19 Jun

WPScan Vulnerability Database Is Misleading Users of Plugin With 200,000+ Installs About Its Security

We used to say that the WPScan Vulnerability Database was a good source of data on vulnerabilities in WordPress plugins for the price, considering that it is low quality data but accessible for free. Over time, though, the quality has gone further down, and the people behind it seem unconcerned with the truth, which is rather important when it comes to security.

For a reason that doesn’t make sense to us, they refuse to credit us for vulnerabilities we find and instead belatedly add some of them citing another source. That creates unneeded problems for those relying on their data, which could be leading to websites being hacked.

On Monday we disclosed that the plugin Facebook for WooCommerce, which has 200,000+ installs, is generally insecure because it fails to protect against cross-site request forgery (CSRF), and we provided an example of a vulnerability caused by that.

The WPScan Vulnerability Database belatedly added a listing related to that today. As usual, they didn’t credit us.

They also lied about the date it was publicly disclosed (we say lied because they have repeatedly done this).

They also got the type of vulnerability wrong for the example vulnerability we discussed, as they refer to it as “CSRF allowing arbitrary Option Update”, when in fact the options that can be updated are limited. That is rather important, since it limits the risk: if you are dealing with a hacked website, you could rule this vulnerability out as the source if you knew that. We made that clear in our original report, so the inaccurate information may be due to them relying on a secondary source.
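To make the distinction concrete, here is an added illustration (our own hypothetical WordPress handler code, not code from the Facebook for WooCommerce plugin) of what "arbitrary option update" versus "limited option update" looks like when a form handler lacks CSRF protection, followed by the hardened form. All function, option and nonce names are invented for the example; the `manage_woocommerce` capability is assumed to be the one a WooCommerce-related settings page would check.

```php
<?php
// Hypothetical WordPress admin-post handlers. Not the plugin's own code;
// every name below is made up for illustration.

// Case 1, "arbitrary option update": the option NAME comes from the request
// and there is no nonce or capability check. A page the victim admin is
// lured to can auto-submit a form that sets ANY option (default_role,
// siteurl, users_can_register, ...), which is a full site takeover path.
function hypothetical_save_settings_arbitrary() {
    $name  = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    if ( '' !== $name ) {
        update_option( $name, $value ); // attacker chooses both name and value
    }
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-settings' ) );
    exit;
}

// Case 2, "limited option update": still no CSRF protection, so the same
// lure works, but only a fixed set of plugin-specific options can change.
// That is what is being described in the post: a real issue, but one whose
// impact is bounded, and one an incident responder can rule out quickly
// by checking whether those particular options were tampered with.
function hypothetical_allowed_options() {
    return array( 'hypothetical_pixel_id', 'hypothetical_catalog_id' );
}

function hypothetical_save_settings_limited() {
    foreach ( hypothetical_allowed_options() as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            update_option( $name, sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) );
        }
    }
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-settings' ) );
    exit;
}

// Hardened form: the capability check stops low-privilege users, and the
// nonce check stops CSRF, because a third-party page cannot know the
// per-user, per-action nonce value. Both checks are needed; a nonce alone
// does not replace the capability check, and vice versa.
function hypothetical_save_settings_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypothetical_save_settings' ); // dies on bad/missing nonce

    foreach ( hypothetical_allowed_options() as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            update_option( $name, sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) );
        }
    }
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-settings' ) );
    exit;
}

// The settings form must emit the matching nonce for the hardened handler.
function hypothetical_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'hypothetical_save_settings' ); ?>
        <input type="hidden" name="action" value="hypothetical_save">
        <input type="text" name="hypothetical_pixel_id"
               value="<?php echo esc_attr( get_option( 'hypothetical_pixel_id', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Only the hardened handler is wired up; the two vulnerable ones are shown
// for comparison and should never be registered.
add_action( 'admin_post_hypothetical_save', 'hypothetical_save_settings_hardened' );
```

When triaging a hacked site against a listing like this one, the practical difference is the scope of what to check: for the limited case, compare the plugin's own options in `wp_options` against known-good values; for a genuinely arbitrary update you would have to treat every option, including `siteurl`, `home` and `default_role`, as suspect.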

They list it as fixed, which is true of the example vulnerability but misleading, since the developers of the plugin only fixed the example we provided of the larger security issue at hand, so the plugin is still insecure. That is probably something people relying on WPScan’s data would want to know. If they had linked to our original report, those relying on their data could have read that there was a larger issue, but since they don’t properly credit things, they can’t.

An easy way to avoid these problems is to use our service, since we are focused on providing the best data for our customers and so avoid unneeded problems.