WordPress Files to Trademark ‘Managed WordPress’ & ‘Hosted WordPress’ via @sejournal, @martinibuster

The WordPress Foundation applied to trademark ‘Managed WordPress’ and ‘Hosted WordPress’ for software and hosting services. If approved, this would limit commercial use of these terms by web hosts and even plugins without prior permission.

Trademark Applications Filed By WordPress

The trademark applications for the two hosting-related phrases are dated July 12, 2024 and list the WordPress Foundation as the applicant for the marks “Managed WordPress” and “Hosted WordPress”.

The WordPress Foundation is the non-profit organization that’s behind the open-source WordPress content management system.

The applications cover the use of the phrases in web hosting, servers for web hosting, downloadable software platforms for web hosting, cloud hosting services, SaaS services, software for managing website content (including downloadable software), web development software, downloadable software for design and managing websites, and plugin software.

Why WordPress Filed Trademarks

Both applications are filed on an “Intent to Use” basis, meaning the applicant is asserting that it intends to use the marks in commerce rather than documenting existing use.

Each application states:

“The applicant has a bona fide intention, and is entitled, to use the mark in commerce on or in connection with the identified
goods/services.”

Who Wants To Own The Trademarks?

The trademark applications were filed by the WordPress Foundation, a non-profit entity that is legally separate from the for-profit Automattic. Yet it was Automattic that was demanding money in exchange for a license to use certain WordPress-related phrases.

How can Automattic make claims on trademarks that belong to the WordPress Foundation, a separate legal entity? The likely answer is that the WordPress Foundation has an agreement with Automattic covering commercial use and enforcement of its trademarks.

The cease and desist sent by WP Engine to Automattic explains:

“During calls on September 17th and 19th, for instance, Automattic CFO Mark Davies told a WP Engine board member that Automattic would “go to war” if WP Engine did not agree to pay its competitor Automattic a significant percentage of its gross revenues – tens of millions of dollars in fact – on an ongoing basis. Mr. Davies suggested the payment ostensibly would be for a “license” to use certain trademarks like WordPress, even though WP Engine needs no such license.

WP Engine’s uses of those marks to describe its services – as all companies in this space do – are fair uses under settled trademark law and consistent with WordPress’ own guidelines.”

The public back and forth between WordPress, Matt Mullenweg and WP Engine omits this detail, but the letter suggests that Automattic is licensed to enforce trademarks on behalf of the WordPress Foundation.

Implications Of Trademark Filing

The trademark applications could affect web hosts that use the phrases “Managed WordPress” and “Hosted WordPress”, because the WordPress Foundation would be able to enforce its ownership of the phrases or ask for licensing fees.

The WordPress Foundation’s purpose in filing is to assert legal control over the terms “Managed WordPress” and “Hosted WordPress” and thereby control which entities are able to use them.

If an application passes examination, the mark is published for opposition, a period during which third parties can file objections to the registration.

Read the trademark applications here:

Managed WordPress Trademark Application

Hosted WordPress Trademark Application

Featured Image by Shutterstock/Wirestock Creators

WP Engine C&D Alleges “Coercive Threats” By Mullenweg via @sejournal, @martinibuster

WP Engine issued a cease and desist letter to Matt Mullenweg, demanding he stop making ‘false, misleading, and disparaging statements’ and cease using his position at WordPress.org to benefit his for-profit company, Automattic. The letter refutes Mullenweg’s public accusations and outlines his demands for tens of millions of dollars to avoid taking a ‘nuclear approach’ against WP Engine.

A screenshot of a text message by Mullenweg states:

If you’re saying “next week” that’s saying “no”, so I will proceed with the scorched earth nuclear approach to WPE

Thank you for the clarity, it gives me time to work on things and hone my message.

Screenshot of text message by Mullenweg to WP Engine

WP Engine Cease And Desist

Matt Mullenweg, co-founder of WordPress and CEO of the for-profit Automattic, posted on Reddit and in a Slack channel that WP Engine had initiated litigation against WordPress, Automattic and himself. It was later revealed that WP Engine had in fact sent a Cease and Desist letter (C&D).

The C&D document, sent to the Automattic Chief Legal Officer, documents what it says are false factual statements, outlines a timeline of events, and rebuts Mullenweg’s allegations, accusations and statements.

WP Engine makes four key demands:

  1. Cease Making False Factual Statements Regarding WP Engine.
  2. Cease Interfering with WP Engine’s Contractual Relationships With its Employees.
  3. Cease Interfering with WP Engine’s Contractual Relationships With its Customers
  4. Preserve All Potentially Relevant Documents and Data.

Mullenweg Accused Of Serious Misconduct

The letter accuses Automattic of “serious misconduct” toward WP Engine and lays out WP Engine’s version of events, including that Mullenweg threatened to take a “scorched earth nuclear approach” against WP Engine if it refused to agree to give Automattic tens of millions of dollars in cash by 4:30 PM.

The letter states that when the deadline passed without an agreement, Mullenweg publicly made disparaging remarks about WP Engine in front of a live audience, on YouTube and in blog posts on the non-profit WordPress.org website.

Those posts were also linked from the news section of the admin panel of every WordPress site in the world, millions of websites.

Screenshot Of A WordPress Admin Panel

Screenshot showing links from a WordPress admin panel news section to three posts made by Matt Mullenweg about WP Engine

Accused Of Abusing His Privileged Position Of Power

WP Engine’s C&D accuses Mullenweg of abusing his unique position as both the CEO of a competitor (Automattic, Inc.) and a director of the non-profit WordPress Foundation, which stands behind the open source WordPress content management system.

The document states:

“Mr. Mullenweg’s statements also reflect a clear abuse of his conflicting roles as both (1) the Director of the non-profit WordPress Foundation, and (2) the CEO of at least two for-profit businesses that compete with WP Engine.

…Mr. Mullenweg’s covert demand that WP Engine hand over tens of millions to his for-profit company Automattic, while publicly masquerading as an altruistic protector of the WordPress community, is disgraceful.”

List Of Disparaging Remarks Against WP Engine

WP Engine’s C&D documents the remarks Mullenweg made, including:

  • Encouragement of WordPress users to switch away from WP Engine
  • Suggesting that WP Engine is retaliatory towards its employees
  • Accusing WP Engine of misusing the trademarks
  • Accusing WP Engine investors of not caring about open source
  • Suggesting that WP Engine may retaliate against its own employees

WP Engine’s C&D rebuts every allegation by Mullenweg, addressing each instance point by point.

Among the rebuttals:

Rebuttal Of Accusation That WP Engine Contributes Little

“Even considering Mr. Mullenweg’s incorrect statement that contribution is only based on hours worked and contributors to Five for the Future, Mr. Mullenweg falsely stated that WP Engine is failing on this metric. In reality, WP Engine is ranked 30 out of 189 in hours contributed and 16 out of 189 in contributors, significantly outpacing multiple other contributors relative to our revenue.”

Rebuttal Of Trademark Misuse

“WP Engine’s use of “WP” is explicitly permitted by WordPress Foundation’s trademark policy:

‘The abbreviation ‘WP’ is not covered by the WordPress trademarks and you are free to use it in any way you see fit.’

Moreover, WP Engine’s use of the WordPress mark is entirely compliant with governing trademark law. For more than a decade, WP Engine has fairly used that term to describe its services, as other members of the WordPress ecosystem do.”

Speculation Of WP Engine Retaliation

“Is not just false and wholly unsubstantiated – it is also absurd.”

What’s Next?

The next move appears to be up to Mullenweg. Many members of the WordPress community have already expressed surprise at what Mullenweg did, and some on Reddit are calling for Mullenweg to step down.

Screenshot Of Call For Mullenweg To Step Down

Read the official Cease and Desist here (PDF).

Mullenweg: WP Engine Filed Legal Action Against WordPress via @sejournal, @martinibuster

Matt Mullenweg, co-founder of WordPress and CEO of Automattic announced on Reddit that WP Engine initiated legal action against WordPress, Automattic, and Mullenweg himself. Mullenweg wrote that WordPress is countersuing.

WP Engine is a leading managed WordPress hosting provider that Mullenweg alleges is violating the WordPress trademark.

Mullenweg’s comments came in a Reddit thread titled “Matt Mullenweg needs to step down from WordPress.org leadership ASAP” in which he explained his side of the issue with WP Engine.

He wrote that on Friday he spoke with the WP Engine employees attending the WordCamp conference, mentioned that WP Engine might be banned, and kept trying to resolve the dispute with the company right up until his closing Q&A, which he instead turned into a speech against WP Engine.

Mullenweg described visiting the WP Engine booth at WordCamp and offering to print the employees new attendee badges in the event that WP Engine was banned.

His description:

“That *if* we had to take down the WP Engine booth and ban WP Engine that evening, my colleague Chloé could print them all new personal badges if they still wanted to attend the conference personally, as they are community members, not just their company.”

Mullenweg insisted that he tried to resolve the conflict:

“The entire day I was in discussions with Heather Brunner and Lee Wittlinger trying to de-escalate and resolve their trademark violations and bad behavior in the WordPress community. I returned to the booth around 4:30 PM to say that I had finally gotten a message back from Lee and Heather and was optimistic we could reach a solution so the booth would not be taken down that evening.

I wanted to resolve everything before my presentation on Friday afternoon, where I was either going to do normal Q&A as planned or present the case for what WP Engine has done wrong. Heather and Lee responded to my text messages, but refused to get on a call or reach any sort of verbal understanding with me, and so I delivered the presentation. I was calling both backstage literally minutes before I got on, trying to avoid this entire scenario.

WP Engine has now filed formal legal action against WordPress.org, myself, Automattic, and we are doing the same against them, so I may not be able to comment on this too much in the future.”

Reactions To Mullenweg’s Post

As of this moment there has been no public announcement by WP Engine. Some Redditors in that discussion were incredulous that Mullenweg set a deadline of that afternoon to finalize a solution with WP Engine.

One Redditor posted:

“What could possibly be resolved in a few hours at a conference? Were they to change their name and cut a fat check that day?”

Mullenweg responded:

“They have been stringing things along for years, it appears their main strategy is just to delay resolution while they continue their bad behavior, printing cash.”

This is a developing story, more will be added as it becomes known.

Read Mullenweg’s post:

To be very clear, I was 100% cordial and polite to everyone at the booth

Featured Image by Shutterstock/Wirestock Creators

WordPress Co-Founder Mullenweg Sparks Backlash via @sejournal, @martinibuster

Matt Mullenweg, co-founder of the WordPress content management system and CEO of Automattic, ended an otherwise successful WordCamp USA conference with a poorly received keynote that sharply criticized a prominent managed WordPress web host. The overwhelming response was negative toward his statements and toward a subsequent blog post that continued his combative remarks.

The response on social media to his speech and blog post was so immense that at one point “WordPress” was the number one trending topic on X (formerly Twitter).

This article doesn’t take sides, it’s only reporting what was said and the general response to it.

What Happened

WordPress is built on the idea of a worldwide community working together to create an open source system for publishing ideas. It is responsible for the creation of perhaps millions of jobs, enabled countless ecommerce companies to sell online and created multiple markets and services that would not otherwise exist, all of it built on the idea of community.

WordCamp is the physical manifestation of the WordPress community, a conference organized by volunteers that enables WordPress users at every level to meet and exchange ideas. It’s ordinarily an uplifting and inspirational event which is why nobody was prepared for the bombshell that would close the week of events beginning on September 17th and ending on the 20th.

It’s not that there weren’t hints. Matt Mullenweg published a blog post on the first day of the conference that begins on a cheerful note then becomes progressively darker.

He begins by praising the community that powers WordPress and is responsible for WordCamp:

“If you ever have a chance to visit a WordCamp, I recommend it. It’s an amazing group of people brought together by this crazy idea that by working together regardless of our differences or where we came from or what school we went to we can be united by a simple yet groundbreaking idea: that software can give you more Freedom.”

Mullenweg then criticized Meta as “disingenuously” claiming to participate in the open source movement and then praised companies that give back to the open source WordPress community as part of the Five for the Future program (in which companies are encouraged to put 5% back into growing the WordPress platform).

He then openly criticized WP Engine for not contributing enough.

How much companies give back to WordPress was the ax that Mullenweg swung in his conference-closing keynote on Friday, where he called out WP Engine by name.

Ending A Conference On A Low Note

Mullenweg stated that there are some companies that use up resources without giving back, following up by pointing a finger at WP Engine for only sponsoring 40 hours per week of work toward improving the WordPress core.

He said:

“And there are those that treat open source simply as a resource to extract from its natural surroundings, like oil from the grounds, a finite resource, something to be extracted and used.

…a lot of this information that I’m sharing with you all has come from WP engine employees who’ve reached out to me and and talked to me about all this. So thank you all for being brave and for sharing this information that you think your company is doing something wrong.

WP Engine has good people, some of whom are listed on that page, but the company is controlled by Silver Lake, a private equity firm with 102 billion in assets under management. Silver Lake doesn’t give a dang about your open source ideals, it just wants return on capital.”

Matt Mullenweg then took the step of encouraging the WordPress community to find a different web host. He didn’t directly name WP Engine or call for a boycott, but the meaning of his words was not lost on the audience, given that he had just accused WP Engine’s owner of not giving “a dang about …open source ideals.”

He said:

“So it’s at this point that I ask everyone in the WordPress community to go vote with your wallet. Who are you giving your money to? Someone who is going to nourish the ecosystem or someone is going to frack every bit of value out of it until it withers?”

Followed a minute later with:

“Think about that next time it comes up to renew your hosting or domain. Weigh your dollars towards companies that give back more…

Those of us who are makers who curate the source need to be wary of those who take our curations and squeeze out the juice. They’re grifters who will hop on to the next fad.”

Mullenweg said that he tried to speak with them beforehand but couldn’t get through.

Shocked Audience Sides With WP Engine

Mullenweg’s comment near the end of his keynote about a potential ban on WP Engine at future WordCamps was met with surprised silence from the audience, with only a few people applauding.

Matt Cromwell, co-Founder of GiveWP, tweeted:

“No one I spoke with at #wcus sympathized with @photomatt’s take on @wpengine’s contributions to WP.

One thing is clear: if you want to encourage more contributions to WP don’t light contributors on fire on stage. There’s more to the story between A8C and Silver Lake than we know”

Someone else tweeted:

“I didn’t know how to feel after the public shaming of WP Engine by Matt today. I tried to see both sides….and I felt upset at WP Engine & at Matt at the same time.

After seeing what transpired the hours since on X, I believe it was wrong to call out WP Engine and believe this did more harm. “

Another wrote:

“I work very closely with @WPEngine in my day job. They’ve got some fantastic people over there, and are doing many different things to further WordPress in many different ways.

And I will continue to work with them happily.”

Mullenweg Doubles Down

Mullenweg’s keynote wasn’t the end of his criticism. On Saturday he published an article on the official WordPress.org blog that amplified the remarks from his keynote and also generated a largely negative response on social media, with some on X and Facebook even calling for him to step down.

Mullenweg wrote:

“I spoke yesterday at WordCamp about how Lee Wittlinger at Silver Lake, a private equity firm with $102B assets under management, can hollow out an open source community. Today, I would like to offer a specific, technical example of how they break the trust and sanctity of our software’s promise to users to save themselves money so they can extract more profits from you.”

The rest of the blog post gets worse.

Backlash Overwhelmingly Against Mullenweg

One of the cleverest responses was published on the WPHercules website: a word-for-word copy of Mullenweg’s article with the words “WP Engine” replaced by “WordPress.com” (Automattic’s managed WordPress hosting service), titled WordPress.com Is Not WordPress.org.

WordPress agency owner Kevin Geary wrote in a blog response:

“This wasn’t my first WordCamp, but I legitimately felt bad for first-timers. Imagine an awesome and uplifting week ending like the Payback scene in The Sum of All Fears… A little awkward.

…Matt has presumably attempted diplomacy multiple times in different ways over the years as he passed that collection plate around, but without great success when it comes to WP Engine.

The question now becomes, is public ridicule and shame a valid approach? And should this ridicule and shame get delivered in the closing talk at a WordCamp?”

A WordPress community member tweeted that the post was “ridiculous and completely unnecessary” and that WP apparently stands for “We’re petty.”

A negative tweet that is representative of the general mood:

“It’s been concerning for a few years now – at least for me. I don’t think a CEO should attack people/corps based on personal opinions, no matter if right or wrong. Not good for the WordPress ecosystem tbh. Agree?”

Another member of the WordPress community tweeted:

“When I go to an event or trade show, I do not assume the organizers support or endorse every vendor.

I also don’t expect them to criticize any vendor publicly at the event.”

Another tweet:

“Congrats on embarrassing yourself and alienating the #WordPress community to close out #WCUS!

Truly inspirational.”

And another:

“There’s been talk of the “existential” threat to WordPress’ standing for a number of years. Now it’s crystal clear that Matt is that existential threat.”

Targeting Of WP Engine Perceived As Unfair

This article isn’t taking sides, it’s only reporting what was said and how the WordPress community responded.

Some background information for those who may not be aware is that WP Engine is a managed web host that voluntarily contributes to the development of WordPress core, supports WordCamp and develops free plugins enjoyed by millions of WordPress publishers such as Advanced Custom Fields, LocalWP, WPGraphQL, Better Search Replace, and WP Migrate Lite.

The backlash on social media is firmly against Matt Mullenweg, including in the private Facebook group Dynamic WordPress (registration required) where a discussion generated over 100 posts. One member of the group who attended WordCamp remarked on the shocked faces of WordCamp attendees and more than one person wrote “Matt needs to go!” as others sympathized with WP Engine.

Watch Mullenweg’s keynote at the 7:08:25 mark (7 hours, 8 minutes, 25 seconds):

Featured Image by Shutterstock/Krakenimages.com

Patchstack WordPress Security Secures $5M, Adds Yoast Co-Founder to Board via @sejournal, @martinibuster

WordPress security company Patchstack announced a round of $5 million USD funding and the addition of Joost de Valk, co-founder of Yoast SEO, to their board. The funding will accelerate the development of Patchstack toward becoming the fastest full-cycle security solution.

Patchstack – Trusted Security Partner

Patchstack, based in Estonia, is a fast-growing WordPress security company that is trusted by major web hosts, plugin vendors and websites around the world. It recently released a free security tool for open-source software vendors that helps them prepare for compliance with the upcoming European Cyber Resilience Act.

Patchstack is a highly regarded WordPress security company that is trusted by customers such as GoDaddy, Digital Ocean, Plesk, and cPanel and is a security partner with over 300 WordPress plugins such as Elementor, WP Rocket, WP Bakery Page Builder and Slider Revolution.

Patchstack provides security scans for over five million websites every day and offers a free plugin for vulnerability detection and a low cost real-time protection (starting at $5 per website/month).

The announcement by Patchstack offers details of the $5 million dollar funding:

“Estonian cybersecurity startup Patchstack who in 2022 received €2.7M R&D grant from European Innovation Council announced an additional 5 million USD funding round to further their mission of covering the entire lifecycle of open-source security to provide the fastest mitigation to the emerging security threats.

Patchstack’s Series A round was led by Karma Ventures, an early-stage venture capital fund focusing on deep-tech software companies, with participation from G+D Ventures, the German TrustTech investor, and Emilia Capital, the investment firm of Yoast founders Marieke van de Rakt and Joost de Valk.”

Joost de Valk commented to Search Engine Journal:

“Patchstack is really an amazing company and product. I recently joined their board.”

He’s right: Patchstack currently blocks millions of attacks against known vulnerabilities and should be on the shortlist of security solutions for every WordPress website. Although WordPress security is not usually considered an SEO concern, it should be an important part of every SEO audit, because it takes only one major vulnerability event to lose the trust of customers and site visitors, which can hurt both earnings and rankings.

Featured Image by Shutterstock/Krakenimages.com

New WordPress Plugin Simplifies Achieving Success via @sejournal, @martinibuster

The co-founders of Yoast have launched a plugin that helps users plan tasks, defeat procrastination, and remove distractions, making it easier to achieve success. This plugin simplifies managing critical tasks like maintaining website health, publishing posts, and updating content.

Why This Plugin Helps Users Become Successful

One reason some websites fail to achieve all that they are capable of is a lack of momentum and consistent output. Creators who have a plan and follow it rigorously generally experience more success in search. Winning is fun, but getting there is not always fun.

Immediate rewards are a powerful motivator for success. This new plugin makes achievement feel instantly gratifying, which is why it deserves serious consideration.

Clarity, Focus And Achievements

Working at home as a solopreneur or with remote workers can be challenging because there are so many distractions. People are generally task oriented but not necessarily hard-wired to follow a mental list of things to do. It’s easier when someone tells you what to do but the reality is that we have to take charge and tell ourselves what to do in order to achieve great things.

That’s the brilliant thing about the new Progress Planner plugin, it allows users to create a road map to success within the context of the WordPress site itself, embedded within the environment the user is working in.

One of the ingenious features of Progress Planner is that it gamifies task completion with badges that remind users of how much they’ve achieved, subtly encouraging them to continue completing tasks. It’s literally rewarding the brain with feedback on completion of a task, a mental pat on the back.

The Progress Planner website describes the tool like this:

“It simplifies website management by providing a clear overview of your tasks, tracking your progress, and keeping you motivated.”

Money’s a nice motivator but immediate positive feedback is a powerful motivator for progressing from achievement to achievement.

Progress Planner Beta

The plugin is currently in beta, the stage after alpha in which remaining bugs are worked out. This means the plugin is fully functional but is still collecting feedback from users. Nevertheless, Progress Planner is ready for use right now, and the official launch date is set for October 3, 2024.

The plugin is 100% free to use and a pro version is planned for sometime in the future that will add even more features.

Progress Planner, by the co-founders of Yoast, is available right now from the official WordPress Plugin Repository and also in the plugin dashboard in the WordPress admin.

Read more and download the plugin: Progress Planner Plugin At WordPress.org

Visit the Progress Planner Website: Progress Planner

Featured Image by Shutterstock/Cast Of Thousands

New WordPress 6.6.2 Fixes Important Display Issue via @sejournal, @martinibuster

WordPress 6.6.2 introduces 26 bug fixes, including an important one that resolves a CSS issue affecting site appearance. Fifteen fixes address the WordPress core, while eleven focus on the Gutenberg block editor.

Maintenance Release – CSS Specificity

WordPress maintenance releases aren’t major updates; they fix issues introduced by new features in the last major update, in this case version 6.6.

This maintenance release is no different and contains a fix for the CSS specificity changes that were introduced in WordPress 6.6.

CSS is the code that controls what a web page looks like in terms of colors, sizes, margins and spacing. Specificity is the rule browsers use to decide which of several conflicting CSS rules applies to an element: a selector built from IDs outranks one built from classes, which outranks one built from plain element names, and among equals the rule that comes later in the stylesheets wins. WordPress 6.6 deliberately lowered the specificity of the core block styles so that theme developers could override them with their own styles without having to write ever more specific selectors.

However, it was discovered that this implementation introduced several issues that significantly affected what web pages looked like.

WordPress 6.6.2 fixes this issue and for that reason publishers who’ve had issues should consider updating.
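To make the specificity rule concrete, here is an added example in Python, not code from WordPress core or from the 6.6.2 release. It computes the (ids, classes, elements) specificity triple of a selector according to the CSS rules that matter here (`:where()` contributes nothing, `:is()`/`:not()` contribute their most specific argument, other pseudo-classes count as a class, pseudo-elements as an element) and then picks the winning rule from a list in stylesheet order. The two “core” selectors are constructed to illustrate the before/after shape of the 6.6 change (wrapping the block selector in `:where()`); they are modelled on that change, not copied from core, and the theme selector is likewise invented.

```python
import re


def _split_top_level(selector_list):
    """Split a selector list on commas that are not nested inside parentheses."""
    parts, depth, current = [], 0, []
    for ch in selector_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def _matching_paren(text, start):
    """Index of the ')' that matches the '(' at text[start]."""
    depth = 0
    for j in range(start, len(text)):
        if text[j] == "(":
            depth += 1
        elif text[j] == ")":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced parentheses in selector: " + text)


def specificity(selector):
    """Return the (ids, classes, elements) specificity triple of one selector.

    :where() always contributes zero; :is()/:not()/:has() contribute the
    specificity of their most specific argument; other pseudo-classes count
    as a class and pseudo-elements as an element. CSS escapes are not handled.
    """
    ids = classes = elements = 0
    i, n = 0, len(selector)
    while i < n:
        ch = selector[i]
        if ch == ":":
            m = re.match(r"(::?)([-\w]+)", selector[i:])
            if m is None:
                raise ValueError("bad pseudo selector at %d in %r" % (i, selector))
            pseudo_element = m.group(1) == "::"
            name = m.group(2).lower()
            i += m.end()
            if i < n and selector[i] == "(":          # functional pseudo-class
                close = _matching_paren(selector, i)
                inner = selector[i + 1:close]
                i = close + 1
                if name == "where":
                    continue                          # zero by definition
                if name in ("is", "not", "has"):
                    best = max(specificity(arg) for arg in _split_top_level(inner))
                    ids, classes, elements = ids + best[0], classes + best[1], elements + best[2]
                    continue
            if pseudo_element:
                elements += 1
            else:
                classes += 1
        elif ch == "#":
            ids += 1
            i += re.match(r"#[-\w]+", selector[i:]).end()
        elif ch == ".":
            classes += 1
            i += re.match(r"\.[-\w]+", selector[i:]).end()
        elif ch == "[":                               # attribute selector counts as a class
            classes += 1
            i = selector.index("]", i) + 1
        elif ch.isalpha():                            # type selector
            elements += 1
            i += re.match(r"[-\w]+", selector[i:]).end()
        else:
            i += 1                                    # '*', combinators and whitespace add nothing
    return (ids, classes, elements)


def winning_rule(rules):
    """Return the (selector, declaration) pair that wins for an element all of them match.

    Higher specificity wins; on a tie the later rule in stylesheet order wins.
    !important and cascade layers are ignored.
    """
    best = max(range(len(rules)), key=lambda k: (specificity(rules[k][0]), k))
    return rules[best]


# Constructed selectors (assumptions, not copied from WordPress core or any theme):
# the old core shape, the :where()-wrapped shape modelled on the 6.6 change, and a
# theme rule with a simpler selector that is loaded after the core stylesheet.
CORE_OLD = (".wp-block-button .wp-element-button", "border-radius: 9999px")
CORE_NEW = (":root :where(.wp-block-button .wp-element-button)", "border-radius: 9999px")
THEME = (".wp-element-button", "border-radius: 4px")

if __name__ == "__main__":
    for core in (CORE_OLD, CORE_NEW):
        print(core[0], specificity(core[0]), "| theme", specificity(THEME[0]))
        print("  theme rule wins:", winning_rule([core, THEME]) == THEME)
```

With the old core selector at (0,2,0) the theme's (0,1,0) rule loses even though it is loaded later; once core wraps its selector in `:where()`, both sit at (0,1,0) and source order lets the theme win. That is the override behaviour 6.6 was after, and it is also why a regression in those selectors shows up as visible layout changes rather than as an error.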

Other Fixes

This maintenance release contains 15 fixes to the WordPress core and 11 fixes to the Gutenberg block editor.

Examples of fixes in the Core included in the maintenance release:

Sample Of Fixes In Gutenberg:

Reception Of 6.6.2

Publishers who haven’t yet applied this update should feel confident about upgrading. Initial reports in the private Dynamic WordPress Facebook group are positive, with the group’s admin, David McCan, reporting that he rolled it out to ten sites without experiencing any issues (link to discussion; you must join the Facebook group to read it).

Read The Official WordPress announcement

WordPress 6.6.2 Maintenance Release

Featured Image by Shutterstock/Cast Of Thousands

New LiteSpeed Cache Vulnerability Puts 6 Million Sites at Risk via @sejournal, @martinibuster

Another vulnerability was discovered in the LiteSpeed Cache WordPress plugin—an Unauthenticated Privilege Escalation that could lead to a total site takeover. Unfortunately, updating to the latest version of the plugin may not be enough to resolve the issue.

LiteSpeed Cache Plugin

The LiteSpeed Cache Plugin is a website performance optimization plugin that has over 6 million installations. A cache plugin stores a static copy of the data used to create a web page so that the server doesn’t have to repeatedly fetch the exact same page elements from the database every time a browser requests a web page.

Storing the page in a “cache” reduces server load and speeds up delivery of a web page to a browser or a crawler.

LiteSpeed Cache also does other page speed optimizations like compressing CSS and JavaScript files (minifying), puts the most important CSS for rendering a page in the HTML code itself (inlined CSS) and other optimizations that together make a site faster.

Unauthenticated Privilege Escalation

An unauthenticated privilege escalation is a type of vulnerability that allows an attacker to gain elevated privileges on a site without first signing in as any user. This makes it easier to exploit than an authenticated vulnerability, which requires the attacker to first obtain an account at a certain privilege level before launching the attack.

Unauthenticated privilege escalation typically stems from a flaw in a plugin (or theme), and in this case the flaw is a data leak.

Patchstack, the security company that discovered the vulnerability, writes that it can only be exploited if either of two conditions holds:

“Active debug log feature on the LiteSpeed Cache plugin.

Has activated the debug log feature once before (not currently active now) and the /wp-content/debug.log file is not purged or removed.”

Discovered By Patchstack

The vulnerability was discovered by researchers at Patchstack, a WordPress security company that offers a free vulnerability warning service and advanced protection for as little as $5/month.

Oliver Sild Founder of Patchstack explained to Search Engine Journal how this vulnerability was discovered and warned that updating the plugin is not enough, that a user still needs to manually purge their debug logs.

He shared these specifics about the vulnerability:

“It was found by our internal researcher after we processed the vulnerability from a few weeks ago.

Important thing to keep in mind with this new vulnerability is that even when it gets patched, the users still need to purge their debug logs manually. It’s also a good reminder not to keep debug mode enabled in production.”

Recommended Course of Action

Patchstack recommends that users of LiteSpeed Cache WordPress plugin update to at least version 6.5.0.1.
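Both preconditions above come down to a debug log file sitting inside the web root (wp-content/debug.log), where anything written into it can typically be fetched over HTTP by anyone who knows the path. The script below is an added example, not Patchstack’s or LiteSpeed’s code: it parses the WP_DEBUG* constants from wp-config.php, flags a core debug log configured inside the web root, debug logging left switched on, and a stale wp-content/debug.log, then rewrites the config so that any future log lands outside the web root and removes the stale file. The wp-config.php fragment and the log line are constructed, and /var/log/wordpress/debug.log is an assumed destination. It covers WordPress core’s own log; a plugin’s debug feature is toggled in that plugin’s settings and must be switched off there as well.

```python
import os
import re
import tempfile

# Constructed sample wp-config.php fragment (not taken from any real site): debug
# logging was switched on at some point and the file is still inside wp-content.
SAMPLE_WP_CONFIG = """<?php
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
"""

# Matches define( 'WP_DEBUG...', true|false|'path' ) in any common spacing.
_DEFINE = re.compile(
    r"""define\(\s*['"](WP_DEBUG\w*)['"]\s*,\s*(true|false|['"][^'"]*['"])\s*\)""", re.I)


def parse_debug_settings(config_text):
    """Return the WP_DEBUG* constants from wp-config.php as Python values."""
    settings = {}
    for name, raw in _DEFINE.findall(config_text):
        raw = raw.strip()
        if raw.lower() in ("true", "false"):
            settings[name.upper()] = raw.lower() == "true"
        else:
            settings[name.upper()] = raw[1:-1]      # quoted path string
    return settings


def debug_log_location(settings, wp_content_dir):
    """Where WordPress core writes its debug log for the parsed constants.

    WP_DEBUG_LOG === true means wp-content/debug.log; a string is used as the
    path (supported since WordPress 5.1); anything else means no core log.
    """
    value = settings.get("WP_DEBUG_LOG", False)
    if value is True:
        return os.path.join(wp_content_dir, "debug.log")
    if isinstance(value, str) and value:
        return value
    return None


def audit(wp_root):
    """List debug-log exposure findings for the WordPress install at wp_root."""
    wp_content = os.path.join(wp_root, "wp-content")
    with open(os.path.join(wp_root, "wp-config.php")) as fh:
        settings = parse_debug_settings(fh.read())
    findings = []
    log_path = debug_log_location(settings, wp_content)
    web_root = os.path.realpath(wp_root) + os.sep
    if log_path and os.path.realpath(log_path).startswith(web_root):
        findings.append("WP_DEBUG_LOG writes inside the web root: %s" % log_path)
    if settings.get("WP_DEBUG") and settings.get("WP_DEBUG_LOG"):
        findings.append("debug logging is enabled; disable it in production")
    stale = os.path.join(wp_content, "debug.log")
    if os.path.exists(stale):
        findings.append("stale debug.log present (%d bytes); purge it" % os.path.getsize(stale))
    return findings


def harden_config(config_text, log_path="/var/log/wordpress/debug.log"):
    """Rewrite the WP_DEBUG* defines: logging off, future logs outside the web root."""
    wanted = {"WP_DEBUG": "false", "WP_DEBUG_LOG": "'%s'" % log_path, "WP_DEBUG_DISPLAY": "false"}

    def swap(m):
        name = m.group(1).upper()
        return "define( '%s', %s )" % (name, wanted[name]) if name in wanted else m.group(0)

    return _DEFINE.sub(swap, config_text)


def purge_stale_log(path):
    """Delete a leftover debug log; returns True if a file was removed."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def demo():
    """Build a throwaway install in a temp dir, audit it, harden it, audit again."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "wp-content"))
        config_path = os.path.join(root, "wp-config.php")
        with open(config_path, "w") as fh:
            fh.write(SAMPLE_WP_CONFIG)
        with open(os.path.join(root, "wp-content", "debug.log"), "w") as fh:
            fh.write("[01-Sep-2024 10:00:00 UTC] constructed sample log line\n")
        before = audit(root)
        with open(config_path) as fh:
            hardened = harden_config(fh.read())
        with open(config_path, "w") as fh:
            fh.write(hardened)
        purge_stale_log(os.path.join(root, "wp-content", "debug.log"))
        after = audit(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Run against a real install, `audit("/var/www/html")` gives the three findings for the weak configuration and none after `harden_config` plus `purge_stale_log`. Moving the log outside the document root is the durable fix; blocking `debug.log` in the web server configuration is a reasonable belt-and-braces addition, but it does nothing for a file that has already been read.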

Read the advisory at Patchstack:

Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin

Featured Image by Shutterstock/Teguh Mujiono

WordPress Just Locked Down Security For All Plugins & Themes via @sejournal, @martinibuster

WordPress announced a major clampdown to protect its plugin and theme ecosystem against weak and reused developer passwords. The changes follow a run of attacks in June that compromised multiple plugins at the source.

Improves Plugin Developer Security

This WordPress security update closes a gap that let attackers take passwords exposed in unrelated breaches and try them against developer accounts that reused the same credentials and held "commit access", the right to change plugin code directly at the source (credential stuffing). That gap is how attackers compromised multiple plugins beginning in late June of this year.

Double Layer Of Developer Security

WordPress is introducing two layers of security: one on the individual developer account and a second on code commit access. This separates the author's login credentials from the credential used to commit code.

1. Two-Factor Authentication

The first improvement is mandatory two-factor authentication (2FA) for all plugin and theme authors, enforced beginning October 1, 2024. WordPress.org is already prompting users to enable 2FA, and users can configure it from their WordPress.org profile.

2. SVN Passwords

WordPress also announced SVN (Subversion) passwords: a dedicated password used only to authenticate commits to the Subversion repositories where plugin and theme code is hosted, separate from the password used to sign in to WordPress.org. A leaked account password on its own then no longer grants commit access, and a leaked SVN password can be revoked without touching the account login.

The WordPress announcement explains:

“We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials. Generate your SVN password in your WordPress.org profile.”

WordPress noted that technical limitations prevent 2FA from being applied to the existing SVN code repositories, which is why commits are protected by a separate SVN password rather than by 2FA.
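The separation only holds if the new credential is not left lying around in the clear on the developer's machine, and Subversion's client will cache it that way by default if asked. The script below is an added example, not code from the article or WordPress.org. It parses the cache records Subversion keeps under ~/.subversion/auth/svn.simple/ (a "K <len> / V <len>" record format ending in END, where a `passtype` of `simple` means the `password` field is stored in plaintext) and the [global] section of ~/.subversion/servers, whose store-passwords and store-plaintext-passwords settings control that caching, and reports what to change. The sample files are constructed, and the realm string is an assumed value.

```python
"""Added example, not code from the article or WordPress.org: check that a
developer's Subversion client is not undoing the new SVN-password separation by
caching that credential in plaintext on disk.

Facts relied on: Subversion caches credentials under ~/.subversion/auth/svn.simple/
as "K <len> / V <len>" records ending in END, and when `passtype` is `simple` the
`password` field holds the secret in the clear; the [global] section of
~/.subversion/servers controls this with store-passwords (default yes) and
store-plaintext-passwords (default ask). The sample files below are constructed,
and the record parser assumes ASCII values (lengths are byte counts).
"""
import configparser


def _read_field(text: str, pos: int, tag: str):
    """Read one 'TAG <len>\\n<value>\\n' field at pos; return (value, next_pos)."""
    nl = text.index("\n", pos)
    prefix, _, length = text[pos:nl].partition(" ")
    if prefix != tag:
        raise ValueError(f"expected {tag} header at offset {pos}, got {text[pos:nl]!r}")
    start = nl + 1
    end = start + int(length)
    if text[end:end + 1] != "\n":
        raise ValueError(f"declared length {length} does not match the value")
    return text[start:end], end + 1


def parse_svn_auth_record(text: str) -> dict:
    """Parse one svn.simple cache file into a dict of its fields."""
    record, pos = {}, 0
    while not text.startswith("END", pos):
        key, pos = _read_field(text, pos, "K")
        value, pos = _read_field(text, pos, "V")
        record[key] = value
    return record


def build_svn_auth_record(fields: dict) -> str:
    """Inverse of the parser; used here only to construct sample files."""
    body = "".join(f"K {len(k)}\n{k}\nV {len(v)}\n{v}\n" for k, v in fields.items())
    return body + "END\n"


def plaintext_caching_allowed(servers_ini: str) -> bool:
    """True unless ~/.subversion/servers forbids plaintext caching outright."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(servers_ini)
    if not cp.has_section("global"):
        return True
    g = cp["global"]
    if g.get("store-passwords", "yes").strip().lower() == "no":
        return False
    return g.get("store-plaintext-passwords", "ask").strip().lower() != "no"


def audit(servers_ini: str, auth_records: list) -> list:
    """Return the problems found; an empty list means the separation holds on this machine."""
    problems = []
    if plaintext_caching_allowed(servers_ini):
        problems.append("~/.subversion/servers: add store-plaintext-passwords = no "
                        "under [global] (or store-passwords = no to cache nothing)")
    for raw in auth_records:
        rec = parse_svn_auth_record(raw)
        if rec.get("passtype") == "simple" and "password" in rec:
            problems.append(f"plaintext SVN password cached for {rec.get('username', '?')} "
                            f"at {rec.get('svn:realmstring', '?')}: delete that cache file "
                            "and re-authenticate after fixing the config")
    return problems


# Constructed samples; the realm string is an assumed value, not copied from WordPress.org.
WEAK_SERVERS = "[global]\nstore-passwords = yes\n"
HARDENED_SERVERS = "[global]\nstore-passwords = yes\nstore-plaintext-passwords = no\n"
REALM = "<https://plugins.svn.wordpress.org:443> plugins.svn.wordpress.org"
PLAINTEXT_RECORD = build_svn_auth_record({
    "passtype": "simple", "password": "svn-app-pw-1",
    "svn:realmstring": REALM, "username": "devuser",
})
KEYRING_RECORD = build_svn_auth_record({
    "passtype": "gnome-keyring", "svn:realmstring": REALM, "username": "devuser",
})

if __name__ == "__main__":
    for problem in audit(WEAK_SERVERS, [PLAINTEXT_RECORD, KEYRING_RECORD]):
        print("-", problem)
```

The point of the check is the second finding: a record whose passtype is simple carries the SVN password in the clear, so a stolen laptop image or a careless backup hands over commit access just as a reused login password did; records backed by a keyring have no password field to steal.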

Takeaway: Vastly Improved WordPress Security

These changes will result in greater security for the entire WordPress ecosystem and help ensure that plugins and themes are trustworthy and not compromised at the source.

Read the announcement

Upcoming Security Changes for Plugin and Theme Authors on WordPress.org

Featured Image by Shutterstock/Cast Of Thousands

Vulnerabilities In Two WordPress Contact Form Plugins Affect +1.1 Million via @sejournal, @martinibuster

Advisories have been issued regarding vulnerabilities discovered in two of the most popular WordPress contact form plugins, potentially affecting over 1.1 million installations. Users are advised to update their plugins to the latest versions.

+1 Million WordPress Contact Forms Installations

The affected contact form plugins are Ninja Forms (over 800,000 installations) and Contact Form Plugin by Fluent Forms (over 300,000 installations). The vulnerabilities are not related to each other and arise from separate security flaws.

Ninja Forms is affected by a failure to escape a URL, which can lead to a reflected cross-site scripting (reflected XSS) attack, while the Fluent Forms vulnerability is due to an insufficient capability check.

Ninja Forms Reflected Cross-Site Scripting

A reflected cross-site scripting vulnerability, the type that affects Ninja Forms, lets an attacker run script in the browser of a logged-in user, for example an administrator, and act with that user's privileges on the site. It requires an extra step: the victim has to be tricked into clicking a crafted link while logged in. This vulnerability is still being assessed and has not yet been assigned a CVSS severity score.
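What "failure to escape a URL" looks like in practice, as an added example that is not Ninja Forms code: a form renderer that echoes the request URI into an attribute, beside one that escapes it first. The esc_url function here approximates what WordPress's real esc_url() has to do (scheme allow-list, percent-encoding, attribute-safe HTML escaping) and is not that function; the attack URL is constructed.

```python
"""Added example, not Ninja Forms code: the shape of a reflected XSS through an
unescaped URL, beside the escaping that defeats it. The form renderer, the
esc_url() approximation and the attack URL are all constructed for
illustration; WordPress's real esc_url() does more than this.
"""
import html
from urllib.parse import quote, urlsplit

# Constructed attack URL: the victim is lured to the site's own contact page with
# this query string; the page reflects it, so the script runs in the victim's
# session (which is why the article says an admin must be tricked into clicking).
ATTACK_URI = '/contact/?ref="><script>alert(document.cookie)</script>'


def render_form_vulnerable(request_uri: str) -> str:
    """Echoes the request URI straight into an attribute. A double quote in the
    URI closes the attribute and everything after it is parsed as markup."""
    return f'<form method="post" action="{request_uri}">...</form>'


def esc_url(url: str) -> str:
    """Approximation of what a safe URL escaper must do:
    1. allow only schemes a form may post to (drops javascript:, data:, ...),
    2. percent-encode characters that have no business in a URL (quotes, angle
       brackets, spaces),
    3. HTML-escape the result so it cannot break out of an attribute."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ""
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return ""
    cleaned = quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")
    return html.escape(cleaned, quote=True)


def render_form_hardened(request_uri: str) -> str:
    """Same markup, but the URI goes through esc_url() first."""
    return f'<form method="post" action="{esc_url(request_uri)}">...</form>'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Crude oracle for the demo: did a new tag appear inside the form markup?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_form_vulnerable(ATTACK_URI))
    print(render_form_hardened(ATTACK_URI))
```

The vulnerable renderer emits the attacker's script tag as live markup; the hardened one emits the same characters percent-encoded, so the browser sees a harmless query string and the attribute never closes early. Step 1 matters as much as step 3: without the scheme check, a payload of the form javascript: would survive escaping intact and run when the form is submitted.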

Fluent Forms Missing Authorization

The Fluent Forms contact form plugin is missing a capability check, which could allow a low-privileged user to modify the Mailchimp API key used by the plugin's integration (an API key is the credential one piece of software presents to authenticate to another's API).

This vulnerability requires an attacker to first obtain a subscriber-level account, which is possible on WordPress sites that have user registration turned on but not on those that don't. It was assigned a CVSS score of 4.2, a medium severity, on a scale of 0 to 10.

Wordfence describes this vulnerability:

“The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18.

This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.”
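The Wordfence description names two separate defects, and the second explains why a settings change becomes a redirect: Mailchimp API keys end in a server prefix (for example us21) that client code turns into the hostname https://us21.api.mailchimp.com/3.0/, so an unvalidated key can carry any hostname. The following is an added example, not Fluent Forms or Wordfence code: a plain-Python model of a handler that stores the key without a capability check or validation, beside the corrected handler. Users, roles, the settings object and the handler names are modelled here; they are not the plugin's.

```python
"""Added example, not Fluent Forms or Wordfence code: a plain-Python model of the
two defects in the Wordfence description (a settings handler that updates a
Mailchimp API key without checking the caller's capability, and a key that is
used without validation to build the API hostname), beside the corrected handler.

Facts relied on: WordPress Subscribers do not hold manage_options; Mailchimp API
keys look like <32 hex chars>-<server prefix> and clients derive the base URL
https://<server prefix>.api.mailchimp.com/3.0/ from the suffix. Users, roles,
settings and the handler signatures are modelled here, not taken from the plugin.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Minimal slice of WordPress's role -> capability map (assumed for the model).
CAPABILITIES = {
    "administrator": {"manage_options", "read"},
    "subscriber": {"read"},
}

MAILCHIMP_KEY = re.compile(r"[0-9a-f]{32}-[a-z]{2}\d{1,2}")


@dataclass
class User:
    login: str
    role: str

    def can(self, capability: str) -> bool:
        return capability in CAPABILITIES.get(self.role, set())


@dataclass
class Settings:
    mailchimp_api_key: str = ""


class Forbidden(Exception):
    pass


class InvalidKey(ValueError):
    pass


def mailchimp_base_url(api_key: str) -> str:
    """How integration code derives its endpoint: the text after the last dash names
    the datacenter. Unvalidated, that text can name any host the attacker likes."""
    server = api_key.rsplit("-", 1)[-1]
    return f"https://{server}.api.mailchimp.com/3.0/"


def api_host(api_key: str) -> str:
    """Where requests for this key would actually go."""
    return urlsplit(mailchimp_base_url(api_key)).hostname or ""


def update_key_vulnerable(user: User, settings: Settings, new_key: str) -> Settings:
    """The defect: any logged-in user can store any string as the key."""
    settings.mailchimp_api_key = new_key
    return settings


def update_key_fixed(user: User, settings: Settings, new_key: str) -> Settings:
    """Capability check first, then format validation (a nonce check would sit
    alongside the capability check in a real admin-ajax handler)."""
    if not user.can("manage_options"):
        raise Forbidden(f"{user.login} ({user.role}) may not change integration settings")
    if not MAILCHIMP_KEY.fullmatch(new_key):
        raise InvalidKey("value is not a Mailchimp API key")
    settings.mailchimp_api_key = new_key
    return settings


def try_update(handler, user: User, new_key: str) -> str:
    """Run a handler on fresh settings and report the outcome as a short string."""
    try:
        handler(user, Settings(), new_key)
    except Forbidden:
        return "forbidden"
    except InvalidKey:
        return "invalid"
    return "stored"


# Constructed sample values.
GOOD_KEY = "0123456789abcdef0123456789abcdef-us21"
EVIL_KEY = "0123456789abcdef0123456789abcdef-attacker.example/"
SUBSCRIBER = User("mallory", "subscriber")
ADMIN = User("alice", "administrator")

if __name__ == "__main__":
    print("vulnerable, subscriber, evil key:",
          try_update(update_key_vulnerable, SUBSCRIBER, EVIL_KEY), "->", api_host(EVIL_KEY))
    print("fixed, subscriber, good key:", try_update(update_key_fixed, SUBSCRIBER, GOOD_KEY))
    print("fixed, admin, evil key:", try_update(update_key_fixed, ADMIN, EVIL_KEY))
    print("fixed, admin, good key:",
          try_update(update_key_fixed, ADMIN, GOOD_KEY), "->", api_host(GOOD_KEY))
```

With the vulnerable handler, a subscriber stores EVIL_KEY and every subsequent integration request, form submissions included, is sent to attacker.example. The fix needs both halves: the capability check stops the subscriber, and the format check stops an administrator's pasted value (or a compromised admin session) from pointing the integration at a host that is not Mailchimp's.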

Recommended Action

Users of both plugins are advised to update to the latest version. Fluent Forms is currently at version 5.2.0; the latest version of Ninja Forms is 3.8.14.

Read the NVD Advisory for Ninja Forms Contact Form plugin: CVE-2024-7354

Read the NVD advisory for the Fluent Forms contact form: CVE-2024

Read the Wordfence advisory on Fluent Forms contact form:
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 – Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification

Featured Image by Shutterstock/Cast Of Thousands