• This plugin got my website hacked and I have to inform all of my customers that their data was possibly stolen, even though I update all plugins regularly. This plugin had a very serious remote code execution vulnerability. In the past this plugin has had a lot of serious vulnerabilities, including ones similar to the one that was exploited on my website. They didn’t properly review their code to make sure it doesn’t happen again. Avoid this plugin if you can.

  • Plugin Support Matheus Martins (@matheusfd)

    Hi, @tschopo.

    Apologies for the slow turnaround in replying to this review!

    I did want to personally reach out and say thanks for taking the time to review here. Your feedback prompted an internal in-depth discussion to address the vulnerabilities mentioned and to improve our security response process, and then I neglected to follow up to let you know!

    We’ve always taken security reports with the utmost seriousness, and my priority was to ensure we didn’t overlook anything in your case. Although your post didn’t specify details, I believe the vulnerability you referenced was responsibly disclosed to us by security researchers. We addressed it immediately, and there are no known cases of it having been exploited.

    It’s important to acknowledge that vulnerabilities are an inevitable part of any widely used software, particularly in e-commerce. While no software is immune to vulnerabilities, having them reported and resolved is actually a sign of a healthy, actively used product. If vulnerabilities aren’t being reported, it often means the software either isn’t used extensively, or the issues remain undiscovered.

    We take every report seriously and work with leading security experts to patch vulnerabilities before they are ever exploited.

    Additionally, this situation underscored the importance of refining our approach to bug and security fixes, which we’ve now updated as follows:

    1. Vulnerability Identification: Issues are flagged during internal testing or are reported by users or third parties.

    2. Severity Assessment: We assess each issue based on impact, exploitability, exposure, and urgency to determine response priorities.

    3. Patch Development: Our security team develops and rigorously tests a patch to address the issue effectively.

    Identified vulnerabilities are now automatically categorized as Priority 2 (meaning they are to be fixed within the current development cycle), and unauthenticated vulnerabilities are Priority 1 (meaning we “drop everything and fix it”).

    We’ve also enhanced our communication process for security updates to keep our users informed:

    Minor Vulnerabilities: Included in weekly product update emails to ensure ongoing awareness.

    Critical Vulnerabilities: Communicated immediately through email alerts, social media posts, and blog updates.

    Your feedback has been invaluable, and we’re committed to both strengthening our processes and ensuring that users stay informed about updates. Thank you for helping us improve our platform’s security and transparency.

  • Thread Starter tschopo (@tschopo)

    Thank you for acknowledging my feedback, but I find your response deflects the severity of this situation.

    Firstly, ranking #5 among WordPress plugins with the most vulnerabilities in a popular vulnerability database is telling on its own. Just this year, this plugin has experienced three critical vulnerabilities—demonstrating a pattern of insufficient code sanitation, which is a basic security practice, not rocket science.

    The issue is clearly not limited to “potential” exploitation; my case proves these vulnerabilities are actively being exploited in the wild. In fact, shortly after my review, another remote code execution vulnerability emerged, despite your claims of heightened prioritization and rapid patching. The fact that I had automatic updates enabled underscores that patches are coming too late.

    It’s frustrating that you’re downplaying this by framing it as “inevitable” for widely used software. Contrary to your implication, many popular software products remain secure without repeated critical issues.

    Your focus seems entirely on reacting to vulnerabilities after they’re discovered and damage control, rather than proactively preventing them through regular, rigorous code audits. Start by hiring programmers that know what they’re doing.

    This isn’t simply about communication; it’s about delivering a secure product from the start.
