29 Apr

WPScan Vulnerability Database Admits to Intentionally Not Warning About WordPress Plugin Vulnerabilities They Know About

Last Tuesday we disclosed an arbitrary file upload vulnerability in the plugin WooCommerce Checkout Manager, caught through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, so not surprisingly the customers of our service were also warned about it then. On Thursday we noted on Twitter that we had seen probing for usage of the plugin that was likely coming from hackers. If you were relying on some other product or service to let you know about vulnerable WordPress plugins, you likely were late in getting notified of that, since many of those use data from the WPScan Vulnerability Database. When it was belatedly added to their data set on Friday, a couple of things stuck out to us, one being that we were not listed as a reference:

The only reference there was to a story at The Hacker News about our disclosure, which contained strange, false claims.

The other being that they claimed the vulnerability was publicly published on Thursday:

The story referenced came out on Friday, so we don’t know where that date comes from, but it isn’t right.

We put out a tweet noting that on Friday and the response from the people behind the WPScan Vulnerability Database seems like a good example of what we see far too often in the security industry, which is that you are dealing with adults who act more like children. They claimed that we tweet “every time” we add a vulnerability before them and that “whereas we do not when the opposite happens, which is way more often”. They also stated that:

We also do not want to give trolls publicity, so will only publish once another source has covered it.

The reality of the situation is very different.

First, they don’t seem to know what a “troll” is, since they are describing us as trolls for actually discovering and disclosing vulnerabilities, not just collecting data on vulnerabilities others discover.

The bigger problem there is that these days we are the ones that discover and disclose the majority of vulnerabilities in WordPress plugins, so they are admitting to intentionally not adding a majority of vulnerabilities in a timely manner, and since other sources don’t cover all of the vulnerabilities we are discovering and disclosing, they are admitting to missing a lot of vulnerabilities entirely. That seems like something someone with the mentality of a child would be doing and admit to without realizing they are self-owning. That also means their claim to adding vulnerabilities before us “way more often” couldn’t possibly be true (we don’t tweet every time we are ahead of them, but do mention some instances like this one where they fail to credit us and are behind in adding the vulnerability). Since our data isn’t public like theirs is, they wouldn’t actually know when we are adding vulnerabilities disclosed by others, so their claim seems to be complete fiction, which again gets to the childish mentality.

To give you an idea of how much is missing, take the seven vulnerabilities they list as being the latest plugin vulnerabilities in their data set:

One of those isn’t really a vulnerability (which is yet another issue with their data); of the remaining six, three are vulnerabilities we discovered and disclosed. The vulnerability in Yuzo Related Posts was disclosed by us 11 days before they added it. The vulnerabilities in YellowPencil Visual CSS Style Editor and WooCommerce Checkout Manager were disclosed by us 3 days before they added them. In each case they lied about the date the vulnerability was originally published, which makes it seem that they were not as far behind as they really were.

Between March 10 when the oldest vulnerability they list was added and today we have discovered and disclosed 8 vulnerabilities they are missing:

So our claim that we are discovering and disclosing the majority of WordPress plugin vulnerabilities isn’t an exaggeration and the claim they make to be adding vulnerabilities before us “way more often” also couldn’t be true.

In addition to the vulnerabilities we discovered, we detailed for our customers 3 more vulnerabilities that had been fixed in that time frame that we didn’t discover (and where the discoverer hadn’t released a report), which are missing from WPScan’s data:

Based on all that, those that are using the WPScan Vulnerability Database’s data for free are getting what they paid for, but when people are paying for access to that data, as they are with a paid service, WPScan.io, created by the people behind that database, they are getting intentionally ripped off.