In reviewing reports of vulnerabilities in WordPress plugins to add to the data set for our service, we have seen that the quality of those reports can be quite bad. From inaccurate data on vulnerabilities, including claims that a vulnerability has been fixed when it hasn’t, to what look to be intentionally fake reports of vulnerabilities, we have seen it. The end result of our reviewing the reports is that we are able to provide our customers with higher quality data, without falsely labeling unfixed vulnerabilities as fixed or including fake vulnerabilities, than the other data sources for plugin vulnerabilities out there, since they don’t actually review the vulnerabilities.
One of the reasons for the low quality reports is that people putting out vulnerability reports are not always concerned with being truthful, and we saw a good example of that yesterday. Over at the 0day.today Inj3ct0r Exploit Database, two vulnerability reports in WordPress plugins were added yesterday, one in the plugin Bliss Gallery and the other in Catpro Gallery. We put out reports about those vulnerabilities back in June (the Bliss Gallery report is here and the Catpro Gallery report is here), so if you were using our service you would have been notified back then if you were using a vulnerable version of either. While it is certainly possible that someone else could have independently spotted these vulnerabilities, in this case the reports are just wholesale copies of content from our posts, without any attempt to hide that. They are not labeled as such though; instead the supposed author is “Thex@b1_Ma”, who lists their “Team” in the reports as the “Islamic State Army”.
They also had a negative comment for “Noobs and Lamer”, despite the fact that they could themselves be described as a lamer for claiming the vulnerabilities we discovered as their own.