11 Dec 2023

Despite Having “Impeccable” WordPress Plugin Vulnerability Data, Wordfence Deletes False Claim of Unfixed Vulnerability in Gutenberg

Recently the CEO of Wordfence, Mark Maunder, responded to us noting that Wordfence’s data on WordPress plugin vulnerabilities is “often quite inaccurate and not a reliable source” by saying that their “data is impeccable.” To claim that their data is flawless is quite a statement to make. It would be one thing to say that they are trying to provide the best data or doing their best, but flawless is something else. They also claimed that we were a “well known industry troll” and “contribute nothing beyond vitriol.” So who was right there?

Last week, we discussed a strange situation in which someone had claimed that there was a vulnerability in WordPress. The WordPress security team explained to them that there wasn’t a vulnerability, yet Wordfence and others were now claiming that there was a vulnerability in the Gutenberg plugin, but not in WordPress. If the issue described were a vulnerability, it certainly would be in WordPress. But as we mentioned, and as the WordPress security team had said before, it wasn’t a vulnerability. Wordfence’s claim was causing a fair bit of concern for those using both that plugin and Wordfence’s plugin.

If you click on the link to Wordfence’s claim in that post now, you are presented with a page not found message:

What is going on? Over on the GitHub issue discussing the larger issue of this false claim of a vulnerability in Gutenberg, a Wordfence employee wrote, “We (Wordfence) have removed this entry from our records.” They added, “If you’re using any of our software, you shouldn’t be alerted about this anymore.” There was no acknowledgement that they had gotten anything wrong. But why else would they delete it?

Similarly, by simply wiping this out, they are not acknowledging that they got this wrong. Instead, they are simply disappearing the false claim.

So clearly the data isn’t flawless. If this were a one-off issue, it might not be a big deal, but we have repeatedly run across inaccuracies in their data set since they created it last year, and the problems those inaccuracies cause for others. As can be seen here, instead of acknowledging that Wordfence has problems, their CEO and others with the company repeatedly lie about what is going on and attack others for noting the problems.

What would be a big help would be for WordPress to start warning the community about Wordfence’s inaccurate data, as it is causing a lot of completely avoidable headaches for the users and developers of plugins.

