18 Oct 2024

WordPress Plugin Vulnerability Data Providers Are Failing to Warn About Unfixed Vulnerability In WordPress’ Latest Canonical Plugin WPGraphQL

On Wednesday of last week, we posted that WordPress’ latest canonical plugin, WPGraphQL, contained a vulnerability because the developer had not updated a third-party library bundled with the plugin in 18 months. We contacted the developer earlier the same day to alert them to that. We have yet to hear back from them, and neither the plugin nor the two other plugins from the same developer with the same issue has had a new version released to fix the vulnerability. We asked WordPress if they were going to take over the plugin, as they did with Advanced Custom Fields, to address that. We haven’t received any response.

Our customers have been warned about that vulnerability, but those relying on other providers for WordPress plugin vulnerability data are still in the dark. Those getting data from a provider other than us are almost always ultimately getting it from one of three sources. One of those, WPScan, is owned by Automattic, which is the new employer of the developer of WPGraphQL. WPScan isn’t warning about this:

Neither is Wordfence:

Or Patchstack:
