Unlike WP Sec, Our Service Actually Determines if Your Site is Using a Known Vulnerable WordPress Plugin
One of the things we do to provide customers of our service with the best information about known vulnerabilities in WordPress plugins is monitor the WordPress Support Forum for possibly relevant topics. Along with the information we are looking for, we often see people who have gotten incomplete and/or inaccurate information from other security providers that are cutting corners. One recent example involved a service named WP Sec. A user of the service wrote this to the developer of a plugin:
It says that the plugin has a security problem.
Did you know it?
The developer responded this way:
Yes, we know this. But this is only valid for Versions < 2.1.1 – as it is also mentioned in the report.
Please make sure to use the current version (2.3.0)
Thanks!
In reality, there wasn't really a vulnerability in the plugin. There are a lot of false reports in the data that WP Sec relies on, WPScan (which is part of Automattic). It would appear that WP Sec doesn't care whether it is providing accurate information to its users, which is unfortunately all too common. But even if there really had been a vulnerability, it wasn't a risk to this website, as the original poster wrote back:
Yes, I’m using the latest version. thanks for your reply.
WP Sec should have checked whether an impacted version was in use, but it didn't. With our service, we do that. Other services don't. At best, they check whether the version in use is newer than the version the vulnerability was claimed to be fixed in. Oftentimes it is obvious they haven't even checked that, as they claim the vulnerability was fixed in a version in which it wasn't (either it was fixed in another version or it hasn't been fixed at all!). They also don't check which earlier versions were actually impacted, so they tell their users that earlier versions that were never impacted are vulnerable. Instead, WP Sec showed these scary warnings to their user:
You can sign up for a free trial for our service to see if your website is currently using WordPress plugins known to be vulnerable.
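To make the difference between the three kinds of check concrete, here is an added example in Python (it is not code from this post, from our service or from WP Sec or WPScan). It puts the three strategies side by side: warn whenever the plugin is installed, warn unless the installed version is at or above the claimed fix version, and warn only when the installed version falls inside the affected range. The advisory data is constructed for the example: the "fixed in 2.1.1" bound and the installed version 2.3.0 come from the exchange quoted above, while the plugin slug `example-plugin` and the lower bound `2.0` are assumptions.

```python
"""Version-range check for a WordPress plugin advisory.

Added example, not code from the post or from any scanner it discusses.
Only "fixed in 2.1.1" and the installed version 2.3.0 come from the post;
the plugin slug and the 2.0 lower bound are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.1.1' -> (2, 1, 1). A non-numeric suffix is dropped, so
    '1.2-beta' -> (1, 2); adequate for plugin release versions."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is lower than, equal to or higher than b.
    Shorter tuples are right-padded with zeros so that 2.1 == 2.1.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass
class Advisory:
    plugin: str
    first_affected: Optional[str]  # None: every version before fixed_in
    fixed_in: Optional[str]        # None: no fix has been released


def flag_if_installed(installed: str, adv: Advisory) -> bool:
    """Sloppiest check: the plugin is present, so warn. Always a hit."""
    return True


def flag_unless_fixed(installed: str, adv: Advisory) -> bool:
    """Compares only against the (claimed) fix version, so it still
    flags versions older than the one the bug was introduced in."""
    if adv.fixed_in is None:
        return True
    return compare_versions(installed, adv.fixed_in) < 0


def flag_if_in_affected_range(installed: str, adv: Advisory) -> bool:
    """Checks both bounds: first_affected <= installed < fixed_in."""
    if adv.first_affected is not None and compare_versions(installed, adv.first_affected) < 0:
        return False
    if adv.fixed_in is not None and compare_versions(installed, adv.fixed_in) >= 0:
        return False
    return True


# Constructed sample advisories (slug and lower bound are assumptions).
SAMPLE_ADVISORY = Advisory(plugin="example-plugin", first_affected="2.0", fixed_in="2.1.1")
UNFIXED_ADVISORY = Advisory(plugin="example-plugin", first_affected="2.0", fixed_in=None)


def compare_strategies(installed: str, adv: Advisory) -> dict:
    """Verdict of each strategy for one installed version."""
    return {
        "any_install": flag_if_installed(installed, adv),
        "unless_fixed": flag_unless_fixed(installed, adv),
        "affected_range": flag_if_in_affected_range(installed, adv),
    }


if __name__ == "__main__":
    for v in ("1.9", "2.0.5", "2.1.1", "2.3.0"):
        print(v, compare_strategies(v, SAMPLE_ADVISORY))
```

For the 2.3.0 install from the post, only the first strategy warns, which is the false positive the user received. For a 1.9 install the second strategy still warns even though that version predates the bug, and only the range check stays quiet. The range check is only as good as its data, though: if the advisory's `fixed_in` or `first_affected` values were copied from an unverified report, the result is wrong no matter how carefully the comparison is done, which is why the versions themselves have to be checked rather than taken on faith.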