
WordPress Plugin Review Team Security Reviewer Chris Christoff is Failing to Address Vulnerabilities in Awesome Motive’s Plugins


Last week we released an advisory warning people to avoid plugins from Awesome Motive due to their repeated inability or unwillingness to fully fix security issues and vulnerabilities in their plugins. One striking aspect of that failure is that Awesome Motive has a chief security officer. How can you have such bad security in that situation? One explanation would be that someone unqualified was simply given that title. We have seen plenty of instances of just such a situation in the security space over the years. A problem with that explanation is that the CSO, Chris Christoff, is the Security Reviewer on the WordPress Plugin Review Team. We don’t know what he actually does on that team, but the team has throughout his tenure shown a lack of ability to properly review the security of plugins (something we tried unsuccessfully to address with Awesome Motive).

After releasing that advisory, we needed to compile a list of all of Awesome Motive’s plugins so that we could add a warning for them to the various ways our advisory data is distributed. That isn’t exactly easy, as Awesome Motive is notably not upfront on the WordPress Plugin Directory about which plugins are theirs. The team that runs the directory, the previously mentioned WordPress Plugin Review Team, could address that, but hasn’t.

