Back in September of last year we came across a page on the website WP Loop listing vulnerabilities in WordPress plugins. Upon our taking a look to see if it might contain data from any sources we had yet to become aware of, we noticed that the data was largely, if not entirely simply copied from the free data that is included in the companion plugin for our service. They later started adding more data not from our plugin’s data, but because others don’t do the same work we do to determine what versions of plugins are vulnerable it was also inaccurate data.

More recently we noticed a fair amount of traffic coming to our website from the website firstsiteguide.com. The page the traffic was coming from appeared to be same page as had been on WP Loop before, “Hacked, dangerous & vulnerable WordPress plugins”, but it contained no listing of vulnerabilities (if you visit wploop.com it now redirects to https://firstsiteguide.com/learn-wordpress/).

More recently they re-added a list of vulnerabilities and it is clearly just copied from our plugin. They in no way note that and in fact make it appear that they are compiling the information from multiple sources. At the bottom of the page is the following:

Sources

The list of latest dangerous and vulnerable WordPress plugins is compiled from various sources including:

• WPScan Vulnerability Database
• Offensive Security’s Exploit Database Archive
• Vapid Labs
• CVE Details
• Plugin Vulnerabilities

Notably we are linked to last and what is linked to there is not our plugin, but our website, though the data clearly is coming directly from the plugin.

As of two days ago there were entries for 204 plugins on the page and there were 207 in our plugin. All 204 entries on their page were also included in our plugin’s data. Of the three others that were not on their page, two of the plugins, Brandfolder and mb.miniAudioPlayer, were just added to our plugin’s data on Monday and they then appeared in their list yesterday. That all couldn’t be a coincidence.

There are a number of issues with what they are doing, beyond not properly crediting us.

First it would be much easier for people to install our plugin and check to see if they are using listed plugins that currently or previously contained a vulnerability. Since the plugin does the checking for you, while you would need to search over the list to see if a plugin you are using is or was vulnerable.

If you are checking over their list you could easily miss that a plugin you are using is listed. That is in part due to the fact that while they claim to be listing the plugins name they are not. Take for example mb.miniAudioPlayer, which is listed on their page by the name Wp Miniaudioplayer instead. That isn’t because the plugin has multiple names it is referred to, as does happen fairly often, but because the people behind this list are faking providing the name. What they are doing is taking the slug of a plugin, in the case of this plugin, wp-miniaudioplayer, replacing the hyphens with spaces and the capitalizing each word, which isn’t always even similar to the name the plugin goes by.

There is another very serious problem with their listings, they only list the fist vulnerability included in our data for a plugin. That can be seen with the plugin Display Widgets, which if you followed the recent coverage you would probably remember that the plugin had multiple versions that contain intentionally malicious code. In the firstsiteguide.com’s data though it is only listed as having a “remote code execution” in version 2.6. The reason for that is that we have two listing for that plugin, because there was a different issue in that version than the others:

$plugin_vulnerabilities["display-widgets"] = array(
	"1" => array(
		"FirstVersion" => "2.6",
		"LastVersion" => "2.6",
		"TypeOfVulnerability" => "remote code execution",
		"URL" => "https://stallion-theme.co.uk/display-widgets-plugin-review/"
	),
	"2" => array(
		"FirstVersion" => "2.6.1",
		"LastVersion" => "2.6.3.1 ",
		"TypeOfVulnerability" => "spam post creation",
		"URL" => "https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/"
	),
);

That also makes it quite clear where their data really comes from, because other data sources didn’t list things that way.

Back when we first noticed what had happened when the website was WP Loop we noticed there was companion blog post that made this obviously false claim:

Until now, it might have been impossible for a regular user to know how to find a bad plugin, but that’s where we step in to help you.

We also left a comment at the time noting that they were saying something they knew was false there and also mentioning that list came from our data. If we are recalling things correctly they responded and said it would be noted where the data was really coming, from, though there is no longer any comment like that on the post.