On Wed, Jan 21, 2026 at 6:42 AM Hanno Böck <[email protected]> wrote:
> On Tue, 20 Jan 2026 19:26:57 +0000
> Moritz Mühlenhoff <[email protected]> wrote:
>
> > But on a more general level, please let's avoid posting WordPress
> > plugin vulnerabilities on oss-sec.
> >
> > Looking at the Debian Security Tracker there have been 9773 CVE
> > IDs on WordPress plugins in 2025, they are not packaged in any Linux
> > distribution and posting a few individual ones really misses the
> > "There has to be desirable information for others in the Open Source
> > community" aspect of the list charter.
>
>
> Erh... I disagree.
>
> * My understanding of the oss-security list is that it is about the
>   wider Open Source ecosystem, not limited to "stuff packaged in Linux
>   distributions".
>
> * Wordpress plugin security is certainly part of Open Source security,
>   and, IMHO, a relevant topic and completely on-topic on this list.
>
> * We currently do not have a problem with a flood of Wordpress plugin
>   security issues posted to this list. If that would be a problem, we
>   could deal with it by having a separate list for it, but until then,
>   I think it's completely fine to have such posts every now and then.
>
> * My experience with Wordpress plugin issues is that, unfortunately,
>   often the public information available is quite limited. I appreciate
>   when security researchers share information about such
>   vulnerabilities, and, from a brief read, the original mail of this
>   thread looks like a good description of a valid security
>   vulnerability.
>
> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/

I agree with Hanno. WordPress is quite a bit of the Internet
<https://w3techs.com/technologies/overview/content_management>, and
plugins are almost universally open source (or at least, should be, as
WordPress is GPL), so it's on-topic.

That said, I do agree that a disclosure timeline without dates is
useless. That's my only critique for Mohammed's initial email.

Thanks for sharing.
