Mullenweg: WP Engine Filed Legal Action Against WordPress via @sejournal, @martinibuster

Matt Mullenweg, co-founder of WordPress and CEO of Automattic, announced on Reddit that WP Engine initiated legal action against WordPress, Automattic, and Mullenweg himself. Mullenweg wrote that WordPress is countersuing.

WP Engine is a leading managed WordPress host provider that Mullenweg alleges is violating the WordPress trademark.

Mullenweg’s comments came in a Reddit thread titled “Matt Mullenweg needs to step down from WordPress.org leadership ASAP” in which he explained his side of the issue with WP Engine.

He wrote that he discussed the situation with the WP Engine employees attending the WordCamp WordPress conference last Friday, in which he mentioned possibly banning WP Engine, and that he was trying to resolve his issue with the company up until his closing Q&A, which he decided to turn into a speech against WP Engine.

Mullenweg described visiting the WP Engine booth at WordCamp and offering to print the employees new attendee badges in the event that WP Engine was banned.

His description:

“That *if* we had to take down the WP Engine booth and ban WP Engine that evening, my colleague Chloé could print them all new personal badges if they still wanted to attend the conference personally, as they are community members, not just their company.”

Mullenweg insisted that he tried to resolve the conflict:

“The entire day I was in discussions with Heather Brunner and Lee Wittlinger trying to de-escalate and resolve their trademark violations and bad behavior in the WordPress community. I returned to the booth around 4:30 PM to say that I had finally gotten a message back from Lee and Heather and was optimistic we could reach a solution so the booth would not be taken down that evening.

I wanted to resolve everything before my presentation on Friday afternoon, where I was either going to do normal Q&A as planned or present the case for what WP Engine has done wrong. Heather and Lee responded to my text messages, but refused to get on a call or reach any sort of verbal understanding with me, and so I delivered the presentation. I was calling both backstage literally minutes before I got on, trying to avoid this entire scenario.

WP Engine has now filed formal legal action against WordPress.org, myself, Automattic, and we are doing the same against them, so I may not be able to comment on this too much in the future.”

Reactions To Mullenweg’s Post

As of this moment there has been no public announcement by WP Engine. Some Redditors in that discussion were incredulous that Mullenweg set a deadline of that afternoon to finalize a solution with WP Engine.

One Redditor posted:

“What could possibly be resolved in a few hours at a conference? Were they to change their name and cut a fat check that day?”

Mullenweg responded:

“They have been stringing things along for years, it appears their main strategy is just to delay resolution while they continue their bad behavior, printing cash.”

This is a developing story, more will be added as it becomes known.

Read Mullenweg’s post:

To be very clear, I was 100% cordial and polite to everyone at the booth


WordPress Co-Founder Mullenweg Sparks Backlash

Matt Mullenweg, co-founder of the WordPress.org content management system and CEO of Automattic, ended a successful WordCamp USA conference with a poorly received keynote that sharply criticized a prominent managed WordPress web host. The overwhelming response to his statements, and to a subsequent blog post that continued his combative remarks, was negative.

The response on social media to his speech and blog post was so immense that at one point “WordPress” was the number one trending topic on X (formerly Twitter).

This article doesn’t take sides; it only reports what was said and the general response to it.

What Happened

WordPress is built on the idea of a worldwide community working together to create an open source system for publishing ideas. It has created perhaps millions of jobs, enabled countless ecommerce companies to sell online, and created multiple markets and services that would not otherwise exist, all of it built on the idea of community.

WordCamp is the physical manifestation of the WordPress community, a conference organized by volunteers that enables WordPress users at every level to meet and exchange ideas. It’s ordinarily an uplifting and inspirational event, which is why nobody was prepared for the bombshell that would close the week of events beginning on September 17th and ending on the 20th.

It’s not that there weren’t hints. Matt Mullenweg published a blog post on the first day of the conference that begins on a cheerful note then becomes progressively darker.

He begins by praising the community that powers WordPress and is responsible for WordCamp:

“If you ever have a chance to visit a WordCamp, I recommend it. It’s an amazing group of people brought together by this crazy idea that by working together regardless of our differences or where we came from or what school we went to we can be united by a simple yet groundbreaking idea: that software can give you more Freedom.”

Mullenweg then criticized Meta as “disingenuously” claiming to participate in the open source movement and then praised companies that give back to the open source WordPress community as part of the Five for the Future program (in which companies are encouraged to put 5% back into growing the WordPress platform).

He then openly criticized WP Engine for not contributing enough.

The amount that companies give back to WordPress was the ax that Mullenweg swung in his conference-closing keynote on Friday, specifically calling out WP Engine by name.

Ending A Conference On A Low Note

Mullenweg stated that there are some companies that use up resources without giving back, following up by pointing a finger at WP Engine for only sponsoring 40 hours per week of work toward improving the WordPress core.

He said:

“And there are those that treat open source simply as a resource to extract from its natural surroundings, like oil from the grounds, a finite resource, something to be extracted and used.

…a lot of this information that I’m sharing with you all has come from WP engine employees who’ve reached out to me and talked to me about all this. So thank you all for being brave and for sharing this information that you think your company is doing something wrong.

WP Engine has good people, some of whom are listed on that page, but the company is controlled by Silver Lake, a private equity firm with 102 billion in assets under management. Silver Lake doesn’t give a dang about your open source ideals, it just wants return on capital.”

Matt Mullenweg then took the step of encouraging the WordPress community to find a different web host. He didn’t directly name WP Engine or call for a boycott, but the meaning of his words was not lost on the audience, given that he had just accused WP Engine of not giving “a dang about …open source ideals.”

He said:

“So it’s at this point that I ask everyone in the WordPress community to go vote with your wallet. Who are you giving your money to? Someone who is going to nourish the ecosystem or someone is going to frack every bit of value out of it until it withers?”

Followed a minute later with:

“Think about that next time it comes up to renew your hosting or domain. Weigh your dollars towards companies that give back more…

Those of us who are makers who curate the source need to be wary of those who take our curations and squeeze out the juice. They’re grifters who will hop on to the next fad.”

Mullenweg said that he tried to speak with them beforehand but couldn’t get through.

Shocked Audience Sides With WP Engine

Near the end of his keynote, Mullenweg’s comment about a potential ban on WP Engine at future WordCamps was met with surprising silence from the audience, with only a few applauding.

Matt Cromwell, co-founder of GiveWP, tweeted:

“No one I spoke with at #wcus sympathized with @photomatt’s take on @wpengine’s contributions to WP.

One thing is clear: if you want to encourage more contributions to WP don’t light contributors on fire on stage. There’s more to the story between A8C and Silver Lake than we know”

Someone else tweeted:

“I didn’t know how to feel after the public shaming of WP Engine by Matt today. I tried to see both sides….and I felt upset at WP Engine & at Matt at the same time.

After seeing what transpired the hours since on X, I believe it was wrong to call out WP Engine and believe this did more harm.”

Another wrote:

“I work very closely with @WPEngine in my day job. They’ve got some fantastic people over there, and are doing many different things to further WordPress in many different ways.

And I will continue to work with them happily.”

Mullenweg Doubles Down

Mullenweg’s keynote wasn’t the end of his criticism. On Saturday he published an article on the official WordPress.org blog that amplified the remarks from his keynote and also generated a largely negative response on social media, with some on X and Facebook even calling for him to step down.

Mullenweg wrote:

“I spoke yesterday at WordCamp about how Lee Wittlinger at Silver Lake, a private equity firm with $102B assets under management, can hollow out an open source community. Today, I would like to offer a specific, technical example of how they break the trust and sanctity of our software’s promise to users to save themselves money so they can extract more profits from you.”

The rest of the blog post gets worse.

Backlash Overwhelmingly Against Mullenweg

One of the cleverest responses was published on the WPHercules website: a word-for-word copy of Mullenweg’s article with the words “WP Engine” replaced by “WordPress.com” (the managed WordPress hosting service), titled “WordPress.com Is Not WordPress.org”.

WordPress agency owner Kevin Geary wrote in a blog response:

“This wasn’t my first WordCamp, but I legitimately felt bad for first-timers. Imagine an awesome and uplifting week ending like the Payback scene in The Sum of All Fears… A little awkward.

…Matt has presumably attempted diplomacy multiple times in different ways over the years as he passed that collection plate around, but without great success when it comes to WP Engine.

The question now becomes, is public ridicule and shame a valid approach? And should this ridicule and shame get delivered in the closing talk at a WordCamp?”

A WordPress community member tweeted that the post was “ridiculous and completely unnecessary” and that WP apparently stands for “We’re petty.”

A negative tweet that is representative of the general mood:

“It’s been concerning for a few years now – at least for me. I don’t think a CEO should attack people/corps based on personal opinions, no matter if right or wrong. Not good for the WordPress ecosystem tbh. Agree?”

Another member of the WordPress community tweeted:

“When I go to an event or trade show, I do not assume the organizers support or endorse every vendor.

I also don’t expect them to criticize any vendor publicly at the event.”

Another tweet:

“Congrats on embarrassing yourself and alienating the #WordPress community to close out #WCUS! Truly inspirational.”

And another:

“There’s been talk of the “existential” threat to WordPress’ standing for a number of years. Now it’s crystal clear that Matt is that existential threat.”

Targeting Of WP Engine Perceived As Unfair

This article isn’t taking sides; it only reports what was said and how the WordPress community responded.

Some background for those who may not be aware: WP Engine is a managed web host that voluntarily contributes to the development of WordPress core, supports WordCamp, and develops free plugins used by millions of WordPress publishers, such as Advanced Custom Fields, LocalWP, WPGraphQL, Better Search Replace, and WP Migrate Lite.

The backlash on social media is firmly against Matt Mullenweg, including in the private Facebook group Dynamic WordPress (registration required) where a discussion generated over 100 posts. One member of the group who attended WordCamp remarked on the shocked faces of WordCamp attendees and more than one person wrote “Matt needs to go!” as others sympathized with WP Engine.

Watch Mullenweg’s keynote at the 7:08:25 mark (7 hours, 8 minutes, 25 seconds):


Patchstack WordPress Security Secures $5M, Adds Yoast Co-Founder to Board

WordPress security company Patchstack announced a round of $5 million USD funding and the addition of Joost de Valk, co-founder of Yoast SEO, to their board. The funding will accelerate the development of Patchstack toward becoming the fastest full-cycle security solution.

Patchstack – Trusted Security Partner

Patchstack, based in Estonia, is a fast-growing WordPress security company that is trusted by major web hosts, plugins and websites around the world. It recently released a free security tool for open-source software vendors that helps them comply with the upcoming European Cyber Resilience Act.

Patchstack is a highly regarded WordPress security company that is trusted by customers such as GoDaddy, Digital Ocean, Plesk, and cPanel and is a security partner with over 300 WordPress plugins such as Elementor, WP Rocket, WP Bakery Page Builder and Slider Revolution.

Patchstack provides security scans for over five million websites every day and offers a free plugin for vulnerability detection and low-cost real-time protection (starting at $5 per website/month).

The announcement by Patchstack offers details of the $5 million funding:

“Estonian cybersecurity startup Patchstack, which in 2022 received a €2.7M R&D grant from the European Innovation Council, announced an additional 5 million USD funding round to further their mission of covering the entire lifecycle of open-source security to provide the fastest mitigation to emerging security threats.

Patchstack’s Series A round was led by Karma Ventures, an early-stage venture capital fund focusing on deep-tech software companies, with participation from G+D Ventures, the German TrustTech investor, and Emilia Capital, the investment firm of Yoast founders Marieke van de Rakt and Joost de Valk.”

Joost de Valk commented to Search Engine Journal:

“Patchstack is really an amazing company and product. I recently joined their board.”

He’s right: Patchstack currently prevents millions of vulnerability attacks and should be on the shortlist of security solutions for every WordPress website. Although WordPress security is not considered an SEO-related concern, it should be an important factor in every SEO audit, because all it takes is one major vulnerability event to lose the trust of customers and site visitors, which can impact earnings and rankings.


New WordPress Plugin Simplifies Achieving Success

The co-founders of Yoast have launched a plugin that helps users plan tasks, defeat procrastination, and remove distractions, making it easier to achieve success. This plugin simplifies managing critical tasks like maintaining website health, publishing posts, and updating content.

Why This Plugin Helps Users Become Successful

One reason some websites fail to achieve all that they are capable of is a lack of momentum and consistent output. Creators who have a plan that is rigorously followed generally experience more success in search. Winning is fun, but getting there is not always fun.

Immediate rewards are a powerful motivator for success. This new plugin makes achievement feel instantly gratifying, which is why it deserves serious consideration.

Clarity, Focus And Achievements

Working at home as a solopreneur or with remote workers can be challenging because there are so many distractions. People are generally task oriented but not necessarily hard-wired to follow a mental list of things to do. It’s easier when someone tells you what to do but the reality is that we have to take charge and tell ourselves what to do in order to achieve great things.

That’s the brilliant thing about the new Progress Planner plugin: it allows users to create a road map to success within the context of the WordPress site itself, embedded within the environment the user is working in.

One of the ingenious features of Progress Planner is that it gamifies task completion with badges that remind users of how much they’ve achieved, subtly encouraging them to continue completing tasks. It’s literally rewarding the brain with feedback on completion of a task, a mental pat on the back.

The Progress Planner website describes the tool like this:

“It simplifies website management by providing a clear overview of your tasks, tracking your progress, and keeping you motivated.”

Money’s a nice motivator but immediate positive feedback is a powerful motivator for progressing from achievement to achievement.

Progress Planner Beta

The plugin is currently in Beta, which is one step ahead of the Alpha stage where bugs are worked out. This means that the plugin has full functionality but is still collecting feedback from users. Nevertheless, Progress Planner is ready for use right now and the official launch date is set for October 3, 2024.

The plugin is 100% free to use and a pro version is planned for sometime in the future that will add even more features.

Progress Planner, by the co-founders of Yoast, is available right now from the official WordPress Plugin Repository and also in the plugin dashboard in the WordPress admin.

Read more and download the plugin: Progress Planner Plugin At WordPress.org

Visit the Progress Planner Website: Progress Planner


New WordPress 6.6.2 Fixes Important Display Issue

WordPress 6.6.2 introduces 26 bug fixes, including an important one that resolves a CSS issue affecting site appearance. Fifteen fixes address the WordPress core, while eleven focus on the Gutenberg block editor.

Maintenance Release – CSS Specificity

WordPress maintenance releases aren’t generally major updates to WordPress and are intended to fix issues that were introduced through new features from the last major update, in this case version 6.6.

This maintenance release is no different and contains a fix for a feature called CSS specificity that was introduced in WordPress 6.6.

CSS is the code that controls what a web page looks like in terms of colors, sizes, margins and spacing. Specificity decides which style applies to a web page element (a section of the page or something more granular) when more than one rule targets it. In WordPress, “CSS Specificity” refers to a set of rules belonging to the WordPress core that determine which CSS property applies when there is ambiguity about which property should apply. It was initially developed as a way to make it simple for theme developers to overrule WordPress core styles with their own styles.

However, it was discovered that the implementation of CSS Specificity introduced several issues that significantly affected what the web page looked like.

WordPress 6.6.2 fixes this issue, and for that reason publishers who’ve had issues should consider updating.

Other Fixes

This maintenance release contains 15 fixes to the WordPress core and 11 fixes to the Gutenberg block editor.

Examples of fixes in the Core included in the maintenance release:

Sample Of Fixes In Gutenberg:

Reception Of 6.6.2

Publishers who haven’t yet applied this update should feel confident about upgrading to this version. Initial reports in the private Dynamic WordPress Facebook Group are positive, with the admin of the group, David McCan, reporting he’d rolled it out to ten sites without experiencing any issues (link to discussion, must join the Facebook group to read).

Read The Official WordPress announcement

WordPress 6.6.2 Maintenance Release


New LiteSpeed Cache Vulnerability Puts 6 Million Sites at Risk

Another vulnerability was discovered in the LiteSpeed Cache WordPress plugin—an Unauthenticated Privilege Escalation that could lead to a total site takeover. Unfortunately, updating to the latest version of the plugin may not be enough to resolve the issue.

LiteSpeed Cache Plugin

The LiteSpeed Cache Plugin is a website performance optimization plugin that has over 6 million installations. A cache plugin stores a static copy of the data used to create a web page so that the server doesn’t have to repeatedly fetch the exact same page elements from the database every time a browser requests a web page.

Storing the page in a “cache” reduces the server load and speeds up the time it takes to deliver a web page to a browser or a crawler.

LiteSpeed Cache also performs other page speed optimizations, like compressing CSS and JavaScript files (minifying), placing the most important CSS for rendering a page in the HTML code itself (inlined CSS), and other optimizations that together make a site faster.

Unauthenticated Privilege Escalation

An unauthenticated privilege escalation is a type of vulnerability that allows a hacker to attain site access privileges without having to sign in as a user. This makes it easier to hack a site in comparison to an authenticated vulnerability that requires a hacker to first attain a certain privilege level before being able to execute the attack.

Unauthenticated privilege escalation typically occurs because of a flaw in a plugin (or theme) and in this case it’s a data leak.

Patchstack, the security company that discovered the vulnerability, writes that the vulnerability can only be exploited under either of two conditions:

“Active debug log feature on the LiteSpeed Cache plugin.

Has activated the debug log feature once before (not currently active now) and the /wp-content/debug.log file is not purged or removed.”

Discovered By Patchstack

The vulnerability was discovered by researchers at the WordPress security company Patchstack, which offers a free vulnerability warning service and advanced protection for as little as $5/month.

Oliver Sild, founder of Patchstack, explained to Search Engine Journal how this vulnerability was discovered and warned that updating the plugin is not enough: a user still needs to manually purge their debug logs.

He shared these specifics about the vulnerability:

“It was found by our internal researcher after we processed the vulnerability from a few weeks ago.

Important thing to keep in mind with this new vulnerability is that even when it gets patched, the users still need to purge their debug logs manually. It’s also a good reminder not to keep debug mode enabled in production.”

Recommended Course of Action

Patchstack recommends that users of the LiteSpeed Cache WordPress plugin update to at least version 6.5.0.1.
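A self-check a site owner can run from the WordPress root to see whether either condition above applies and to purge the log, added here as an example; it is not Patchstack's or LiteSpeed's code. It assumes PHP 8 and the default wp-content/debug.log location unless wp-config.php names another path; when run with no arguments it builds a constructed throwaway fixture, and the optional site URL argument and the .htaccess rule it prints are illustrative.

```php
<?php
// debug-log-audit.php: added example, not Patchstack's or LiteSpeed's code (PHP 8+).
// Usage: php debug-log-audit.php /path/to/wordpress [https://example.com] [--purge]
// With no arguments it builds a throwaway fixture so the checks can be seen running.
declare(strict_types=1);

/** Read WP_DEBUG_LOG from wp-config.php: true, false, a custom log path, or null if not defined. */
function read_debug_log_setting(string $wp_config): bool|string|null
{
    if (!is_readable($wp_config)) {
        return null;
    }
    // Matches define( 'WP_DEBUG_LOG', true|false|'/custom/path.log' );
    $re = "/define\(\s*['\"]WP_DEBUG_LOG['\"]\s*,\s*(true|false|['\"]([^'\"]+)['\"])\s*\)/i";
    if (!preg_match($re, file_get_contents($wp_config), $m)) {
        return null;
    }
    if (strcasecmp($m[1], 'true') === 0) {
        return true;
    }
    return strcasecmp($m[1], 'false') === 0 ? false : $m[2];
}

/** Where WordPress writes the log: the configured custom path, else wp-content/debug.log. */
function resolve_debug_log_path(string $wp_root, bool|string|null $setting): string
{
    return is_string($setting) ? $setting : rtrim($wp_root, '/') . '/wp-content/debug.log';
}

/** Audit one install. Returns an array so the result can be acted on, not just printed. */
function audit_debug_log(string $wp_root, ?string $site_url = null): array
{
    $setting = read_debug_log_setting(rtrim($wp_root, '/') . '/wp-config.php');
    $path    = resolve_debug_log_path($wp_root, $setting);
    clearstatcache(true, $path);
    $report = [
        'logging_enabled'  => $setting === true || is_string($setting),
        'log_path'         => $path,
        'log_exists'       => is_file($path),
        'log_bytes'        => is_file($path) ? filesize($path) : 0,
        'public_url'       => null,
        'public_reachable' => null,
    ];
    // Only the default location sits under the web root; a custom path elsewhere is not served.
    if ($site_url !== null && !is_string($setting)) {
        $report['public_url'] = rtrim($site_url, '/') . '/wp-content/debug.log';
        $headers = @get_headers($report['public_url']);
        $report['public_reachable'] = $headers !== false && (bool) preg_match('/\s200\s/', $headers[0]);
    }
    // The advisory's second condition: a leftover log is a leak even after the plugin is updated.
    $report['at_risk'] = $report['log_exists'] && $report['log_bytes'] > 0;
    return $report;
}

/** Truncate the log in place (keeps path and permissions). True when nothing is left to leak. */
function purge_debug_log(string $path): bool
{
    if (!is_file($path)) {
        return true;
    }
    $ok = file_put_contents($path, '') !== false;
    clearstatcache(true, $path);
    return $ok && filesize($path) === 0;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $purge   = in_array('--purge', $argv, true);
    $args    = array_values(array_filter(array_slice($argv, 1), fn ($a) => $a !== '--purge'));
    $fixture = null;
    if ($args === []) {
        // Constructed fixture: a WordPress-like tree with debug logging left switched on.
        $fixture = sys_get_temp_dir() . '/wp-fixture-' . getmypid();
        mkdir($fixture . '/wp-content', 0700, true);
        file_put_contents($fixture . '/wp-config.php', "<?php\ndefine( 'WP_DEBUG', true );\ndefine( 'WP_DEBUG_LOG', true );\n");
        file_put_contents($fixture . '/wp-content/debug.log', "[01-Sep-2024 12:00:00 UTC] PHP Notice: constructed sample entry\n");
        $args  = [$fixture];
        $purge = true;
    }
    $report = audit_debug_log($args[0], $args[1] ?? null);
    foreach ($report as $k => $v) {
        printf("%-17s %s\n", $k . ':', var_export($v, true));
    }
    if ($report['at_risk']) {
        echo "Action: set WP_DEBUG_LOG to false in production and purge the log.\n";
        echo "Also deny web access with an Apache-style rule in wp-content/.htaccess:\n";
        echo "  <Files \"debug.log\">\n    Require all denied\n  </Files>\n";
    }
    if ($purge) {
        printf("purged: %s\n", purge_debug_log($report['log_path']) ? 'yes' : 'FAILED');
    }
    if ($fixture !== null) {
        unlink($fixture . '/wp-content/debug.log');
        unlink($fixture . '/wp-config.php');
        rmdir($fixture . '/wp-content');
        rmdir($fixture);
    }
}
```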

Read the advisory at Patchstack:

Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin


WordPress Just Locked Down Security For All Plugins & Themes

WordPress announced a major clampdown to protect its theme and plugin ecosystem from password insecurity. These improvements follow a flurry of attacks in June that compromised multiple plugins at the source.

Improves Plugin Developer Security

This WordPress security update fixes a flaw that allowed hackers to use compromised passwords from other breaches to unlock developer accounts that used the same credentials and had “commit access” enabling them to make changes to the plugin code right at the source. This closes a WordPress security gap that allowed hackers to compromise multiple plugins beginning in late June of this year.

Double Layer Of Developer Security

WordPress is introducing two layers of security, one on the individual developer account and a second one on the code commit access. This separates the author security credentials from the code committing environment.

1. Two-Factor Authentication

The first improvement to security is the imposition of mandatory two-factor authentication for all plugin and theme authors, which will be enforced beginning on October 1, 2024. WordPress is already prompting users to use 2FA. Users can also visit this page to configure their two-factor authentication.

2. SVN Passwords

WordPress also announced it will begin using SVN (Subversion) passwords, an additional layer of security for authenticating developers as part of the version control system. A dedicated SVN password ensures that only authorized individuals can commit changes to the code, adding a second layer of security to plugins and themes.

The WordPress announcement explains:

“We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials. Generate your SVN password in your WordPress.org profile.”

WordPress noted that technical limitations prevented them from applying 2FA to the existing code repositories, which is why a separate SVN password is used instead.

Takeaway: Vastly Improved WordPress Security

These changes will result in greater security for the entire WordPress ecosystem and contribute immensely to ensuring that all plugins and themes are trustworthy and not compromised at the source.

Read the announcement

Upcoming Security Changes for Plugin and Theme Authors on WordPress.org


Vulnerabilities In Two WordPress Contact Form Plugins Affect +1.1 Million

Advisories have been issued regarding vulnerabilities discovered in two of the most popular WordPress contact form plugins, potentially affecting over 1.1 million installations. Users are advised to update their plugins to the latest versions.

+1 Million WordPress Contact Forms Installations

The affected contact form plugins are Ninja Forms (with over 800,000 installations) and Contact Form Plugin by Fluent Forms (over 300,000 installations). The vulnerabilities are not related to each other and arise from separate security flaws.

Ninja Forms is affected by a failure to escape a URL which can lead to a reflected cross-site scripting attack (reflected XSS) and the Fluent Forms vulnerability is due to an insufficient capability check.

Ninja Forms Reflected Cross-Site Scripting

A Reflected Cross-Site Scripting vulnerability, which the Ninja Forms plugin is at risk for, can allow an attacker to target an admin-level user at a website in order to gain their associated website privileges. It requires the extra step of tricking an admin into clicking a link. This vulnerability is still undergoing assessment and has not been assigned a CVSS threat level score.

Fluent Forms Missing Authorization

The Fluent Forms contact form plugin is missing a capability check, which could lead to the unauthorized ability to modify an API integration (an API is a bridge between two different pieces of software that allows them to communicate with each other).

This vulnerability requires an attacker to first attain subscriber-level authorization, which can be achieved on WordPress sites that have the subscriber registration feature turned on but is not possible on those that don’t. This vulnerability was assigned a medium threat level score of 4.2 (on a scale of 1 – 10).

Wordfence describes this vulnerability:

“The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18.

This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.”
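The two defect classes described for these plugins, each beside a hardened counterpart, as an added illustration in WordPress plugin style. This is not the Ninja Forms or Fluent Forms source: the plugin name, fhx_* functions, AJAX actions, nonce and option names are invented, it assumes the usual Mailchimp key shape (32 hex characters plus a data-center suffix), and it runs only inside WordPress.

```php
<?php
/**
 * Plugin Name: Form Hardening Examples
 * Description: Added illustration, not Ninja Forms or Fluent Forms code. Shows the two
 *              defect classes above (unescaped URL output, missing capability check)
 *              next to hardened versions. All fhx_* names and option keys are made up.
 */

defined( 'ABSPATH' ) || exit;

/* ---- 1. Reflected XSS: a request value written into an href without escaping ---- */

// VULNERABLE: whatever arrives in ?back= is reflected into the page unchanged,
// so a crafted link an admin is tricked into clicking can inject markup or script.
function fhx_vulnerable_back_link() {
    $back = isset( $_GET['back'] ) ? $_GET['back'] : admin_url();
    echo '<a href="' . $back . '">Back to forms</a>';
}

// HARDENED: esc_url() rejects disallowed schemes and encodes characters that could
// terminate the attribute; wp_unslash() removes WordPress's request slashing first.
function fhx_hardened_back_link() {
    $back = isset( $_GET['back'] ) ? wp_unslash( $_GET['back'] ) : admin_url();
    echo '<a href="' . esc_url( $back ) . '">Back to forms</a>';
}

/* ---- 2. Missing authorization on an endpoint that stores an integration secret ---- */

// VULNERABLE: a nonce only proves the request originated from this site's own pages
// for a logged-in user. It says nothing about the user's role, so a Subscriber who
// can reach a page that prints the nonce may overwrite the integration key.
add_action( 'wp_ajax_fhx_save_mailchimp_key_vuln', 'fhx_vulnerable_save_key' );
function fhx_vulnerable_save_key() {
    check_ajax_referer( 'fhx_mailchimp', 'nonce' );
    update_option( 'fhx_mailchimp_api_key', wp_unslash( $_POST['api_key'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED: request origin (nonce) AND authorization (capability) AND validation of
// the submitted value. wp_send_json_error() ends the request, so nothing below it runs.
add_action( 'wp_ajax_fhx_save_mailchimp_key', 'fhx_hardened_save_key' );
function fhx_hardened_save_key() {
    check_ajax_referer( 'fhx_mailchimp', 'nonce' );

    // Only users allowed to manage site options may change an integration secret.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( ! fhx_is_valid_mailchimp_key( $key ) ) {
        wp_send_json_error( array( 'message' => 'Malformed API key.' ), 400 );
    }

    update_option( 'fhx_mailchimp_api_key', $key );
    wp_send_json_success();
}

// Assumption about key shape: Mailchimp keys are 32 hex characters plus a data-center
// suffix (e.g. -us21), and that suffix is the host prefix for API calls. Pinning the
// shape keeps free-form input from steering where integration requests are sent.
function fhx_is_valid_mailchimp_key( $key ) {
    return (bool) preg_match( '/^[a-f0-9]{32}-us[0-9]{1,2}$/', $key );
}

// Derive the API base from a validated key only, never from raw request input.
function fhx_mailchimp_api_base( $key ) {
    if ( ! fhx_is_valid_mailchimp_key( $key ) ) {
        return null;
    }
    $dc = substr( $key, strrpos( $key, '-' ) + 1 );
    return 'https://' . $dc . '.api.mailchimp.com/3.0/';
}
```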

Recommended Action

Users of both contact forms are recommended to update to the latest versions of each contact form plugin. The Fluent Forms contact form is currently at version 5.2.0. The latest version of Ninja Forms plugin is 3.8.14.

Read the NVD Advisory for Ninja Forms Contact Form plugin: CVE-2024-7354

Read the NVD advisory for the Fluent Forms contact form: CVE-2024

Read the Wordfence advisory on Fluent Forms contact form:
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 – Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification


WordPress Insiders Discuss WordPress Stagnation

A recent webinar featuring WordPress executives from Automattic and Elementor, along with developers and Joost de Valk, discussed the stagnation in WordPress growth, exploring the causes and potential solutions.

Stagnation Was The Webinar Topic

The webinar, “Is WordPress’ Market share Declining? And What Should Product Businesses Do About it?” was a frank discussion about what can be done to increase the market share of new users that are choosing a web publishing platform.

Yet something that came up is that there are some areas in which WordPress is doing exceptionally well, so it’s not all doom and gloom. As will be seen later on, the fact that the WordPress core isn’t progressing in terms of specific technological adoption isn’t necessarily a sign that WordPress is falling behind; it’s actually a feature.

Yet there is a stagnation as mentioned at the 17:07 minute mark:

“…Basically you’re saying it’s not necessarily declining, but it’s not increasing and the energy is lagging.”

The response to the above statement acknowledged that while there are areas of growth like in the education and government sectors, the rest was “up for grabs.”

Joost de Valk spoke directly, unambiguously acknowledging the stagnation at the 18:09 minute mark:

“I agree with Noel. I think it’s stagnant.”

That said, Joost also saw opportunities in ecommerce, given the performance of WooCommerce. WooCommerce, by the way, outperformed WordPress as a whole with a 6.80% year over year growth rate, so there’s good reason that Joost was optimistic about the ecommerce sector.

A general sense that WordPress was entering a stall, however, was not in dispute, as shown in remarks at the 31:45 minute mark:

“… the WordPress product market share is not decreasing, but it is stagnating…”

Facing Reality Is Productive

Humans have two ways to deal with a problem:

  1. Acknowledge the problem and seek solutions
  2. Pretend it’s not there and proceed as if everything is okay

WordPress is a publishing platform that’s loved around the world and has literally created countless jobs and careers, powered online commerce, and helped establish new industries developing applications that extend WordPress.

Many people have a stake in WordPress’ continued survival, so any talk about WordPress entering a stall and descent phase, like an airplane that has reached its maximum altitude, is frightening, and some people would prefer to shout it down to make it go away.

But facts cannot be brushed aside, and facing them is what this webinar tried to do. Everyone in the discussion has a stake in the continued growth of WordPress, and their goal was not to malign WordPress but to discuss the current situation, identify what it is, and try to reach an understanding of ways to solve the problem.

The live webinar featured:

  • Miriam Schwab, Elementor’s Head of WP Relations
  • Rich Tabor, Automattic Product Manager
  • Joost de Valk, founder of Yoast SEO
  • Co-hosts Matt Cromwell and Amber Hinds, both members of the WordPress developer community, moderated the discussion.

WordPress Market Share Stagnation

The webinar acknowledged that WordPress market share, the percentage of websites online that use WordPress, was stagnating. Stagnation is a state in which something is neither moving forward nor backwards; it is simply stuck at an in-between point. That’s what was openly acknowledged, and the main point of the discussion was understanding the reasons why and what could be done about it.

Statistics gathered by the HTTPArchive and published on Joost de Valk’s blog show that WordPress experienced year over year growth of 1.85%, with its market share growing and contracting over the course of the year. For example, over the latest month-over-month period the market share changed by -0.28%.

Crowing about the WordPress 1.85% growth rate as evidence that everything is fine is to ignore that a large percentage of new businesses and websites coming online are increasingly going to other platforms, with year over year growth rates of other platforms outpacing the rate of growth of WordPress.

Out of the top 10 Content Management Systems, only six experienced year over year (YoY) growth.

CMS YoY Growth

  1. Webflow: 25.00%
  2. Shopify: 15.61%
  3. Wix: 10.71%
  4. Squarespace: 9.04%
  5. Duda: 8.89%
  6. WordPress: 1.85%

Why Stagnation Is A Problem

An important point made in the webinar is that stagnation can have a negative trickle-down effect on the business ecosystem by reducing growth opportunities and customer acquisition. If fewer of the new businesses coming online opt for WordPress, those are clients that will never come looking for a theme, plugin, development or SEO service.

It was noted at the 4:18 minute mark by Joost de Valk:

“…when you’re investing and when you’re building a product in the WordPress space, the market share or whether WordPress is growing or not has a deep impact on how easy it is to well to get people to, to buy the software that you want to sell them.”

Perception Of Innovation

One of the potential reasons for the struggle to achieve significant growth is the perception of a lack of innovation. It was pointed out at the 16:51 minute mark that there’s still no integration with popular technologies like Next JS, an open-source web development platform that is optimized for fast rollout of scalable and search-friendly websites.

It was observed at the 16:51 minute mark:

“…and still today we have no integration with next JS or anything like that…”

Someone else agreed but also expressed, at the 41:52 minute mark, that the lack of innovation in the WordPress core can also be seen as a deliberate effort to make WordPress extensible, so that if users find a gap a developer can step in and write a plugin that makes WordPress whatever users and developers want it to be.

“It’s not trying to be everything for everyone because it’s extensible. So if WordPress has a… let’s say a weakness for a particular segment or could be doing better in some way. Then you can come along and develop a plug in for it and that is one of the beautiful things about WordPress.”

Is Improved Marketing A Solution?

One of the things identified as an area of improvement is marketing. They didn’t say it would solve all problems. It was simply noted that competitors are actively advertising and promoting, while WordPress by comparison is not really proactively there. To extend that idea (which wasn’t expressed in the webinar), consider that if WordPress isn’t out there putting out a positive marketing message, then the only thing consumers might be exposed to is the daily news of another vulnerability.

Someone commented at the 16:21 minute mark:

“I’m missing the excitement of WordPress and I’m not feeling that in the market. …I think a lot of that is around the product marketing and how we repackage WordPress for certain verticals because this one-size-fits-all means that in every single vertical we’re being displaced by campaigns that have paid or, you know, have received a certain amount of funding and can go after us, right?”

This idea of marketing being a shortcoming of WordPress was raised earlier in the webinar, at the 18:27 minute mark, where it was acknowledged that growth was in some respects driven by the WordPress ecosystem, with associated products like Elementor driving the adoption of WordPress by new businesses.

They said:

“…the only logical conclusion is that the fact that marketing of WordPress itself has actually always been a pain point, is now starting to actually hurt us.”

Future Of WordPress

This webinar is important because it features the voices of people who are actively involved at every level of WordPress, from development, marketing, accessibility, WordPress security, to plugin development. These are insiders with a deep interest in the continued evolution of WordPress as a viable platform for getting online.

The fact that they’re talking about the stagnation of WordPress should be of concern to everybody, and the fact that they are talking about solutions shows that the WordPress community is not in denial but is directly confronting the situation, which is how a thriving ecosystem should respond.

Watch the webinar:

Is WordPress’ Market share Declining? And What Should Product Businesses Do About it?

Featured Image by Shutterstock/Krakenimages.com

Vulnerabilities in Two ThemeForest WordPress Themes, 500k+ Sold via @sejournal, @martinibuster

A vulnerability advisory was issued about two WordPress themes found on ThemeForest that could allow a hacker to delete arbitrary files and inject malicious scripts into a website.

Two WordPress Themes Sold On ThemeForest

The two WordPress themes with vulnerabilities are sold on ThemeForest and together they have over a half million sales.

The two themes are:

  • Betheme theme for WordPress (306,362 sales)
  • The Enfold – Responsive Multi-Purpose Theme for WordPress (260,607 sales)

Betheme Theme for WordPress Vulnerability

Wordfence issued an advisory that the Betheme theme contained a PHP Object Injection vulnerability that was rated as a high threat.

Wordfence was discreet in their description of the vulnerability and offered no details of the specific flaw. However, in the context of a WordPress theme, a PHP Object Injection vulnerability usually arises when user-supplied input is deserialized without first being validated or sanitized.

This is how Wordfence described it:

“The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the ‘mfn-page-items’ post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin.

If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”
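To make the mechanism in that description concrete, here is an added example that is not Betheme’s code and not anything Wordfence published: a stand-alone PHP script with a theme-style loader that calls unserialize() on a post meta string, a harmless stand-in for the kind of gadget class a POP chain needs, and two hardened loaders plus a write-side check. The class name LogWriter, the mfn_* function names and the sample meta strings are all constructed for this illustration.

```php
<?php
// Added example: why unserialize() on an attacker-controlled post meta value is
// dangerous, and two hardened alternatives. Stand-alone PHP (>= 7.4); no WordPress needed.
// LogWriter, the mfn_* functions and the sample meta strings are constructed here.

// Stand-in for a gadget class that some *other* plugin on the site might define.
// The vulnerable theme does not need to know about it: unserialize() instantiates
// any class named in the string, and PHP runs its magic methods automatically.
class LogWriter
{
    public string $path = '';
    public string $line = '';

    public function __destruct()
    {
        // Runs as soon as the object is discarded, i.e. right after unserialize().
        // A real gadget would write, delete or include files here; this one only echoes.
        echo "[side effect] LogWriter would write '{$this->line}' to {$this->path}\n";
    }
}

// Constructed sample: what the theme expects in the meta value (a plain array) ...
$expectedMeta = serialize([['type' => 'column', 'width' => 12]]);
// ... and a constructed value naming a class instead of an array. Whoever can save
// the post meta controls this string, and the vulnerable loader never checks it.
$objectMeta = 'O:9:"LogWriter":2:{s:4:"path";s:10:"/tmp/x.log";s:4:"line";s:4:"demo";}';

// VULNERABLE pattern: trust whatever is stored under the meta key.
function mfn_load_items_vulnerable(string $meta)
{
    return unserialize($meta); // builds a LogWriter; __destruct fires when it is dropped
}

// HARDENED 1: refuse to build objects at all (PHP >= 7.0). Any class in the payload
// becomes __PHP_Incomplete_Class, whose magic methods never run, and the type check
// then rejects it because page items must be an array.
function mfn_load_items_hardened(string $meta): array
{
    $value = @unserialize($meta, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// HARDENED 2: do not use PHP serialization for untrusted data at all. JSON has no
// object instantiation, so there is no gadget to reach; validate the shape after decoding.
function mfn_load_items_json(string $meta): array
{
    $value = json_decode($meta, true, 16);
    return is_array($value) ? $value : [];
}

// Write-side guard: reject serialized objects before they reach the database. Matches the
// O:<len>:" and C:<len>:" tokens that open an object in PHP's format. It is coarse (a string
// value that happens to contain such a token also matches), so it complements, not
// replaces, the read-side fix above.
function mfn_contains_serialized_object(string $meta): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $meta);
}

// Demo run
echo "vulnerable loader, expected input: ", count(mfn_load_items_vulnerable($expectedMeta)), " item(s)\n";
echo "vulnerable loader, object input:\n";
$obj = mfn_load_items_vulnerable($objectMeta);
echo "  built an instance of ", get_class($obj), "\n";
unset($obj); // the gadget's __destruct runs here
echo "hardened loader, object input: ", count(mfn_load_items_hardened($objectMeta)), " item(s)\n";
echo "json loader, object input: ", count(mfn_load_items_json($objectMeta)), " item(s)\n";
echo "guard flags object input: ", var_export(mfn_contains_serialized_object($objectMeta), true), "\n";
echo "guard flags expected input: ", var_export(mfn_contains_serialized_object($expectedMeta), true), "\n";
```

Run it with the PHP CLI. The point of the allowed_classes option is that the gadget class is never instantiated, so it no longer matters which other plugins or themes happen to be installed on the site; that is the fix a theme can ship regardless of which POP chains exist elsewhere in the install.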

Has Betheme Theme Been Patched?

Betheme Theme for WordPress received a patch on August 30, 2024, but Wordfence’s advisory does not acknowledge it. It’s possible that the advisory simply needs to be updated. Nevertheless, it’s recommended that users of the Betheme theme consider updating to the newest version, which is Version 27.5.7.1.

The Enfold – Responsive Multi-Purpose Theme for WordPress

The Enfold Responsive Multi-Purpose WordPress theme contains a different flaw and was given a lower severity rating of 6.4. However, the publisher of the theme has not issued a fix for the vulnerability.

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the theme, originating in a failure to sanitize inputs and escape output.

Wordfence describes the vulnerability:

“The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
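The following is an added example, not Enfold’s code, showing the pattern that description outlines beside its hardened form: a render function that interpolates ‘wrapper_class’ and ‘class’ values into HTML unescaped, and one that sanitizes the values to class tokens and escapes them on output. That the two parameters are shortcode attributes, the av_* function names, the constructed stored value, and the simplified stand-ins for WordPress’s esc_attr() and sanitize_html_class() are all assumptions made for this illustration.

```php
<?php
// Added example: the Stored XSS pattern described above, beside a hardened version.
// Stand-alone PHP (>= 7.4); NOT Enfold's code. Treating 'wrapper_class' and 'class' as
// shortcode attributes and every av_* name below are assumptions for this illustration.

// Minimal stand-ins for two WordPress core helpers so the script runs without WordPress.
// The real ones live in wp-includes/formatting.php; the behaviour here is simplified.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class(string $class): string
    {
        return preg_replace('/[^A-Za-z0-9_-]/', '', $class) ?? '';
    }
}

// VULNERABLE: attribute values are interpolated into HTML unescaped. A double quote in
// the stored value closes the class attribute, and whatever follows becomes new markup
// that the browser parses and executes for every visitor of the page.
function av_render_vulnerable(array $atts): string
{
    $atts = array_merge(['wrapper_class' => '', 'class' => ''], $atts);
    return '<div class="av-wrapper ' . $atts['wrapper_class'] . '">'
         . '<div class="av-inner ' . $atts['class'] . '"></div></div>';
}

// Reduce a free-form value to a space-separated list of valid class tokens.
function av_sanitize_class_list(string $classes): string
{
    $tokens = preg_split('/\s+/', trim($classes)) ?: [];
    $clean  = array_filter(array_map('sanitize_html_class', $tokens), 'strlen');
    return implode(' ', $clean);
}

// HARDENED: sanitize on input (only class-safe characters survive) AND escape on output
// (defence in depth, in case a later change passes an unsanitized value through).
function av_render_hardened(array $atts): string
{
    $atts    = array_merge(['wrapper_class' => '', 'class' => ''], $atts);
    $wrapper = av_sanitize_class_list((string) $atts['wrapper_class']);
    $inner   = av_sanitize_class_list((string) $atts['class']);
    return '<div class="av-wrapper ' . esc_attr($wrapper) . '">'
         . '<div class="av-inner ' . esc_attr($inner) . '"></div></div>';
}

// Constructed sample: attribute values as a low-privilege author might have stored them.
$stored = [
    'wrapper_class' => 'box" autofocus onfocus="alert(1)',
    'class'         => 'narrow',
];

echo "vulnerable render:\n  ", av_render_vulnerable($stored), "\n";
echo "hardened render:\n  ", av_render_hardened($stored), "\n";
echo "output escaping alone:\n  ", esc_attr($stored['wrapper_class']), "\n";
```

Running it shows the difference: the vulnerable render emits the stored quote character verbatim, so the class attribute ends early and the rest of the value lands in the tag as attributes of its own; the hardened render emits only letters, digits, hyphens and underscores inside a properly quoted attribute; and escaping alone, the third line, also keeps the value inside the attribute, which is why output escaping is the minimum fix even when input sanitization is missing.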

Enfold Vulnerability Has Not Been Patched

The Enfold – Responsive Multi-Purpose Theme for WordPress has not been patched as of this writing and remains vulnerable. The changelog documenting the updates to the theme shows that it was last updated on August 19, 2024.

Screenshot Of Enfold WordPress Theme’s Changelog


Wordfence’s advisory warned:

“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”

Read the advisories:

Betheme <= 27.5.6 – Authenticated (Contributor+) PHP Object Injection

Enfold <= 6.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters