WordPress plugin quirk resulted in UK Gov OBR Budget leak [pdf]

https://obr.uk/docs/dlm_uploads/01122025-Investigation-into-November-2025-EFO-publication-error.pdf
40•robtaylor•49m ago•24 comments

Comments

kingkool68•39m ago
What was the quirk?
cstuder•36m ago
> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.

WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)

withinboredom•28m ago
The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free rein to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
kassner•19m ago
TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it's run by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being "fine"; they re-reviewed the plugin with the same rigor as a new submission.
devnull3•28m ago
> which provided a link to the live version

Even if that is the case, the backend must validate.

whycome•19m ago
My favorite current plugin woe is where it completely changes what it does but keeps the same name and it's all a part of its 'update'
chippiewill•16m ago
> WordPress is a nice piece of software, but the plugin situation is getting worse and worse

The plugin situation is a mess largely because Wordpress isn't a nice piece of software.

It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.

kstrauser•13m ago
To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
merrvk•32m ago
Why are government organisations which handle sensitive information using Wordpress?
jamesbelchamber•28m ago
There's not anything obviously wrong with using WordPress for publishing documents like this - they are meant to be public after all.

The problem was essentially that, through a misconfiguration, they published it early.

glenjamin•27m ago
There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded

I'm not clear from the doc which of these scenarios is what they're calling the "leak"

shawabawa3•12m ago
> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded

A bunch of people were scraping commonly used URLs based on previous OBR reports, in order to report as soon as it was live, as is common with all things of this kind.

The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a plugin was bypassing that and aliasing the "clear" URL to the obfuscated one.

longwave•11m ago
It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
dazc•8m ago
https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl... 5.pdf

Not hard to guess really. Wouldn't they know this was likely and simply choose a less obvious file name?

jamesbelchamber•22m ago
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.

This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo

hdgvhicv•8m ago
In the popular press it’s been sidelined because it would distract from the continuous attacks on the chancellor
M2Ys4U•14m ago
> During that period, it was accessed 43 times by 32 unique IP addresses

I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.

jamesbelchamber•9m ago
Possibly copies of the document rather than the original URL?
logicchains•8m ago
Maybe it was cached somewhere and most people were hitting the cache?
m4tthumphrey•8m ago
Either that number was wrong like you say OR (and I am unfamiliar with Bluesky) the URL is loaded via Bluesky's browser (like X) and therefore Bluesky's own server IP was used (instead of the user's).

Edit: Or (and more likely) cached/copies of the original.

fabian2k•7m ago
> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access

That's the main flaw. WordPress was configured to allow direct access to files, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similarly. And this is a giant footgun: the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
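As an added example (not code from the thread, the OBR report or the Download Monitor plugin), a small Python model of the two request paths the quoted mitigation distinguishes: the plugin's download route, which honours the scheduled publication time, and the web server's static file handler, which serves whatever is on disk unless the upload directory is denied. The route name, file name and date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UPLOAD_DIR = "/docs/dlm_uploads/"   # upload directory visible in the leaked URL
PLUGIN_ROUTE = "/download/efo/"     # constructed download-plugin route (assumption)

@dataclass
class ScheduledFile:
    clear_path: str       # guessable "clear" URL under UPLOAD_DIR
    publish_at: datetime  # WordPress 'future' status: not to be served before this
    content: bytes

def plugin_download(doc: ScheduledFile, now: datetime) -> int:
    """Application route: the embargo check the thread calls 'authentication'."""
    return 200 if now >= doc.publish_at else 403

def static_handler(path: str, disk: dict, deny_prefixes: tuple) -> int:
    """Web-server static file serving. With an empty deny list anything on disk
    is served to whoever guesses the path (the second configuration error in the
    report). Denying the upload directory is the server-level mitigation."""
    if path.startswith(deny_prefixes):   # str.startswith accepts a tuple
        return 403
    return 200 if path in disk else 404

def request(path: str, doc: ScheduledFile, now: datetime,
            disk: dict, deny_prefixes: tuple = ()) -> int:
    """Router: the plugin route goes through the embargo check; every other path
    is handed to the static handler, so the application never sees it."""
    if path == PLUGIN_ROUTE:
        return plugin_download(doc, now)
    return static_handler(path, disk, deny_prefixes)

def embargo_holds(doc: ScheduledFile, disk: dict, deny_prefixes: tuple) -> bool:
    """Pre-publication check a site owner can run: one minute before publish
    time, neither the plugin route nor the clear URL may return 200."""
    before = doc.publish_at - timedelta(minutes=1)
    return all(request(p, doc, before, disk, deny_prefixes) != 200
               for p in (PLUGIN_ROUTE, doc.clear_path))

# Constructed sample: a PDF pre-uploaded for a scheduled release.
EFO = ScheduledFile(UPLOAD_DIR + "EFO_November_2025.pdf",
                    datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc), b"%PDF")
DISK = {EFO.clear_path: EFO.content}

if __name__ == "__main__":
    print("misconfigured:", embargo_holds(EFO, DISK, ()))            # False
    print("fixed:        ", embargo_holds(EFO, DISK, (UPLOAD_DIR,)))  # True
```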

londons_explore•4m ago
> It is the worst failure in the 15-year history of the OBR

I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...

Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...

afavour•2m ago
It's still a failure in principle. The effects of this particular failure were minimal but it was still an accidental leak of (at the time) private information. They just got lucky.