In trying to improve security one of the things that is a big impediment is the shear amount of misleading and false information out there, which gets in the way of addressing what actually needs to be addressed to fix the problems with security. A lot of that comes from security journalists repeating claims made by security companies that are not accurate, instead of the journalists realizing that they are indications that security companies don’t understand things they should. In Bleeping Computer’s coverage of a vulnerability in the plugin WP Live Chat Support (which is only one of multiple in it), discovered by Sucuri, they state this:
Without having to authenticate on the target website, hackers can automate their attacks to cover a larger number of victims.
While vulnerabilities that require authentication to exploit are going to have less chance of exploitation since it is probable that the vast majority of WordPress websites do not allow untrusted individuals access to an account, an authentication requirement doesn’t stop automated attacks. If they did, why would account registration pages on many website require CAPTCHAs. We are not saying that in a theoretical sense, from the outside it seems that hackers have had the capability to automate trying to register for a WordPress account and if they can, then exploit vulnerabilities, for years.
The author of Bleeping Computer didn’t think that up incorrect claim, instead they are just repeating Sucuri’s claim:
Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites.
Sucuri is a company that is supposed to be protecting websites from being hacked, so it seems like they should know that isn’t correct. That seems like something a security journalist might want to question them about, though it would be far from the only thing they might want to ask Sucuri about.