Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed
In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus on the plugin. A WP Tavern story about that provided an explanation from the developer on why that should be in this plugin:
“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.
The WP Tavern story also quoted them saying they were going to be improving the source of their data on a daily basis:
“The nature of our partnership with Javier and WP Vulnerability is sponsoring the efforts of WP Vulnerability and appointing a security consultant ourselves to this open-source effort to improve, and moderate the open-source database daily. WP Vulnerability does not compensate us, nor does it have a stake in Really Simple SSL. Vulnerability detection is available for everyone and always will be.”
While that quote refers to the data source being open-source, it is really just a data set of information copied from other providers. That isn’t going to work well, considering that those other providers often don’t actually verify their information. But maybe Really Simple SSL was going to do that?
Eight months in, the results are not good. Earlier this week we noted in a post, two examples of Wordfence incorrectly claiming that unfixed vulnerabilities in plugins were fixed. Really Simple SSL is also claiming both are fixed.
As we warned our customers on January 11, the developers of the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce had attempted to fix a vulnerability in the latest release, but had failed to accomplish that. We got in touch with the developer and they are working on a fix. Despite it still existing, here is Really Simple SSL saying it has been fixed:
They are claiming it is high-risk, making the lack of warning of its unfixed nature more concerning.
The affected versions listed are also wrong. With only a small number of versions actually vulnerable.
The underlying source for their data, WP Vulnerability, is actually listing the vulnerability twice. Sourcing it separately from Wordfence and Patchstack, with both of them wrong in claiming it has been fixed.
On November 20, we warned our customers that the developers of the plugin Brave Conversion Engine had attempted to fix a vulnerability in the latest release, but had failed to accomplish that. After we got in touch with the developer, they released another incomplete fix. They still haven’t fully addressed the vulnerability. Again, Really Simple SSL is saying it has been fixed:
Who is listed as being affected is not correct either.
The publication date listed is over a month after we warned our customers.
The underlying source for their data, WP Vulnerability, is listing the vulnerability once this time, but with both Wordfence and Patchstack cited.
Verified Plugin Vulnerability Data Matters
It is very common for vulnerabilities to have not actually been fixed. Providing plugin vulnerability data that hasn’t been verified is unethical, as it provides a false sense of security to those using. Despite that, we appear to be the only provider who is actually verifying vulnerabilities before adding them to our data set.
As those two vulnerabilities show, even developers who have previously tried to address a vulnerability are not necessarily going to get the vulnerabilities fixed, either in a timely manner or even at all in some instances.
Plugin Security Scorecard Grade for Patchstack
Checked on March 5, 2025See issues causing the plugin to get less than A+ grade