10 Mar 2020

The Security Ninja WordPress Plugin Isn’t Going to Provide You Accurate Information on WordPress Plugin Vulnerabilities

The security industry doesn't currently have a well-functioning market, so companies aren't actually competing to provide better services; instead they largely compete on who can tell the best lies, which produces the expected poor results. We nevertheless continue to look at how we are doing versus other sources, so we can provide our customers the best service possible. We recently ran across the Security Ninja plugin promoting that it will check for WordPress plugin vulnerabilities and wanted to see how things stacked up.

According to them, they get their data from the National Vulnerability Database (NVD):

The vulnerability scanner uses data from the National Vulnerability Database – NVD

Unlike another instance where we had seen a company claiming to use that or the related CVE data despite not doing so, this time that is the actual source, though the only data provided is what you would get from CVE. The NVD includes additional data over CVE, but they are not including any of that.

So what is the problem with that? Well, as we noted just yesterday, that source doesn't involve even doing basic due diligence in at least some instances, as can be seen with a situation where a WordPress plugin with 100,000+ installs was claimed to have fixed a vulnerability, despite there not being any change in that version that could possibly have fixed a vulnerability. Checking on that would have taken just a few seconds, since it only requires looking at what changed between the two versions. As expected, Security Ninja is telling those using the plugin to update to the version that doesn't fix a vulnerability.

In fact, the vulnerability that looks to be at issue is currently unfixed.
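The "few seconds" check described above amounts to diffing the two tagged versions of a plugin and asking whether any code changed at all, as opposed to just the version stamps and the readme. The script below is an added example, not code from this site or from Security Ninja; the two plugin trees it compares ("Example Plugin", versions 1.0, 1.1 and 1.2) are constructed inline for illustration and are not the real plugin the post refers to. A version that differs only in its version headers and changelog cannot contain a fix, whatever its changelog claims.

```python
import difflib
import re
from typing import Dict, List

Tree = Dict[str, str]  # relative path inside the plugin -> file contents

# Lines that change on every release without changing behaviour.
VERSION_NOISE = re.compile(r"^\s*\*?\s*(Version|Stable tag):\s*\S+\s*$", re.IGNORECASE)
# Documentation-only files cannot carry a fix, so they are ignored.
DOC_SUFFIXES = (".txt", ".md")


def normalise(text: str) -> List[str]:
    """Drop version-stamp lines so a pure version bump compares as unchanged."""
    return [line for line in text.splitlines() if not VERSION_NOISE.match(line)]


def substantive_changes(old: Tree, new: Tree) -> Dict[str, List[str]]:
    """Return {path: unified diff lines} for every non-doc file whose code
    differs between the two trees, including files added or removed."""
    changes: Dict[str, List[str]] = {}
    for path in sorted(set(old) | set(new)):
        if path.lower().endswith(DOC_SUFFIXES):
            continue
        before = normalise(old.get(path, ""))
        after = normalise(new.get(path, ""))
        if before != after:
            changes[path] = list(
                difflib.unified_diff(before, after, f"a/{path}", f"b/{path}", lineterm="")
            )
    return changes


def fix_is_possible(old: Tree, new: Tree) -> bool:
    """A claimed security fix is only possible if some code actually changed."""
    return bool(substantive_changes(old, new))


# Constructed sample trees (hypothetical plugin, not a real one).
# 1.0 -> 1.1 is a bare version bump whose changelog claims a security fix.
# 1.1 -> 1.2 actually escapes the reflected parameter.
V1_0: Tree = {
    "readme.txt": "=== Example Plugin ===\nStable tag: 1.0\n\n== Changelog ==\n= 1.0 =\n* Initial release\n",
    "example-plugin.php": "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.0\n*/\n"
                          "function ep_handle() {\n    echo $_GET['q'];\n}\n",
}
V1_1: Tree = {
    "readme.txt": "=== Example Plugin ===\nStable tag: 1.1\n\n== Changelog ==\n= 1.1 =\n* Security fix\n= 1.0 =\n* Initial release\n",
    "example-plugin.php": "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.1\n*/\n"
                          "function ep_handle() {\n    echo $_GET['q'];\n}\n",
}
V1_2: Tree = {
    "readme.txt": "=== Example Plugin ===\nStable tag: 1.2\n\n== Changelog ==\n= 1.2 =\n* Escape output\n= 1.1 =\n* Security fix\n= 1.0 =\n* Initial release\n",
    "example-plugin.php": "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.2\n*/\n"
                          "function ep_handle() {\n    echo esc_html($_GET['q']);\n}\n",
}


if __name__ == "__main__":
    for label, old, new in (("1.0 -> 1.1", V1_0, V1_1), ("1.1 -> 1.2", V1_1, V1_2)):
        changes = substantive_changes(old, new)
        verdict = "code changed, fix is at least possible" if changes else "no code change, no fix possible"
        print(f"{label}: {verdict}")
        for path, diff in changes.items():
            print("\n".join(diff))
```

Against real plugins the same comparison is done over the two tags in the plugin's directory on wordpress.org, but the question is the same: if nothing but the version strings moved, the advisory's "fixed in" version is wrong and the vulnerability is still there.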

Telling you a vulnerability has been fixed when it hasn't is of limited use. With a source like this, if you actually want to know whether you are protected you would need to test things out for yourself, assuming you are even provided with enough information to do that, or you could just use our service, where we have already done that for you.

Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025: F
