ankleturtle
More context:

"Due to recent events in the WordPress ecosystem, WP Engine employees have been blocked from accessing WordPress.org. This means the ACF team is unable to deploy updates to the free version of ACF hosted on WordPress.org and users running this plugin on their sites were removed from the ability to automatically update to newer versions."[0]

Matt really meant it when he said he was going nuclear.

0. https://www.advancedcustomfields.com/blog/installing-and-upg...

demetris
For those who can’t see the tweet:

“Automattic has responsibly disclosed a vulnerability in ACF but breached the @Intigriti Code of Conduct by irresponsibly announcing it publicly. I am going to work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.”

The tweet author is @johnbillion who, among other things, is a member of the WordPress core team and lead of the WordPress core security team.

Context for the “I am going to work my damned hardest...”: WP Engine, who own ACF (Advanced Custom Fields), are currently blocked from the official plugin repo so, I would imagine, they would not be able to push the update on their own.

ChocolateGod
This feels like further beef in the whole Automattic vs WP Engine drama.

Except this incident potentially puts people's data at risk. I hope WP Engine forks WordPress and people swap to the fork; Automattic no longer can be trusted.

mthoms
Original tweet (since deleted): https://imgur.com/a/OIB65Ro

I've always been of the understanding that "responsible" disclosure by definition means only disclosing to the vendor. Shouting on Twitter that "plugin X has a security vulnerability!" before giving the vendor time to address it is hardly responsible.

Quite the opposite in fact.

immibis
Context if you already know Automattic's recent actions: ACF is the most popular WordPress plugin, created and maintained by WP Engine.