Call a Vulnerability a Vulnerability
Roger Montti, reporting for SEJ, looks at an Authenticated Stored XSS vulnerability in the WPBakery Page Builder plugin. The vulnerability was discovered by Wordfence and fixed in a recent update through their collaboration with WPBakery. 🍰
Vulnerabilities happen — all the time, and in major plugins. Having them discovered by the good guys and handled this well is how open source is supposed to work — the code and the community. So I think in this case the story is being a little overblown, and the real issue is what Roger notes at the end of his article:
Unfortunately, WPBakery’s changelog does not reflect the urgency of the update because it does not explicitly say that it is patching a vulnerability. The changelog refers to the vulnerability patches as improvements.
Don’t hide security and bug fixes in your changelogs, and be responsible by letting your customers know about the problem — and the solution. 🔒