WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed
WordPress plugin developers are not always great about actually fixing vulnerabilities in their plugins. That problem is on display with the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce. As we warned our customers on January 11, the developer had attempted to fix a vulnerability in the latest version, but had failed to accomplish that. We had also notified the developer of that problem and they prepared a fix the next day. The fix has yet to be released, though.
That sort of problem makes having accurate data about vulnerabilities in WordPress plugins important. That often isn’t what you get from data providers. Take WPScan, which markets itself on its homepage as being “like having your own team of WordPress security experts.” On January 20, they told their customers about this vulnerability and said it was a high severity vulnerability. The big problem with their information is that they said it was fixed:
What they also said is they hadn’t verified this:
What? That hardly seems like what a team of security experts would do, considering that it is a common problem for developers to fail to actually fix vulnerabilities.
What happened here is that WPScan copied the inaccurate claim that this had been fixed from another source, instead of doing their own work. Just to make things a bit odder, they copied the data from one source, Wordfence, but attributed it to another, Patchstack. Their description of the issue is lifted directly from Wordfence, and the publication date they list is the date Wordfence published it, not the date Patchstack did, which makes it obvious where the data came from.
Another issue here is that on their homepage, right after the team of experts claim, they say that you will “Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes” with their service. According to their own data, information on this vulnerability was published 8 days before they added it:
Being first isn’t always best, but claiming that you are first when you know you are not, and getting things wrong even with extra time, seems like it should be a big problem.