One of the more troubling things going on with our competitors in providing information about vulnerabilities in WordPress plugins is how those security providers are trying to direct vulnerability reports about plugins away from developers and to themselves. Among the problems with that is that it can lead to significant delays before developers are informed of the vulnerabilities. Here, for example, is the timeline that Wordfence disclosed for one recent instance of such redirection:
May 26, 2024 – We received the submission for the PHP Object Injection to Remote Code Execution vulnerability in GiveWP via the Wordfence Bug Bounty Program.
June 10, 2024 – We validated the report and confirmed the proof-of-concept exploit.
June 13, 2024 – We sent the full disclosure details to the vendor’s known email address.