29 Aug

False Reports of Vulnerabilities In Installed Plugins Are Now Listed As Well

When adding a new WordPress plugin vulnerability to the data set for our service, we test out the vulnerability. That allows us to do several important things for our customers, which you won’t get with other data providers, who don’t do that.

First, we can warn you when the vulnerability hasn’t actually been fixed, despite a claim to the contrary in the advisory. Once a vulnerability has been disclosed, the chances of it being exploited increase, so knowing that you are still vulnerable is important in that instance. If you are using a service that doesn’t do this, you would need to check each vulnerability yourself to ensure it has actually been fixed.

Second, we can determine which versions are vulnerable. The biggest use for that is in dealing with hacked websites, since you will actually know whether the version that has been in use was vulnerable and could have been the source of the hack. Other data sources will just list all versions below a certain version as vulnerable, despite the vulnerable range often being far narrower than that. For example, one widely exploited vulnerability earlier this year existed in only one version of the plugin. Doing that also allows us to send you a notification only if you are actually using a version that is vulnerable.

Third, we are able to exclude false reports of vulnerabilities from our data. Warning you about a vulnerability that doesn’t exist obviously isn’t helpful.

While it doesn’t make sense to warn you about vulnerabilities that don’t exist as if they do, knowing that false reports of vulnerabilities exist can be useful. One of the odd things we have noticed in monitoring hacking attempts on our websites is that hackers will sometimes try to exploit vulnerabilities that don’t exist. So if you can see that there is a false report that matches hacking attempts on your website, then you can stop worrying about that.

When we come across a false report of a vulnerability in a plugin, we usually write up a post about the issue. That way we can let others know that it isn’t real, and it also allows us to double check that we are correct in determining that the report is false. Up until now, if you used our service you would have to search our website to see if there were any false reports for the plugins you use, which isn’t all that convenient. That changed today with the release of version 2.0.21 of the companion plugin for the service, which now lists any false reports of vulnerabilities we have posted about in installed plugins, in a section below the existing sections for vulnerabilities that exist or have existed in the plugins you have installed.


If you have ideas for further improvements to the data we present in the plugin or any similar suggestions please get in touch with us.