26 Sep

Omission of Very Exploitable Vulnerabilities From the WPScan Vulnerability Database Is a Reminder of Its Limitations

If you are looking to be warned about vulnerabilities in the WordPress plugins used on your website there are really only two sources of data available to do that as far as we are aware of. There is the data for our service and the data from the WPScan Vulnerability Database (there are some others out there, but they haven’t been updated in quite some time). While we obviously think highly of our data, we think that for a lot of people that the WPScan data is a good option since it can be accessed for free through several plugins available in the Plugin Directory. That free price though hints at the fact that their data has some important limitations in comparison to the data that is provided when using our service.

Because the vulnerabilities are not actually verified before be included in their data, as we do, that leads to situations where vulnerabilities that don’t actually are exist are included and more problematically leads to vulnerabilities being listed as already being fixed when they still exist in the current version of the plugin. Because we actually test out each vulnerability we are able to catch situation where vulnerabilities have not been fixed and often able to help get those quickly resolved, which limits the impact that false claim that vulnerabilities have been fixed on those relying on WPScan’s data.

Another limitation with their data is that even though it is easier for vulnerabilities to be added to their data since they don’t need to be verified first, we have seen that they are missing a fair amount of recently disclosed vulnerabilities. That can be seen in something we noticed with a set of four vulnerabilities we disclosed a week ago.

Two months ago while looking into the possibility of a vulnerability elsewhere in the code of the plugin N-Media Post Front-end Form we found an arbitrary file upload vulnerability in it. In looking at the other plugins from the same developer we found that there was similar code with the same type of vulnerability in WooCommerce Extra FieldsN-Media Website Contact Form with File Upload, and Front end file upload and manager Plugin. One of those, WooCommerce Extra Fields, was fixed a couple weeks after we notified the developer of the issue, but the other three were not fixed. After waiting two months for them to be fixed we disclosed the vulnerabilities, notified the Plugin Directory of the issue, and they have been removed from that pending a fix (one of those, Front end file upload and manager Plugin, has now been fixed and returned).

Seeing as arbitrary file upload vulnerabilities are probably the most targeted type of vulnerability and we frequently see them being the source of successful hacking attempts, you would want the data source you use to warn you about them. As of today WPScan Vulnerability Database only contains a listing for the vulnerability in N-Media Website Contact Form with File Upload, which was added to their data two days after we disclosed it. We can’t think of a reason why that one would be the only included. One possibility we considered and rule out was that maybe it was the most popular of the plugins, but it only recently had 1,000+ active install according to wordpress.org, while two others had 2,000+ active installs (the final one had only 90+).

Since we discovered the vulnerabilities we have had them in our data since we disclosed them. (We don’t currently include vulnerabilities we have discovered, but not disclosed due to the fact that while it limits our customers knowledge of potential threats against them, it would possible for malicious actors to sign up for the service and use the same data for malicious purposes.)

If you understand the limitations of WPScan Vulnerability Database it can be a good option as the other free option is to not be warned at all. Where things can be more problematic is if a service provider (a web host or security company) is using their data without disclosing the source and not disclosing the limitations inherent in their data.

Their data can sometimes be degraded when used by providers, as we recently found that web security SiteLock appears to be using its data from that and was ignoring some of the data included, leading them to falsely claim that vulnerabilities existed in the WordPress version installed on some websites.

Also, in the case of Shield WordPress Security, they are actually trying to get people to sign up for a paid service on the basis of it checking WPScan’s data, despite the fact that it can be easily access for free through other plugins (incidentally while that plugin is marketed as being the “most powerful” and “most advanced” it has fail to stop exploitation of a vulnerability in a plugin in either of our recent tests of security plugins).