19 Oct 2022

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A recurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is provided to webmasters, and the sources of that inaccurate information are not the ones who have to deal with the fallout. Take this recent forum topic for the plugin Advanced Contact Form 7 DB (Advanced CF7 DB), which included a message coming from the paid iThemes Security Pro service claiming that there was a “known” vulnerability in the latest version of the plugin, version 1.9.1. Here is the message:

SEPT 30: Known issues in Advanced Contact form 7 DB v1.9.1

Vulnerabilities
Advanced Contact form 7 DB <= 1.8.7 – Unauthenticated Stored Cross-Site Scripting
No Known Fix

Timeline
Publicly Published 2022-04-21
Reported 2022-05-29
Last Updated 2022-05-29

Additional Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29408

Instead of iThemes having to address that, the poster was asking the developer of the plugin about it:

Is this a false positive or does the issue persist?

Someone followed up with this:

I upvote this, I keep getting alerts for this vulnerability.
Any news to provide about it?

Just based on the information provided by iThemes, it is possible to say that they don’t actually know if there still is a vulnerability, as their listing states that the information was last updated in May. Three versions of the plugin have been released since then, with the oldest of those updates, version 1.8.8, released in June. It would have been very easy for them to avoid this, either by not warning about a version they don’t know is vulnerable, or by promptly checking when a new version is released to see if it addresses the issue; at least one other provider does both.

In iThemes’ case, though, they don’t actually have any idea if there even was a vulnerability, as they don’t generate their own data. Instead, they use unreliable data from Automattic’s WPScan.

Looking at WPScan’s data on this claimed vulnerability, it turns out iThemes left out important details, as WPScan says they haven’t verified the vulnerability:

Even if you knew enough to get from iThemes’ message to WPScan, which most people probably wouldn’t, that doesn’t help you check on this, as WPScan doesn’t provide a proof of concept or code explaining what the vulnerability is supposed to be. Instead, all you are told is:

The plugin does not sanitise and escape a parameter from its form, which could lead to an unauthenticated Stored Cross-Site Scripting issue

What WPScan doesn’t note is that the original source for their claim of a vulnerability is a competitor named Patchstack. Looking at Patchstack’s listing, they are claiming that the vulnerability was fixed in version 1.8.8:

Though if you want to confirm that, since Patchstack’s claims about vulnerabilities are not reliable, you are again not provided the information needed to do so, as these are the only details they give:

Persistent Cross-Site Scripting (XSS) vulnerability discovered in Advanced Contact form 7 DB plugin (versions <= 1.8.7) by BEE-K.

With the dearth of information, we can’t say for sure what is going on with the claims made by those companies, but there was a vulnerability of the claimed type fixed in version 1.8.8 of the plugin.
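To show how the stale-advisory problem described above plays out in code, here is an added example (our own illustration, not the logic of iThemes, WPScan or Patchstack) that classifies an installed plugin version against a feed entry, and refuses to call a version "known vulnerable" when the feed simply hasn't reviewed it. The advisory fields come from the listings quoted in this post; the release dates are constructed, since only the month of the 1.8.8 release is given.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.9.1' into (1, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    plugin: str
    affected_up_to: str        # inclusive upper bound of the affected range ("<= 1.8.7")
    fixed_in: Optional[str]    # None when the feed says "No Known Fix"
    last_updated: date         # when the feed last reviewed this entry


def assess(adv: Advisory, installed: str, release_dates: Dict[str, date]) -> str:
    """Classify an installed version against one advisory.

    'vulnerable'   - inside the affected range (or below a known fix version)
    'fixed'        - a fix version is known and installed >= it
    'unverified'   - newer than the affected range, no fix recorded, and the
                     plugin has had releases since the entry was last reviewed
    'not_affected' - newer than the affected range and nothing released since
    """
    inst = parse_version(installed)
    if adv.fixed_in is not None:
        return "fixed" if inst >= parse_version(adv.fixed_in) else "vulnerable"
    if inst <= parse_version(adv.affected_up_to):
        return "vulnerable"
    released_since_review = any(d > adv.last_updated for d in release_dates.values())
    return "unverified" if released_since_review else "not_affected"


# Entry as iThemes/WPScan present it: affected <= 1.8.7, no known fix, reviewed 2022-05-29.
WPSCAN_ENTRY = Advisory("Advanced Contact form 7 DB", "1.8.7", None, date(2022, 5, 29))
# Entry as Patchstack presents it: fixed in 1.8.8 (review date assumed equal; not on the page).
PATCHSTACK_ENTRY = Advisory("Advanced Contact form 7 DB", "1.8.7", "1.8.8", date(2022, 5, 29))
# Constructed release dates: the post only says 1.8.8 shipped in June 2022 and 1.9.1 is current.
RELEASES = {"1.8.8": date(2022, 6, 15), "1.9.1": date(2022, 9, 1)}

if __name__ == "__main__":
    for entry in (WPSCAN_ENTRY, PATCHSTACK_ENTRY):
        print(entry.fixed_in, "->", assess(entry, "1.9.1", RELEASES))
```

A feed that returns "unverified" here has something to recheck itself rather than a warning to push to customers as a "known issue".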

Avoiding Inaccurate Information on Plugin Vulnerabilities

If you are going to be paying for access to information on vulnerabilities in WordPress plugins, there is no reason to get inaccurate information like this. The provider should properly vet things before alerting you and they should be directing you to contact them with any questions, instead of passing you off to a plugin developer who had nothing to do with the inaccurate information.


Plugin Security Scorecard Grade for Advanced Contact form 7 DB: D (checked on September 5, 2024)

Plugin Security Scorecard Grade for Patchstack: D (checked on March 5, 2025)

Plugin Security Scorecard Grade for WPScan: F (checked on April 12, 2025)
