24 Apr 2025

WordPress Security Plugin Claims to Detect Vulnerabilities in Plugins, but Doesn’t Have That Capability

As part of a very common theme when it comes to WordPress, we found that the developer of a security solution isn’t being honest. In this case, the developer of a security plugin is claiming it detects vulnerabilities in plugins even though it clearly doesn’t.

The plugin is Safe Sites and here are the relevant claims in the WordPress Plugin Directory listing for the plugin about checking for vulnerabilities:

  • Plugin & Theme Security – Detect vulnerabilities in plugins and themes and receive alerts.

Plugin & Theme Security:

  • Vulnerability Scanner – Check for known security flaws.

We were curious what the source of the vulnerability data for this plugin was, so that we could add a warning to our Plugin Security Scorecard if it was a known unreliable source and the plugin’s developer wasn’t disclosing that.

When searching for code that would query a data source, we didn’t find any. That was explained by the code we did find. In the file /includes/Admin/RegisterAdmin.php is what should be the starting point of that code:

// 3. Check for known vulnerabilities
$vulnerability_check = $this->check_plugin_vulnerabilities($plugin_slug);
$safety_results['vulnerabilities'] = $vulnerability_check;

That would pass the slug of a plugin to the function check_plugin_vulnerabilities(). Here is the code for that function:

private function check_plugin_vulnerabilities($plugin_slug) {
	// Check against WPScan API or local vulnerability database
	$known_vulnerabilities = [];

	// Simulate vulnerability check (replace with actual API call)
	return [
		'status' => empty($known_vulnerabilities),
		'vulnerabilities' => $known_vulnerabilities,
		'message' => empty($known_vulnerabilities)
			? 'No known vulnerabilities found'
			: 'Known vulnerabilities detected'
	];
}

One of the comments tells the story: “Simulate vulnerability check (replace with actual API call).” The $plugin_slug parameter is never used and $known_vulnerabilities is always an empty array, so the function reports “No known vulnerabilities found” for every plugin it is asked about. The code is simply a placeholder that doesn’t actually do any checks.
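For comparison, here is what a check of this kind needs in order to actually do something. This is an added example written for this post, not code from the Safe Sites plugin: it takes the installed version of the plugin, queries a data source through an injected callable, compares versions with version_compare(), and, importantly, returns a separate “could not check” outcome instead of reporting a clean result when the data source is unavailable. The function name is kept from the plugin’s code; the result constants, the advisory shape (an id plus a fixed_in version), the callable, and the sample feed are all constructed for the example.

```php
<?php
// Added example, not the Safe Sites plugin's code. Shows the shape a genuine
// check_plugin_vulnerabilities() needs: an installed-version input, a real
// data-source query, a version comparison, and a distinct "unknown" outcome
// rather than silently reporting "no known vulnerabilities".

final class VulnerabilityCheckStatus {
    public const CLEAN      = 'clean';      // checked, nothing affects this version
    public const VULNERABLE = 'vulnerable'; // checked, at least one advisory applies
    public const UNKNOWN    = 'unknown';    // data source unreachable: NOT a clean result
}

/**
 * $fetch_advisories is a callable (string $slug): ?array. It returns a list of
 * advisories for the slug (possibly empty), or null when the source could not
 * be reached. Each advisory is ['id' => string, 'fixed_in' => ?string].
 * The advisory shape and the callable are assumptions for this example; in a
 * real plugin the version would come from the plugin header and the callable
 * would wrap an HTTP client or a local database.
 */
function check_plugin_vulnerabilities(string $plugin_slug, string $installed_version, callable $fetch_advisories): array
{
    $advisories = $fetch_advisories($plugin_slug);
    if ($advisories === null) {
        return [
            'status'          => VulnerabilityCheckStatus::UNKNOWN,
            'vulnerabilities' => [],
            'message'         => "Vulnerability data source unavailable; {$plugin_slug} was not checked",
        ];
    }

    $affecting = [];
    foreach ($advisories as $advisory) {
        $fixed_in = $advisory['fixed_in'] ?? null;
        // An advisory with no fixed release affects every version; otherwise it
        // affects versions strictly below the release that fixed it.
        if ($fixed_in === null || version_compare($installed_version, $fixed_in, '<')) {
            $affecting[] = $advisory;
        }
    }

    $count = count($affecting);
    return [
        'status'          => $count === 0 ? VulnerabilityCheckStatus::CLEAN : VulnerabilityCheckStatus::VULNERABLE,
        'vulnerabilities' => $affecting,
        'message'         => $count === 0
            ? "No known vulnerabilities found for {$plugin_slug} {$installed_version}"
            : "{$count} known advisory(ies) affect {$plugin_slug} {$installed_version}",
    ];
}

// Constructed sample feed standing in for a real advisory source.
$sample_feed = [
    'example-plugin' => [
        ['id' => 'EXAMPLE-0001', 'fixed_in' => '2.0.0'],
        ['id' => 'EXAMPLE-0002', 'fixed_in' => null], // unfixed: applies to all versions
    ],
];
// A slug absent from the feed has no known advisories, which is different from
// the feed itself being unreachable.
$fetch_from_sample = function (string $slug) use ($sample_feed): ?array {
    return $sample_feed[$slug] ?? [];
};
$fetch_from_dead_source = function (string $slug): ?array {
    return null; // simulates a network failure or an expired API token
};

// Usage with constructed slugs and versions:
print_r(check_plugin_vulnerabilities('example-plugin', '1.9.0', $fetch_from_sample));      // vulnerable (both advisories)
print_r(check_plugin_vulnerabilities('example-plugin', '2.0.0', $fetch_from_sample));      // vulnerable (EXAMPLE-0002 only)
print_r(check_plugin_vulnerabilities('another-plugin', '1.0.0', $fetch_from_sample));      // clean
print_r(check_plugin_vulnerabilities('example-plugin', '1.9.0', $fetch_from_dead_source)); // unknown
```

The point of the third status is the one the placeholder gets wrong: a scanner whose data source is missing, unreachable or unconfigured must say so, because a “no known vulnerabilities” message that can be produced without consulting any data is indistinguishable from a real clean result to the site owner reading it.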

Unfortunately, the people running the WordPress Plugin Directory don’t seem to care that security plugins, even extraordinarily popular ones, are dishonest about their capabilities.
