6 Dec 2023

Wordfence’s “Highly Credentialed and Industry-Leading Vulnerability Researchers and Analysts” Don’t Understand Local File Inclusion

Last week we noted how the WordPress security provider Wordfence was criticizing another provider of WordPress plugin vulnerability data for doing something they also do. That situation involved them mislabeling a security issue as a vulnerability in the very popular Contact Form 7 plugin. But another piece of that contradicts yet another claim they make.

While marketing their data, they make this claim:

The database is actively maintained by a team of highly credentialed and industry-leading vulnerability researchers and analysts with dozens of vulnerabilities added per week.

As usual, Wordfence makes really impressive-sounding claims. As was the case with their claim to provide another industry leader, the actual results fall short of that.

The aforementioned security issue they incorrectly claimed was a vulnerability involved code that allows files with arbitrary file extensions to be uploaded. The resolution limited the file extensions that can be uploaded. Yet, Wordfence wrote this:

However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

If you can upload files to a website and there is a local file inclusion vulnerability, then you can cause remote code execution to occur even if you limit what file extensions can be uploaded, because that type of vulnerability causes the code in the included file to be run regardless of its extension. The file extension doesn’t even come into play. The new version of the plugin doesn’t remove the file upload capability; it only restricts what extensions can be uploaded. So if this was a vulnerability, it still exists.
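To make the point concrete, here is an added example (not code from this post, from Wordfence or from Contact Form 7) of a PHP page loader with a local file inclusion flaw beside a hardened allowlist version; the `page` parameter, the `pages/` directory and the file names are assumptions.

```php
<?php
// Added illustration; hypothetical page loader, not real plugin code.
// Assumed: a request parameter `page` and a `pages/` directory under the script.

// VULNERABLE: the include path is built from untrusted input. PHP's include
// parses the target file as PHP whatever its extension is, so any file that
// ends up under the web root (a .txt, a .csv, an "image") is executed if it
// contains PHP tags. Restricting which extensions may be uploaded therefore
// does nothing to close this hole.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page;   // user input reaches include()
}

// HARDENED: the request parameter selects an entry from a fixed allowlist and
// is never used as part of the path; unknown values are refused outright.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function render_page_hardened(string $page): bool
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        http_response_code(404);
        return false;
    }
    include __DIR__ . '/pages/' . PAGE_ALLOWLIST[$page];
    return true;
}

// On the upload side, keep uploaded files in a directory where the web server
// does not execute PHP, and never pass user-controlled values to include or
// require; the extension check alone is not a mitigation.
$page = $_GET['page'] ?? 'home';
render_page_hardened($page);
```

When reviewing a plugin, grep for `include`, `require`, `include_once` and `require_once` whose argument derives from `$_GET`, `$_POST` or `$_REQUEST`; that pattern, not the upload filter, is what decides whether an uploaded file can run.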

This isn’t an obscure issue. Local file inclusion is a well-known type of vulnerability, something that a group of highly credentialed and industry-leading vulnerability researchers and analysts should understand. And yet they at least pretended to not understand that.
