One of the things we do to keep track of what vulnerabilities are out there in WordPress plugins, so that we can provide our customers the best data, is to monitor the WordPress forums for postings related to them. One thing that has lead us to notice is that the quality of postings isn’t always great, take for example a claim of a vulnerability in the plugin Advanced Custom Fields. That claim lead to three separate posts in a matter of a week all mentioning the same issue, instead of those people just adding to the existing post (that isn’t an uncommon occurrence).

In this case the claimed vulnerability is something that we don’t consider a vulnerability. The claimed issue is that the plugin allows cross-site scripting (XSS), but since the only people that would be able to access the functionality needed to do it are Editor and Administrator level users that would normally have the unfiltered_html capability, they are specifically given the ability to use the equivalent of cross-site scripting (XSS) already. It would probably be more accurate to describe the issue as a bug. The people running the Plugin Directory agreed with us that it wasn’t a vulnerability.

It was perfectly reasonable for the posters to have brought this up since your average WordPress user isn’t going to have the expertise to review the report as we can (and had already done when it was released in the beginning of May). What seems to be more of an issue is that others that should be better informed would be passing this claim along without doing the proper checking. One of those was the web host Pantheon, which had notified one of their customers and then the customer had then been one of the posters.

On the homepage of Pantheon’s website they claim to have Enterprise-Grade Security

and they state that they have a

Relentless, around the clock commitment to website security

So it isn’t too much to think they could handle reviewing such a report before passing it along to their customers.

Instead they look to have outsourced doing that to the WPSCan Vulnerability Database.

From the post:

They link to this website: https://wpvulndb.com/vulnerabilities/8481

With a little more checking we found that as part of their WordPress Launch Check tool they take data from the WPScan Vulnerability Database to warn about plugin vulnerabilities. The problem with doing that is that data source is known to not always contain the most accurate information, due to a lack of verification.

Just this week we looked at a completely false report of a vulnerability, which they include in their data. And a couple weeks before that we noticed another false report that they listed and listed as being fixed, but also being a potential false positive that “Needs further investigation.”. How they can know it was fixed, but not be sure if it actually existed in the first place is odd.

It isn’t just including false report of vulnerabilities, they also list vulnerabilities as being fixed in a certain version when the vulnerability has yet to be fixed.

If Pantheon wants to continue to use that data they really should be manually reviewing it before passing it along to customer or at least warn them that is isn’t necessarily accurate.

In the meantime if you are looking for higher quality Plugin vulnerability data, you can always sign up for our service. We verify each vulnerability we add to our data set, so you don’t run into those issues and we help to make sure that outstanding vulnerabilities actually get fixed instead of listing them as being fixed when they are not.