Wordfence and WPScan Falsely Claim Closed WordPress Plugin Contains Serious Vulnerability
We are currently looking into yet another problem with the handling of security by Awesome Motive and the Security Reviewer from the WordPress Plugin Review Team. In doing that, we ran across another example of the incredibly sloppy work done by prominent providers of data on vulnerabilities in WordPress plugins.
In January, the WordPress plugin SimpleMap Store Locator was closed on the WordPress Plugin Directory for an unspecified “security issue.”
Looking around, we found that WPScan, which is owned by Matt Mullenweg’s Automattic, claimed shortly afterward that the plugin contained an Unauthenticated Stored Cross-Site Scripting vulnerability, and published information about it publicly soon after that. If that issue really existed, it would be a very serious one, likely to be exploited unless something limited access to the vulnerable code.
They presented no evidence to back that up. You would expect either a proof of concept or the details of the relevant code, but they are missing. They did provide two references. One was to the exact same claim from Wordfence.
It is exactly the same down to the text of WPScan’s description being copied from Wordfence, which probably isn’t legal.
Like WPScan, Wordfence presents no evidence to back that up.
Wordfence, in turn, cites Patchstack as its source. Patchstack makes an unclear claim: that there was a Cross Site Scripting (XSS) vulnerability, without specifying which kind. They also claimed that the vulnerability is “expected to become exploited.”
Patchstack provides no evidence to check what is actually supposed to be at issue.
Going back to WPScan’s second reference, there is a very different claim. A CVE entry states that there is a Reflected XSS vulnerability in the plugin. That is vastly less concerning, as that type of vulnerability is highly unlikely to be exploited. There still isn’t any evidence to support even that claim in the CVE entry, though.
So you have WPScan copying inaccurate information from Wordfence that they inaccurately copied from Patchstack. That happened two months after the CEO of Wordfence, Mark Maunder, claimed that their data was “impeccable:”
Our data is impeccable. Our competitors do a pretty darn good job too. As do the many researchers contributing their time to create the data that populates these vulnerability databases.
Not only is it not true that their data is impeccable, they couldn’t even know whether it is, as they clearly are not vetting the information they copy from other providers. And the competitors doing “a pretty darn good job too” are in reality often simply copying Wordfence’s information or someone else’s.