Vulnerability Assessments and Penetration Testing Are Not Essential for Addressing Security Risks on WordPress Websites
A recent SecurityWeek headline claimed that a Ferrari website was put at risk by a WordPress plugin: “WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers”. While a WordPress plugin was involved, it shouldn’t have been the focus of the headline. Instead, Ferrari’s failure to follow basic security practice was the real cause of the issue.
The body of the story gets closer to the truth as it says that the vulnerable Ferrari website was “running a very old version” of the vulnerable plugin in question. How old? It doesn’t say. The closest it gets to that is mentioning a CVE id, CVE-2019-6715, which suggests this might be a vulnerability from 2019. The CVE record says that the vulnerability impacts versions “before 0.9.4”. Version 0.9.4 of the plugin was released on April 4, 2014. So Ferrari hadn’t updated the plugin in nine years.
You don’t need to be a security expert to understand that failing to update software on a website for nine years is a major security risk. Instead of someone simply logging in to WordPress and seeing that the plugin was really out of date, the source for SecurityWeek’s story went through a more complicated and costly method of penetration testing to identify that an outdated plugin was in use.
At the end of their post, they were promoting vulnerability assessments and penetration testing as being essential for addressing security risks:
Regular vulnerability assessments and penetration testing are essential for identifying and addressing security risks before they can be exploited by attackers.
As this situation shows, though, penetration testing isn’t essential or even necessary for addressing most security risks. Here the penetration testing could have been skipped entirely and the software simply updated, with the same result.
It can be worse than that. This penetration testing was relying on WPScan, which, as we have repeatedly noted, doesn’t provide accurate information on vulnerabilities. In January, an unfixed vulnerability was widely exploited in a plugin despite WPScan having claimed it had been fixed three months before (while inaccurately describing it).
As we noted in September, WPScan-based penetration testing can be replaced with cheaper and better automated testing, which can run as often as hourly for a fraction of the cost of penetration testing.
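The cheap check described above, reading a plugin's declared version and comparing it against the "before 0.9.4" boundary from the CVE record, is shown here as an added example; it is not code from this post or from WPScan. The plugin file contents and the plugin slug "example-plugin" are constructed placeholders, since the post does not name the plugin.

```python
import re

# Constructed sample: the header comment WordPress reads from a plugin's main PHP file.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: Example Plugin
Version: 0.9.1
*/
"""

# Constructed advisory table: plugin slug -> list of (advisory id, first fixed version).
# The CVE id and the "before 0.9.4" boundary are the ones quoted in the post above;
# the slug is a placeholder.
ADVISORIES = {"example-plugin": [("CVE-2019-6715", "0.9.4")]}


def plugin_version(php_source: str) -> str:
    """Pull the 'Version:' header out of a plugin file, the way WordPress itself does."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", php_source, re.M | re.I)
    if not m:
        raise ValueError("no Version header found")
    return m.group(1)


def parse_version(version: str) -> tuple:
    """Turn '0.9.4' into (0, 9, 4) so comparison is numeric: '0.10' must sort above '0.9'."""
    parts = []
    for token in re.split(r"[.\-]", version.strip()):
        digits = re.match(r"\d+", token)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_older(installed: str, fixed: str) -> bool:
    """True when the installed version is below the first fixed version (pads short tuples)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_plugin(slug: str, php_source: str, advisories: dict) -> list:
    """Return the advisory ids whose fix the installed plugin version does not yet include."""
    installed = plugin_version(php_source)
    return [cve for cve, fixed in advisories.get(slug, []) if is_older(installed, fixed)]


if __name__ == "__main__":
    print(check_plugin("example-plugin", SAMPLE_PLUGIN_FILE, ADVISORIES))
```

Running the same check over every directory under wp-content/plugins on a schedule gives the hourly automated test the post has in mind, without any external scanner.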