While there are many problems when it comes to website security, unfortunately we often find that security companies still feel the need to embellish minor security issues to make them into much more than they are. This makes it harder to properly address security issues because the public doesn’t have the proper perspective on the threats out there. It also leads to overhyped news articles, since many security journalists simply repeat the claims of security companies without doing any verification.
To show that at work, let’s look at something from a recent post from Wordfence. They disclosed that the plugin Caldera Forms had a vulnerability that allowed “an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.” No details were provided as to what an attacker would need in order to do that, which is really important. If they had been, it would be clear that this isn’t a threat for most websites using the plugin.
That is due to the fact that the vulnerability was only accessible with a WordPress account on the website. Since most WordPress websites are run by one person or only by trusted people, the chance of one of them trying to exploit the vulnerability is minimal. It only really comes into play if you have open user registration (this is a good reason not to enable that if you don’t actually need it) or you have untrusted users with accounts. Due to the nature of the vulnerability, the people at Wordfence absolutely knew that it required an account, but they excluded that information when they went public with this.