04 Mar

WPScan Vulnerability Database Fails to Credit Us, But Did Incorrectly Claim Plugin Had Been Fixed From Freemius Vulnerability

When it comes to information on security topics, whether in security journalism or elsewhere, we have often found that incorrect information is provided which someone could have recognized as incorrect if they had been able to check the original source, except that the original source isn't listed. That is the case with the WPScan Vulnerability Database's entry, created on Friday, for the authenticated option update vulnerability in the Freemius library that we discussed on Tuesday:

While much of that obviously comes directly from our post (for example, one of their references is the changelog of an unpopular plugin, which surely is not coincidentally the changelog cited in our post as part of what led us to notice this issue), we are notably not mentioned as a reference. Perhaps they want to hide from people relying on their data that a higher quality source is available?

What doesn't come from us are the versions of the plugins in which the vulnerability was supposed to have been fixed. One of those is wrong, as their data claims that Popular Snippets was fixed in version 3.0.4:

As we noted in our previous post, the vulnerability was fixed in version 3.0.6, which wasn't even made available until after the last update to WPScan's entry. If someone had visited our post before we helped to get the plugin fixed, they would have correctly seen that it was still unfixed.