You can get vulnerability data on WordPress plugins from a lot of different sources, but in most cases the underlying data source is the same, the WPScan Vulnerability Database. While we think that is a good data source for a lot of people since you can get access for free, as the old saying goes you get what you pay for. For one thing they don’t actual test out claimed vulnerabilities, so they end up with fake vulnerabilities listed (included ones marked as having been fixed), real vulnerabilities that are not listed being fixed despite that being the case, and the most concerning unfixed vulnerabilities listed as being fixed.

For those looking for that type of protection against plugin vulnerabilities and that can afford our service it will provide you with what we consider to be much better data. For others, they will want to make sure to install our service’s companion plugin, as WPScan’s data is missing many of the vulnerabilities being targeted by hackers that are included in the free data that comes with that (their lack of that data is yet another issue with it).

What we find troubling is that there are products and services that use WPScan’s data without disclosing it is the source or providing any disclaimer as to the reliability of the data. Without those the person relying on the data doesn’t have the chance of understanding that . It also had leads to situations where it appears that multiple companies have found that a plugin contains a vulnerability, when in fact none of them have any idea of that, they simple are passing along WPScan’s data, which wasn’t accurate in those instances.

That brings us to a post on WordPress Support Forum that we ran across recently in our monitoring of that as part of keeping track of what new plugin vulnerabilities are being disclosed. It starts:

I recently bought the PRO version of the popular WP Site Guardian Plugin.
In their plugin Vulnerability section, it detected a problem with the Google XML Sitemaps Plugin.

We hadn’t heard of that plugin and the reference to it being popular seemed a bit odd.

Next they mentioned the details provided about the claimed vulnerability:

It is throwing this error:
Google XML Sitemaps – Authenticated Reflected XSS (via HOST header)

Which redirects to the bottom of this page:
https://plugins.trac.wordpress.org/browser/google-sitemap-generator/trunk/sitemap-ui.php#L1310

It seems quite likely the true source of that that is WPScan’s data as the title matches exactly to what it is in their data “Google XML Sitemaps – Authenticated Reflected XSS (via HOST header)“. The chances that someone else would have come up with that exact title independently are very small. The link in both is the same as well.

It doesn’t look like WP Site Guardian is disclosing their data source and in this case it would be relevant since this doesn’t appear to be a vulnerability. At best the issue looks to be a potential vulnerability. (The person that submitted it WPScan Vulnerability Database contacted us about at the same time they had submitted it to them and we never got a reply as to our question as to whether they had found a way to exploit it (and therefore it was vulnerability).)

In looking into what WP Site Guardian is, things don’t look at exactly on the level.

The website for it lacks any details, just bold claims like this:

WP Site Guardian – Proactive vulnerability Defence for WordPress

Protect against current and previously unknown plugin and theme vulnerabilities with the latest in anti-vulnerability technology.

That sounds impressive, but based on our knowledge of plugin vulnerabilities and our testing of other security plugins that would be difficult to pull off and there is nothing shown to indicate whoever is behind it is actual is doing that. It’s also worth noting that it isn’t clear what a previously unknown vulnerability would refer to, unless it is intentionally malicious code, vulnerabilities would have always been previously unknown otherwise they wouldn’t have existed in the first place.

The rest of the text doesn’t provide any more detail as to what is going on:

WP Site Guardian safe guards your sites by detecting and blocking plugin and theme threats.  Sloppy code on poorly written plugins and themes can leave your site open to threats for hackers looking for any opportunity for entry.

Anyone can make and sell a WordPress plugin, but few people have the skills to code plugins properly and safely.  This means that there are lots of popular products for free or on the market  that on installation will expose your site to hackers.

Even completely new WordPress users know that their security set up should be blocking those gaping holes left behind from coding mistakes or poor practice.  But few users set up the right defenses until it’s too late.

WP Site Guardian is the only WordPress security software that allows you to set it and forget it. WP Site Guardian does daily updates on the safeguards it employs – so your site is always protected with the latest best measures.

You can even be updated on all the threats being blocked or remain blissfully unaware.

Join over 2,000 happy customers and get started with WP Site Guardian today.

The ad that showed up in Google’s search results doesn’t make things look legitimate either:

Visiting the page in that ad we found that it isn’t actually a review and written as if by the developer of the plugin. Strangely that provides a lot more detail than the actual website of the plugin.

While it provides details it doesn’t give us confidence in the product if it was truly from the developer. Take this section:

WordPress itself openly broadcasts every piece of information a hacker needs to hack you, including your WordPress version, your theme & plugin names + versions & with that kind of information it doesn’t matter what security you are running – you are toast even to a script kiddie (baby hacker)

Shields up was developed to make your sites run in “stealth mode” – clearing all the critical information that WP broadcasts by doing so it reduces the risk of hack attacks by up to 95% – hackers simply get bored & move on to an easier target….another amazing pro-active defence tool in our toolbox…

Either this person who wrote this doesn’t know what they are talking about or they are lying to the readers. Hiding that information will have next to no impact. Many hack attempts are totally blind, that is a hacker will try to exploit a WordPress plugin vulnerability without even checking if the website is running WordPress, much less the plugin. In other cases hackers will request plugin file’s that we doubt that a plugin would try to hide, CSS and JavaScript files, since they may need to be accessible in the normal course of using the plugin.

As for the price, remember the ad stated it was 99 off, isn’t listed on the website or through the Buy Now button on the ad’s page, which seems odd as well.

Looking at the rest of the search results we didn’t see anything else that made this seem more legitimate.