15 Dec 2022

WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape when security companies are so often so obviously dishonest. That is something we frequently run across in the WordPress security space, even with the big name players. A couple of instances of it just came up, involving vulnerability data providers presenting their data as if they had added information on vulnerabilities more promptly than they really did.

WPScan

Automattic’s WPScan is claiming there is a known vulnerability in the latest version of WordPress, though it would probably be better classified as a security issue. WPScan’s data says that the issue was “publicly published” and “added” two days ago:

There are two references provided:

But there is really only one, as the CVE entry comes from WPScan itself. The other reference, though, is dated back in September:

But according to that entry, the issue was public even before that:

This issue was first reported about six years ago, in January 2017, by another researcher, and by numerous others over the years. After our report and further investigation, we could also identify multiple public blog posts documenting the same behavior as the one we’ll be covering today.

Wordfence

Yesterday, we discussed the poor quality of a newly public vulnerability data set from Wordfence, Wordfence Intelligence Community Edition. That data set includes that security issue in WordPress with the date listed as yesterday:

On the details page, they list that date as when it was “publicly published”:

Presumably, then, that must mean that it was when they published the listing, since it isn’t when the information was published.

But that brings into question another entry shown above, “BeRocket Plugins <= (Various Versions) – Missing Authorization”, which is listed with a date of December 13.

On the page for that, it says it was “publicly published” on that date:

What is odd about that is that we mentioned in our previous post that this entry was missing from their data as of yesterday. So were we mistaken? No. Here is a cached copy of the page from yesterday, and you can see it wasn’t listed then:

By comparison, here is a listing for something they say was “publicly published” earlier this week:

What they link to are things from 2017, so it would again seem that the “publicly published” date refers to when they added the entry, not when the information became public.

So it appears they backdated the “publicly published” date for the BeRocket entry to hide when they really added it, after we had noted that they were missing it.
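The two checks done by hand above (comparing an entry’s “publicly published” date against the dates of the references it links to, and comparing two snapshots of a feed to spot entries that appear only in the newer snapshot yet carry a date earlier than the older snapshot) can be automated for anyone consuming such a feed. The following is an added example written for this post, not code from WPScan, Wordfence, or this site; the feed schema, entry identifiers, URLs, and dates are constructed to mirror the situations described above and are not the providers’ real formats or data.

```python
from datetime import date

# Constructed sample snapshots of a hypothetical vulnerability feed.
# Schema (assumed, not any real provider's): id, title, published (ISO date),
# references (each with url and, when known, the date that reference was published).
SNAPSHOT_DEC_14 = [
    {
        "id": "wp-core-issue",
        "title": "WordPress <= latest - security issue",
        "published": "2022-12-14",
        "references": [
            {"url": "https://example.invalid/ref-september", "date": "2022-09-01"},
            {"url": "https://example.invalid/ref-2017", "date": "2017-01-15"},
        ],
    },
    {
        "id": "other-2017",
        "title": "Some Plugin - XSS",
        "published": "2022-12-12",
        "references": [
            {"url": "https://example.invalid/disclosure-2017", "date": "2017-03-02"},
        ],
    },
]

# Newer snapshot: same entries plus one that was absent a day earlier but
# claims a "published" date before the older snapshot was taken.
SNAPSHOT_DEC_15 = SNAPSHOT_DEC_14 + [
    {
        "id": "berocket-missing-auth",
        "title": "BeRocket Plugins <= (Various Versions) - Missing Authorization",
        "published": "2022-12-13",
        "references": [],
    },
]


def earliest_reference(entry):
    """Earliest dated reference of an entry, or None if no reference carries a date."""
    dates = [date.fromisoformat(r["date"]) for r in entry.get("references", []) if r.get("date")]
    return min(dates) if dates else None


def published_date_lag(entries, tolerance_days=7):
    """Check 1: flag entries whose 'published' date is later than their earliest
    dated reference by more than tolerance_days.

    Returns {entry_id: lag_in_days}. A large lag means the feed's date reflects
    when the provider added the entry, not when the information became public.
    """
    flagged = {}
    for entry in entries:
        first = earliest_reference(entry)
        if first is None:
            continue  # nothing to compare against
        lag = (date.fromisoformat(entry["published"]) - first).days
        if lag > tolerance_days:
            flagged[entry["id"]] = lag
    return flagged


def backdated_entries(older_snapshot, older_snapshot_date, newer_snapshot):
    """Check 2: entries present only in the newer snapshot whose 'published' date
    is on or before the date the older snapshot was captured.

    Such an entry claims to have been published before a snapshot that did not
    contain it, which is the backdating pattern described in the post.
    """
    cutoff = date.fromisoformat(older_snapshot_date)
    seen = {entry["id"] for entry in older_snapshot}
    return [
        entry["id"]
        for entry in newer_snapshot
        if entry["id"] not in seen and date.fromisoformat(entry["published"]) <= cutoff
    ]


if __name__ == "__main__":
    print("published date lags behind references:", published_date_lag(SNAPSHOT_DEC_15))
    print("backdated entries:", backdated_entries(SNAPSHOT_DEC_14, "2022-12-14", SNAPSHOT_DEC_15))
```

Check 1 only works where references carry dates; an entry whose only reference is the provider’s own CVE or listing, as with the WPScan entry above, gives nothing to compare against, which is itself worth flagging. Check 2 needs you to keep your own dated snapshots of the feed, since the provider’s dates are exactly what is in question.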
