Viewing 11 replies - 1 through 11 (of 11 total)
  • Originally it was discovered by Patchstack, and here’s more information – https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/, the biggest problem is that vendor was not responding to multiple messages and warnings. I hope they will respond now.

    Thread Starter Artan

    (@artankrasniqi1988)

    I just saw that only people are affected that have the “WC Fields Factory” plugin also installed!? Would have been a good info also from WordFence instead of getting hysterical.

Also, wouldn't it be possible to edit the file yourself and delete the line:

    'test_type' => false,

Until the plugin would be updated it wouldn't be overwritten or fixed with the new update anyway!?

    Plugin Author templateinvaders

    (@templateinvaders)

    Hi @artankrasniqi1988

    The reported code is only executed if the third-party plugin WC Fields Factory is installed and the integration with it is enabled in our plugin settings.
    If you’re not using this integration, the relevant code is never called, and there is no need to delete or modify any plugin files manually.
    We will include a fix for this case in the upcoming update to avoid further confusion.

    Hi @darius_fx

    We respect the importance of security work, but the way this issue was presented creates unnecessary panic around a vulnerability with near-zero real-world impact.
    Instead of clearly communicating this to users, Patchstack chose to exaggerate the issue and use it as an opportunity to promote its commercial services within the open-source community.
    This approach feels more like a PR tactic than a constructive contribution to WordPress security.

    We will address the technical detail in the next release — as we always take security seriously — but we also encourage responsible disclosure that prioritizes real impact and honest communication over visibility and marketing.

    @templateinvaders let’s see how the timeline looks:

    • First report – 2025 March 26 (no answer)
    • First warning – 2025 May 1 (no answer)
    • Second warning – 2025 May 15 (no answer)
    • Public disclosure – 2025 May 16 (silence)
    • CVE published – 2025 May 19 (silence)
    • Support message – 2025 May 26 (silence)
    • First reaction – 2025 May 27 (62 days later…)

    It took you 62 days to respond in any meaningful way to the vulnerability. The real concern isn’t just the issue itself, but the fact that it took so long to react – that’s what’s truly alarming. Referencing “honest communication” feels odd when there has been virtually no communication at all. This is exactly why triage processes exist and why full vendor engagement from the first day is critical. And yet, for some reason, you chose to wait 62 days.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @darius_fx What happened when you emailed the plugins team via plugins[at]wordpress.org and you informed them of this vulnerability?

    @jdembowski , at this time, we have discontinued sharing vulnerability details with the plugins and themes teams. This decision was made due to previous instances where the plugins team made overly intrusive requests for sensitive information without clearly disclosing who was requesting the data or for what purpose, despite claiming to act on behalf of the plugins team. There is zero transparency about both of those teams and how the data is used, stored, and who has access to it.

    It’s essential to clarify that vendors are ultimately responsible for their plugins and themes, and the plugin/theme teams should be considered external parties, not legal stakeholders. Additionally, there is no non-disclosure agreement (NDA) or formal confidentiality agreement between us and these teams.

    From a compliance and legal standpoint, particularly under the EU Cyber Resilience Act (CRA), we must consider the risk of significant penalties. Are those teams prepared to accept legal liability for the products in question, including any potential fines for non-compliance with relevant regulations?

    We recently began asking the plugins team to reach out to vendors, requesting that they add or update their security contact information in plugin metadata to enable responsible vulnerability disclosure. Instead of facilitating this, we are receiving responses requesting complete vulnerability reports, which is not the intended purpose of our request.

    We cannot responsibly share sensitive vulnerability information under these conditions.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Everyone please excuse me while I get so off topic for a moment.

    tl;dr If you want to get into tit-for-tat conversations here, please do not. That helps no one. You disclosed. Please move on.

    Longer version:

    NOTE: This is my opinion only and does not reflect any group I may be part of in WordPress.org.

    I’m glad that’s out of the way.

    This part is nonsense.

    The real concern isn’t just the issue itself, but the fact that it took so long to react – that’s what’s truly alarming.

    Because of this part.

    • First report – 2025 March 26 (no answer)
    • First warning – 2025 May 1 (no answer)
    • Second warning – 2025 May 15 (no answer)
    • Public disclosure – 2025 May 16 (silence)
    • CVE published – 2025 May 19 (silence)
    • Support message – 2025 May 26 (silence)
    • First reaction – 2025 May 27 (62 days later…)

    Your timeline clearly shows that you are aware that your contact means is, well, completely wrong and erroneous.

    There is a team that has a track record for contacting plugin developers. You choose not to avail yourself of that. That’s on you. You made that decision for the reasons you outlined.

    at this time, we have discontinued sharing vulnerability details with the plugins and themes teams.

    without clearly disclosing who was requesting the data or for what purpose, despite claiming to act on behalf of the plugins team. 

    Volunteers on those teams have had to deal with harassment, doxing, people literally sending packages as part of that harassment to their residences and finally death threats. Your participation here does not rise to the level of trust where you get those volunteer’s real identity.

    I get this is your business model but your actions strain the concept of “responsible” disclosure. And before anyone makes any threats about anyone impugning anyone’s reputation, that’s my opinion based on your words above. You could re-iterate what you’ve done to date and why but please be assured; it does not matter here.

    You can do what you like but please stop getting into discussions attempting to rationalize your actions with developers here. That does not help the users. These are not Patchstack support forums. Anyone here, including me, should be focusing on helping the users who are impacted by the vulnerability.

    You could focus on helping the community and you do partly. The partly part in my opinion is by your disclosing. That’s good and people do need to know when something is out there. But you are failing in the contacting part. You could fix that but rationalize not doing so.

    Second tl;dr: when someone such as a developer gets shirty about that disclosure, try to be the bigger person.

I now return this topic to its regularly scheduled content.

    @jdembowski I really don’t have time for discussions like this. I mean, I could spend this time in a much more productive way – bringing greater value to the community. Just for your information: Patchstack has identified over 11,000 vulnerabilities in the WordPress ecosystem, and it cost those affected vendors nothing – $0. However, we spend $250,000+ just on bounties to reach that result and motivate independent researchers. So next time, before questioning our business model, please check the facts and consider the value we’ve delivered to the community.

    The only thing we’ve asked from vendors is to respond and patch the vulnerabilities. If you think that’s too much to ask, I’m sorry, but I can’t help you with that.

    P.S. fun question – have you ever asked the plugins team how much data we’ve provided over the last four years? Just curious 🙂

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    P.S. fun question – have you ever asked the plugins team how much data we’ve provided over the last four years? Just curious 

Yes. And I doubt you're curious about it.

     However, we spend-

    You’re in the wrong church and wrong pew. That’s a metaphor in case anyone’s wondering.

    *Puts back on Forum Moderator hat.*

    Here’s the short version: stop looking for topics to advertise your services and links. Really, stop doing that.

    If you want to help users, yes, do that. Code examples in these forums to mitigate a vulnerability would be amazing and fantastic to users here, in these forums.

    Just sharing your link is not that. That’s just promotion at this point.

    Seeing a report from Wordfence and chiming in to get the link to Patchstack in, then getting into a tit-for-tat is about your branding. That’s not for here. And no, I have nothing to do with Wordfence though I do believe they are nice and reasonable people.

    If you have any questions feel free to email forum-moderation[at]wordpress.org and another moderator will discuss it with you. You won’t get their name for reasons I explained above but it will not be me.

    I always believed moderation was about overseeing and guiding behavior, content, or activities to ensure they align with certain standards or rules – but it seems I was wrong, my bad 🙂

    I didn’t expect to be criticized by a moderator on a support forum simply for explaining the situation and sharing the first source that offers more in-depth information about a vulnerability.

    Anyway, if a moderator tells me to stop, I won’t argue. I won’t post anything further on the support. If at some point you decide it would be appropriate for me to contribute again, I’ll wait for an email from the mailbox you mentioned 🙂

    Have a nice day 😉

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    This conversation has gotten beyond the realm of helping the original poster, so let’s end it here.

Darius, if you want to contact me directly, I am otto at wordpress.org. You can contact me about this topic. I am involved in both the plugins and the security teams.


The topic ‘Security vulnerability’ is closed to new replies.