A Month Later, Other WordPress Plugin Vulnerability Data Providers Still Not Warning About Hacker Targeted Plugin With Unfixed Vulnerability
Earlier this week we mentioned that we had warned our customers about easily exploitable vulnerabilities in a WordPress plugin with 400,000+ installs nearly a month before other data providers did. But in that situation they at least were warning before we saw hackers probing for usage of the plugin. With another plugin recently targeted by hackers the situation is worse.
On May 26 we saw what look to be a hacker probing for usage of the WordPress plugin Modern Events Calendar Lite on our website. While there were older vulnerabilities that had been in plugin that might explain a hacker’s interest in that plugin, we checked over the plugin to see if there might be a vulnerability in the current version of the plugin that they could be targeting. Here is what we said at the time about what we found:
When we started to do that, we found not only a lot of code that looked insecure, but multiple vulnerabilities. It doesn’t look like past vulnerabilities have led to the developer securing the code, so we would recommend anyone using it, stop using it.
It’s now been over a month since that and the plugin remains vulnerable and remains in the WordPress plugin directory.
Those using our service and the plugin, were warned about the situation on the same day, May 26.
For those not using our service, the same can’t be said.
Recently we noted that the WordPress focused web host Pagely, had missed this, despite marketing themselves with the claim that “no one takes WordPress security more seriously than” them.
Another data provider, WPScan, markets themselves with this claim on their homepage:
Be the first to know about vulnerabilities affecting your WordPress website
Over a month after we warned about this situation, though, they still haven’t:
Part of that isn’t too surprising since, despite how they market themselves, they intentionally don’t warn people about vulnerabilities we have discovered, unless they can credit someone else for it (the reason they don’t, make even less sense than not warning about them). But even if they are excluding things that we find, they should have detected this going on, on their own, but they didn’t. If they are not doing that type of work, then they are not even trying to live up to how they market themselves.
The same lack of warning also holds true for Patchstack:
Plugin Security Scorecard Grade for Patchstack
Checked on March 5, 2025See issues causing the plugin to get less than A+ grade