oss-sec mailing list archives

Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality


From: Hanno Böck <hanno () hboeck de>
Date: Wed, 21 Jan 2026 11:51:26 +0100

On Tue, 20 Jan 2026 19:26:57 +0000
Moritz Mühlenhoff <jmm () inutil org> wrote:

> But on a more general level, please let's avoid posting WordPress
> plugin vulnerabilities on oss-sec.
>
> Looking at the Debian Security Tracker there have been 9773 CVE
> IDs on WordPress plugins in 2025, they are not packaged in any Linux
> distribution and posting a few individual ones really misses the
> "There has to be desirable information for others in the Open Source
> community" aspect of the list charter.


Erh... I disagree.

* My understanding of the oss-security list is that it is about the
  wider Open Source ecosystem, not limited to "stuff packaged in Linux
  distributions".

* Wordpress plugin security is certainly part of Open Source security,
  and, IMHO, a relevant topic and completely on-topic on this list.

* We currently do not have a problem with a flood of Wordpress plugin
  security issues posted to this list. If that would be a problem, we
  could deal with it by having a separate list for it, but until then,
  I think it's completely fine to have such posts every now and then.

* My experience with Wordpress plugin issues is that, unfortunately,
  often the public information available is quite limited. I appreciate
  when security researchers share information about such
  vulnerabilities, and, from a brief read, the original mail of this
  thread looks like a good description of a valid security
  vulnerability.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

