On Tue, 20 Jan 2026 19:26:57 +0000 Moritz Mühlenhoff <[email protected]> wrote:
> But on a more general level, please let's avoid posting WordPress
> plugin vulnerabilities on oss-sec.
>
> Looking at the Debian Security Tracker there have been 9773 CVE
> IDs on WordPress plugins in 2025, they are not packaged in any Linux
> distribution and posting a few individual ones really misses the
> "There has to be desirable information for others in the Open Source
> community" aspect of the list charter.

Erh... I disagree.

* My understanding of the oss-security list is that it is about the
  wider Open Source ecosystem, not limited to "stuff packaged in Linux
  distributions".

* WordPress plugin security is certainly part of Open Source security,
  and, IMHO, a relevant topic and completely on-topic on this list.

* We currently do not have a problem with a flood of WordPress plugin
  security issues posted to this list. If that would be a problem, we
  could deal with it by having a separate list for it, but until then,
  I think it's completely fine to have such posts every now and then.

* My experience with WordPress plugin issues is that, unfortunately,
  often the public information available is quite limited. I appreciate
  when security researchers share information about such
  vulnerabilities, and, from a brief read, the original mail of this
  thread looks like a good description of a valid security
  vulnerability.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
