WordPress, Automattic’s WPScan, Patchstack, and CVE Make Mess of Unfixed Vulnerability in WordPress Plugin
The two most recent support forum topics for the 30,000+ install WordPress plugin Kraken.io Image Optimizer are about a claimed security vulnerability in the latest version of the plugin:

One of them begins with this message:
iThemes is flagging this. Any patch coming? Or, what to do.
A follow up to this is:
Same problem on my end. When will a fix become available?
The other topic includes this message:
We have to disable the plugin until Kraken gets a proper update.
With an inaccurate response to that:
@rcarmichael it is my understanding that just HAVING a compromised plugin on a site (active or not) makes the site no longer safe from hackers.
Despite those public discussions that there is an unfixed vulnerability, the plugin is still available in the WordPress Plugin Directory:

So what has gone wrong there? It turns out a lot.
WordPress Failure
As anyone who has tried to engage in the WordPress Support Forum should be able to tell you, the moderators micromanage what goes on there, especially when it comes to any discussions about security. So WordPress certainly is aware that there is a claimed vulnerability, but they haven’t taken action.
That is a common problem. Currently, we have data on unfixed vulnerabilities in plugins still in the Plugin Directory with at least 7.93 million installs. So while you should be able to rely on WordPress to handle this type of situation, you can’t.
Automattic’s WPScan Claims There is a Vulnerability, But Also Claims it Doesn’t Know Anything About It
Half the four-person team that runs the Plugin Directory works directly for the head of WordPress, Matt Mullenweg, through Audrey Capital. While that team will sometimes remove plugins known to contain unfixed vulnerabilities, that team refuses to warn people about those unfixed vulnerabilities. In an obvious conflict of interest, Matt Mullenweg’s company Automattic sells access to fairly inaccurate data on unfixed vulnerabilities in WordPress plugins, through their WPScan service.
One of the companies they sell data to is iThemes, which was mentioned as being the source for the claim the plugin contains a vulnerability in one of the topics. As iThemes is just repeating WPScan’s claims, they don’t actually know if they are true, which is a problem, since WPScan often puts out inaccurate information.
WPScan is claiming they don’t actually know if there is a vulnerability here, as their listing states the issue is not verified:

They also don’t appear to have any idea what the vulnerability is, as they haven’t provided a proof of concept as they usually do, and the description is simply a description of what cross-site request forgery (CSRF) is:
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions
Without more information, there isn’t any way for their customers, including iThemes, to confirm things for themselves.
The only reference that might contain more information is a CVE entry, CVE-2022-38454.
CVE’s Junk Data
The CVE is an entity that claims to catalogue vulnerabilities and claims it is funded by the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which don’t appear to get their money’s worth. The entry for this claimed vulnerability contains obvious false information.
Their entry contains two CONFIRM references, which are supposed to be a “URL to location where vendor confirms that the problem exists”. One of those links is to the main page for the plugin on the WordPress Plugin Directory, https://wordpress.org/plugins/kraken-image-optimizer/. That doesn’t confirm the problem exists. The other links to an entry on another security provider’s website, Patchstack. There is no confirmation from the vendor that the problem exists on that page either.
The only information beyond the references provided is yet another vague description of the claimed issue:
Cross-Site Request Forgery (CSRF) vulnerability in Kraken.io Image Optimizer plugin <= 2.6.5 at WordPress.
So again, there isn’t the information needed to verify there is an issue.
Patchstack Provides No Details
The CVE entry points to the Patchstack entry, and that appears to be the end of the trail, with no additional information to work with to determine if there is a vulnerability.
Here is their entry:

The description indicates they are the original source, but again, provides no details:
Cross-Site Request Forgery (CSRF) vulnerability was discovered by Rasi Afeef (Patchstack Alliance) in the WordPress Kraken.io Image Optimizer plugin (versions <= 2.6.5).
Considering that Patchstack isn’t known for their accuracy, you can’t rely on their claims about vulnerabilities existing and being fixed. Despite that, Automattic’s WPScan and CVE have made their own listings, without doing basic due diligence or even having the information needed to do that.
There is no claim that Patchstack attempted to notify WordPress about there being an unfixed vulnerability in a plugin in their Plugin Directory. The same can be said for WPScan and CVE.
There Really is a Vulnerability
None of the customers of our service are currently using the plugin, so we didn’t take a look at the claim when it was first disclosed, but while preparing this post, we took a look and quickly confirmed that there is indeed a CSRF vulnerability. As detailed for our customers, it would allow an attacker to cause someone logged in to WordPress as Administrator to change the plugin’s settings. Is that what Patchstack was referring to? Who knows? It probably is, but they provided so little information we have no way of even knowing if they knew there was that type of vulnerability in the plugin. It is a rather common issue, so someone could claim there is one without knowing it and have a decent chance of being right.
This is a really minor vulnerability, so it isn’t much of a threat. Also, it would not be exploitable with the plugin deactivated, contrary to the forum reply we quoted near the beginning of this post.
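To illustrate the type of issue described above, here is a hypothetical settings handler of the kind a WordPress plugin might have, written for this post rather than taken from the Kraken.io Image Optimizer plugin; the option name, form action and field names are assumptions. The first handler trusts any request arriving from an administrator’s browser, while the second ties the form to a nonce and rejects requests that lack a valid one.

```php
<?php
// Illustration only: NOT the Kraken.io Image Optimizer plugin's code. The option
// name 'demo_optimizer_settings' and action 'demo_optimizer_save' are assumptions.

// Vulnerable pattern: the capability check confirms WHO is logged in, but nothing
// confirms the request was intentionally sent from the plugin's own settings form.
function demo_optimizer_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // No nonce check here, so the request's origin is never verified.
    $settings = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'lossy'   => ! empty( $_POST['lossy'] ),
    );
    update_option( 'demo_optimizer_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-optimizer&saved=1' ) );
    exit;
}

// Hardened pattern: the settings form carries a nonce bound to this action and
// the current user; the handler dies unless that nonce is present and valid.
function demo_optimizer_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_optimizer_save">';
    wp_nonce_field( 'demo_optimizer_save' ); // emits the _wpnonce hidden field
    echo '<input type="text" name="api_key"> <input type="checkbox" name="lossy" value="1">';
    submit_button( 'Save' );
    echo '</form>';
}

function demo_optimizer_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'demo_optimizer_save' ); // CSRF check: verifies _wpnonce
    $settings = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'lossy'   => ! empty( $_POST['lossy'] ),
    );
    update_option( 'demo_optimizer_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-optimizer&saved=1' ) );
    exit;
}

// Hooks are registered only while the plugin is active, which is why a
// deactivated plugin's settings handler cannot be reached at all.
add_action( 'admin_post_demo_optimizer_save', 'demo_optimizer_save_hardened' );
```

Reviewers checking a plugin for this class of issue can look for option-saving code that reads $_POST without a preceding check_admin_referer() or wp_verify_nonce() call.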
We used to inform the team running the Plugin Directory when there were known, but unfixed, vulnerabilities in plugins in the directory, but we suspended doing that because of their continued refusal to curb their inappropriate behavior. As this shows, there isn’t anyone else that has taken up the slack.