15 Dec 2022

Wordfence Intelligence Community Edition Fails to Warn About Serious Vulnerability Because It Copies Inaccurate Data From WPScan

Yesterday, we highlighted some of the problems we found when looking at the data on plugin vulnerabilities coming from Wordfence’s new Wordfence Intelligence Community Edition. That is data they were previously trying to sell access to as part of something called Wordfence Intelligence and are now providing for free. We thought to check on another recent situation and found yet another serious problem, though not an all that surprising one, considering the generally poor quality of data on WordPress plugin vulnerabilities.

On October 21, the developer of the plugin Image Hover Effects introduced a change to the plugin with the commit message “fixed Vulnerability issue”. As at least one of our customers used that plugin, we checked over that change and found that the plugin contained a serious vulnerability related to it, which hadn’t been fixed. That vulnerability would allow anyone logged in to WordPress to cause malicious JavaScript code to run on the website. We warned our customers and contacted the developer of the plugin about it the next day. The developer responded at the end of the month, saying that they were working to address it, but it still hasn’t been addressed.

On November 16, another data provider, Automattic’s WPScan, warned about what appeared to be a different issue, which wasn’t even really a vulnerability, as an attacker would already need to be logged in to WordPress as an Administrator. They were holding back the proof of concept, so we and everyone else couldn’t double-check their claims there. Once the proof of concept was released, we could see that they were referring to the same issue, but had not verified the information, leading them to make it sound like this wasn’t really even a vulnerability. That runs counter to their claim to “figure out what kind of privilege is required to successfully exploit the issue”.

The situation also runs counter to their claims that you will “be the first to know about vulnerabilities affecting your WordPress installation, plugins” when using their service, that they have a “dedicated team of WordPress security experts”, and that they are “continually monitoring the web for new vulnerabilities”.

It isn’t a secret that their data isn’t accurate, so anyone adding information from their data set should check over everything themselves, as we do. Wordfence doesn’t (they are not alone in that). Here is their entry for that vulnerability:

The description matches what WPScan claimed, despite it being wrong:

The Image Hover Effects plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters on the settings page in versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

When Wordfence was promoting their data set for sale, they marketed it as being “actively maintained by some of the top WordPress vulnerability researchers in the industry”, which is hard to square with the reality of what is actually in the data set.
