WordPress plugin configuration error caused UK budget leak at the OBR
According to a new report, an incorrectly configured WordPress extension resulted in the early release of last week’s UK autumn budget, prompting the resignation of Richard Hughes, the head of the OBR and chief overseer of UK government expenditure.
The OBR said it has become clear that two mutually contributory configuration errors were made in the OBR’s use of pre-publication features. One is the configuration of WordPress. A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication.
This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the preuploaded document. The creation of a URL in the clear is a feature of the plug-in which requires specific mitigation if it is not to lead to the document unintentionally being visible before publication.
This was obviously not understood within the OBR’s online publishing function so the Download Monitor plug-in should not have been used in this way without that understanding.
The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access.
In short, the technical causes of the premature access were two mutually contributory configuration errors, one in the configuration and use of Download Monitor, a third-party WordPress plug-in, and one in the configuration of WordPress and the underlying server.
A straightforward solution would be to move the OBR’s online publication systems to the government’s independent subdomain, where the government provides the digital architecture but the independent body publishes what it wants, when it wants.
This is the approach taken by many other independent bodies. There may be other publication shelters
with greater resources than the OBR in the public sector and the OBR may also want to consider an interim route of publication of the Spring 2026 EFO via the Treasury, notwithstanding the core requirement for real and perceived independence of OBR publications.
The OBR does not have an ‘IT department’; responsibility is carried by a very few individuals with many other tasks to fulfil.
The above is some of the recommendations and comments in the report, you can read the report in full here – https://obr.uk/docs/dlm_uploads/01122025-Investigation-into-November-2025-EFO-publication-error.pdf

Blogger at www.systemtek.co.uk
