To me this is indistinguishable from an account takeover attack executed by an insider. I doubt any prosecutor would be interested, but to my eyes WordPress.org has violated the CFAA by accessing WordPress instances outside the bounds of their authorization. They were authorized to modify WordPress instances in ways ACF prescribed, not in ways of their own choosing.
I'm not saying I'd like to see Mullenweg in chains, I wouldn't. But WP.org's escalating legal exposure is really concerning. I feel like we're at risk of losing a cornerstone of the web. People are talking about a different open source CMS eating their lunch, but I think the more likely scenario is that people move to Square Space, Wix, Facebook, et cetera, and open source content management becomes niche.
replies(3):