6 Aug 2021

Wordfence Keeps Using Misleading Severity Scores While Admitting That They Are Misleading

To help our customers better understand the risk posed by a vulnerability in a WordPress plugin, we provide a rating of how likely the vulnerability is to be exploited, based on our data set. As we noted again just yesterday, the alternative metric, severity scores, is not really meaningful when looking at vulnerabilities in WordPress plugins. That hasn’t stopped other security providers from promoting those scores, despite them being misleading. In most cases we can’t say for sure that those providers are aware of that misleading element and that they are contributing to the problematic use of the scores, but in the case of Wordfence we can say they know, as here are their comments in a blog post last week regarding the most popular severity scoring system, CVSS:

As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session.

Although the CVSS score of this vulnerability is significantly higher than that of the previous vulnerability, it is much less likely to be exploited in the real world due to the presence of an .htaccess file in the downloads directory making it difficult to execute any uploaded files.

These vulnerabilities are an excellent example of why analysts look at the mechanism of each vulnerability in order to judge potential impact, as the CVSS score rarely tells the whole story.

The point of a CVSS score, or a score from a similar severity scoring system, is supposed to be to indicate the impact of a vulnerability and its severity relative to other vulnerabilities:

Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.

That wasn’t in a post explaining why they have not been using those misleading severity scores, or apologizing for having used them. Instead, even as they admitted to their misleading nature, they continued to use them in that very post. What do you even say in response to someone admitting they are providing misleading information and yet continuing to do it?
