
WordPress plugin quirk resulted in UK Gov OBR Budget leak [pdf]

https://obr.uk/docs/dlm_uploads/01122025-Investigation-into-November-2025-EFO-publication-error.pdf
36•robtaylor•44m ago

Comments

kingkool68•34m ago
What was the quirk?
cstuder•31m ago
> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.

WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)

withinboredom•23m ago
The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free rein to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
kassner•14m ago
TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it's run by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being "fine"; they re-reviewed the plugin with the same rigor as a new submission.
devnull3•23m ago
> which provided a link to the live version

Even if that is the case, the backend must validate.

whycome•14m ago
My favorite current plugin woe is where it completely changes what it does but keeps the same name and it's all a part of its 'update'
chippiewill•11m ago
> WordPress is a nice piece of software, but the plugin situation is getting worse and worse

The plugin situation is a mess largely because WordPress isn't a nice piece of software.

It's popular, and functionally it's great, but the codebase is really showing its age. WordPress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.

kstrauser•8m ago
To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
merrvk•27m ago
Why are government organisations which handle sensitive information using Wordpress?
jamesbelchamber•23m ago
There's not anything obviously wrong with using WordPress for publishing documents like this - they are meant to be public after all.

The problem was essentially that, through a misconfiguration, they published it early.

glenjamin•22m ago
There are a couple of passing mentions of Download Monitor, but the timeline also strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded.

I'm not clear from the doc which of these scenarios is what they're calling the "leak"

shawabawa3•7m ago
> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded

A bunch of people were scraping commonly used URLs based on previous OBR reports, in order to report as soon as it was live, as is common with all things of this kind.

The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a public was bypassing that and aliasing the "clear" URL to the obfuscated one.

longwave•6m ago
It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
dazc•3m ago
https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl... 5.pdf

Not hard to guess really. Wouldn't they know this was likely and simply choose a less obvious file name?

jamesbelchamber•17m ago
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.

This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo

hdgvhicv•3m ago
In the popular press it’s been sidelined because it would distract from the continuous attacks on the chancellor
M2Ys4U•9m ago
>During that period, it was accessed 43 times by 32 unique IP addresses

I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.

jamesbelchamber•4m ago
Possibly copies of the document rather than the original URL?
logicchains•3m ago
Maybe it was cached somewhere and most people were hitting the cache?
m4tthumphrey•3m ago
Either that number was wrong like you say OR (and I am unfamiliar with Bluesky) the URL is loaded via Bluesky's browser (like X) and therefore Bluesky's own server IP was used (instead of the user's).
fabian2k•2m ago
> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access

That's the main flaw. WordPress was configured to allow direct access to files, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similarly. And this is a giant footgun: the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
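Two threads above come together in practice: the scrapers guessing the clear URL from earlier reports' filenames (shawabawa3, dazc) and the missing server-level rule that the report quotes (fabian2k). The script below is an added example, not code from the OBR report, Download Monitor or WordPress. It assumes nginx in front of WordPress, takes the storage path `/docs/dlm_uploads/` from the URL in the thread, and assumes that the public gets files through the application's own download endpoint rather than the storage directory; the probe list, the server name and the helper names are all hypothetical. It writes the deny rule, then gives a pre-publication check that fetches each guessable storage URL and fails if any of them returns 200 rather than 403/404.

```shell
#!/usr/bin/env bash
# Added example (not from the OBR report, Download Monitor or WordPress).
# Assumptions not in the thread: nginx fronts WordPress, the storage
# directory is /docs/dlm_uploads/ (path taken from the URL in the thread),
# and files reach the public only through the application's own endpoint.
set -euo pipefail

# Server-level mitigation: refuse direct fetches of anything under the
# storage directory, so the only way to a file is the application's gated
# handler. Write this as an nginx snippet included from the site config.
write_deny_rule() {
  local out="$1"
  cat >"$out" <<'EOF'
# Deny direct access to the download storage directory. Without this rule,
# anyone who guesses the filename gets the file, whatever its WordPress
# publication status says.
location ^~ /docs/dlm_uploads/ {
    return 403;
}
EOF
}

# Classify an HTTP status for a pre-publication probe of a storage URL.
# 403/404: the server refused, or nothing is there yet. Good.
# 200: the embargoed file is world-readable. Fail loudly.
verdict() {
  case "$1" in
    403|404) echo "blocked" ;;
    200)     echo "EXPOSED" ;;
    *)       echo "unexpected" ;;
  esac
}

# Probe candidate URLs built the way scrapers build them (the naming
# pattern of previous reports) and return non-zero if any is fetchable.
# Usage: probe_storage https://obr.example.invalid /docs/dlm_uploads/X.pdf ...
probe_storage() {
  local base="$1"; shift
  local rc=0 path status v
  for path in "$@"; do
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base$path")
    v=$(verdict "$status")
    printf '%s %s %s\n' "$status" "$v" "$base$path"
    [ "$v" = "blocked" ] || rc=1
  done
  return $rc
}
```

Run `probe_storage` against the candidate names for the next release before the embargo lifts, from outside the network, with no cookies; a single 200 means the storage directory is serving files regardless of what WordPress thinks is published. Note that 404 is only "blocked" because the file is not there yet: the deny rule is what keeps it 403 once the PDF is uploaded.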