Yesterday a company named WebARX discussed a vulnerability we had discovered in a WordPress plugin named Social Warfare, though you wouldn’t know that it you read their post:
Last week, an unnamed security researcher publicly disclosed security vulnerabilities in the popular WordPress plugin “Social Warfare“.
Why not properly credit us there? Well one explanation is that they wanted to promote themselves without dealing with the fact that they actually provide a service that provides worse protection then simply keeping your plugins up to date.
We disclosed that vulnerability on the 21st and it was fixed the same day. It was getting exploited that same day. None of that is mentioned in WebARX’s post. Instead they have this chart showing that hacks started the next day (and barely started at that):
In the conclusion of their post they write this:
We strongly encourage you to update Social Warfare plugin to the latest version (3.5.3). It patches both vulnerabilities mentioned in this article.
Firewall rules for both of those vulnerabilities have been shipped to WebARX users since 22nd of March.
Considering that post was released yesterday, the advice to update the plugin is way behind. What the advice should have been is to keep your plugins up to date at all times, since that would have provided you protection on the 21st, which was a day before they claim to have added protection.
What then might explain the chart is that they are only detecting hacking attempt after they have added protection, which means something like that is of limited value.
If you actually want to improve the security of WordPress websites beyond keeping plugins up to date, getting plugins security reviewed would actually do that.