Blog

We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. In order to ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we’d like to clarify…

We’ve been alerted that certain vendors are using suboptimal secret management techniques to handle (H/T)OTP encryption keys, which leads to them not bringing any additional security value. Examples we’ve received include storing the encryption key on the database alongside the shared secret it encrypted or using the same key for all sites using the plugin. We…

We receive a non‑negligible amount of submissions every day. We model the risk they represent for site owners, figure out what kind of privilege is required to successfully exploit the issue, and forward the information to plugin and theme authors to get it fixed. This is can get pretty time-consuming, especially when we need to scavenge…