23 May

WPScan Vulnerability Database Lacks Data on Majority of Vulnerabilities We Saw Exploit Attempts For a Week Ago

In a previous post today we noted how our service can be useful for figuring out how WordPress websites have been hacked. It obviously would be better to avoid being hacked in the first place, and our service helps with that as well, but there are limits. If hackers are the first to find a vulnerability, then we are only going to be able to notify our customers after that, though we may be able to notify them before the vulnerability can be exploited on their particular websites. Other data sources are limited even in their ability to provide information after the fact, as can be seen with the WPScan Vulnerability Database, which is very popular despite being of rather poor quality.

Last Thursday we saw what looked to be hackers probing for usage of five plugins on our website. Two of them had recently disclosed persistent cross-site scripting (XSS) vulnerabilities discovered by Sucuri, which likely was what led to hackers probing to see if websites were using the plugins. Even now WPScan’s data is missing one of those vulnerabilities (or a still unfixed vulnerability in the same plugin); the other they added on Friday:

Which isn’t a great response time for a vulnerability that was very likely to have exploit attempts.

For the other three, after seeing the hackers probing, we went looking to see what vulnerabilities the hackers might be interested in exploiting. There wasn’t anything previously disclosed that looked like it could be what was of interest to them, so we checked over the code and functionality of the plugins. Later on Thursday we released posts warning about the persistent cross-site scripting (XSS) vulnerabilities we found when we did that, which might have been what the hackers were looking to exploit. Considering that, in addition to being a competing data source, we are the largest discoverer and discloser of vulnerabilities these days, you would expect those vulnerabilities to be quickly added to WPScan’s data, but that wasn’t the case.

Two of the vulnerabilities have not been included so far, and neither of them has been fixed, so not warning about them leaves people open to being hacked even if they are keeping their plugins up to date. Considering that is just the sort of situation this type of data is most useful for, that is a big issue.

For the third, they only added it on Tuesday. When doing that they claimed that the vulnerability was disclosed on Friday, which isn’t accurate:

And they didn’t credit us for the discovery, which might have to do with having to acknowledge there is another data source out there, which is being proactive in keeping up with vulnerabilities hackers are looking to exploit: