reporting them to the developers first most at fault for the site compromises, or are the plugin developers who failed to patch their code in a timely fashion the real villains?