One of the important things we do when collecting vulnerability data on WordPress plugins for our customers is to test out each vulnerability. That allows our customers to know which versions of a plugin are vulnerable, which can be rather important when dealing with a hacked website, since it could be that the outdated version in use is not actually vulnerable because the vulnerability only existed in newer versions (a vulnerability can exist in as little as a single version). It also allows us to identify when vulnerabilities have not actually been fixed; other similar services don’t do the same, so you are left thinking you are protected against a vulnerability when you are still vulnerable. It also means that we don’t include false reports of vulnerabilities in our data set.
From dealing with plenty of hacked WordPress websites over the years we know the pain of digging through the vulnerability reports out there to try to identify the source of a hack when the logging needed to most accurately identify the source is not available. Sometimes it is rather obvious that a vulnerability report you are looking at is false; other times it isn’t easy. While looking at a report of a serious vulnerability in the WP-DownloadManager plugin the other day, we noticed that a website that aggregates vulnerability reports, the 0day.today Inj3ct0r Exploit Database, is falsely labeling false reports of vulnerabilities as being verified to work.
In the case of that report we found that it was entirely false. The claim was that the plugin had an arbitrary file upload vulnerability, but in reality the plugin was properly restricting its intended file upload functionality to Administrator level users, who would normally already have a capability equivalent to an arbitrary file upload.
While posting a comment on it to let people know that it was in fact a false report, we noticed that there was a message stating that it had been “Verified by 0day Admin”. Hovering over that message brought up another message that says “This material is checked by Administration and absolutely workable.”
That obviously isn’t correct, but it could have been a mistake by someone who wasn’t too familiar with how WordPress works. We then went and looked at a previous false report of a vulnerability, on which we had left a comment on the website to let people know it was false, and found that it was also listed as being verified. As we discussed in our post about that report being false, in that case it was quite obvious that it was faked, so there isn’t any excuse for listing it as being verified.
It isn’t clear if they simply list everything as being verified or if they simply don’t do anywhere near the level of testing necessary to properly verify a report.
If you are looking for vulnerability data on WordPress plugins that has actually been verified, you can sign up for our service. If you have a hacked website, we currently offer a free lifetime subscription to the service when we do the hack cleanup for you.