@Marialena.S here we are debating if ClassicPress as an entity should deactivate vulnerable plugins on CP sites or just warn the user to take action.
There are legal issues with having the access level needed from ClassicPress as a CMS project to be able to deactivate a plugin on a user’s site. Also doing so can result in a broken site due to CP organization and the whole entity could be sued legally for this.
In my opinion we, as an open source project, shouldn’t be allowed to access users’ sites to perform such action of deactivation, but problem remains: is warning them enough? Many users see notices when site is already broken from the vulnerability. We need a way to indicate a plugin is unsafe obliging people to secure their sites.
2 Likes