Microsoft Copilot Doesn’t Provide Accurate Information on Known Vulnerability in WordPress Plugin
AI has gotten a lot of attention for what it might mean for security, as well as just about everything else. We were curious to see how an AI chatbot would handle processing public information about the security of WordPress plugins and whether it would correctly warn that a plugin was known to be vulnerable. Our quick test involved Microsoft Copilot, which is accessible through Microsoft’s Bing search engine. We asked if the TablePress plugin was vulnerable. A web search could pull up our security scorecard for the plugin, which notes that, as of when it was checked in August, it was known to be vulnerable.
The results, which can be seen in full below, were interesting and not exactly surprising to anyone who takes a poor view of AI chatbots. In the four-question conversation (that was a limit set by Microsoft), Copilot identified two different vulnerabilities as being the latest vulnerability in the plugin. It cited what doesn’t appear to be a reliable source for part of that. It also seems possible that the cited source is itself AI generated. The most problematic part of the response was the BS. It claimed a vulnerability had existed in version 2.3.1 of the plugin and been fixed in the next version, 2.3.2. Its next response claimed the vulnerability had existed in version 2.4.1 of the plugin and been fixed in the next version, 2.4.2. The cited source matched the first set of versions mentioned.
Ultimately, it didn’t warn that the plugin was still known to be vulnerable. So an AI chatbot won’t replace relying on a reliable data source to warn about vulnerable plugins. But considering the widespread use of unreliable sources, and security providers’ unwillingness to disclose that the sources they use are not reliable, an AI chatbot might not be providing worse information than many people are getting now.
Conversation
Us:
Is the TablePress plugin for WordPress vulnerable?
Microsoft Copilot:
Yes, the TablePress plugin for WordPress has had some vulnerabilities. The most recent one, identified as CVE-2024-23825, involves a Server-Side Request Forgery (SSRF) vulnerability. This issue allows attackers to send requests to unintended network locations, potentially exposing internal data, including credentials, especially in cloud environments[1]. This vulnerability has been fixed in version 2.2.5[1].
If you’re using TablePress, it’s crucial to update to the latest version to ensure your site remains secure. Do you need help with updating the plugin or have any other questions about WordPress security?
Us:
Is the TablePress plugin for WordPress currently vulnerable?
Microsoft Copilot:
As of now, the TablePress plugin for WordPress is not known to have any current vulnerabilities. The most recent issue, a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2024-23825, has been addressed in version 2.2.5.
To ensure your site remains secure, it’s always a good practice to keep all plugins updated to their latest versions. If you need assistance with updating TablePress or have any other questions about WordPress security, feel free to ask!
Us:
This says that it is currently vulnerable https://www.pluginvulnerabilities.com/plugin-security-scorecard/?slug=tablepress . Is that not correct?
Microsoft Copilot:
Thank you for pointing that out. It appears there is a more recent vulnerability affecting the TablePress plugin. The latest issue, identified as CVE-2024-4354, involves a Server-Side Request Forgery (SSRF) vulnerability that affects versions up to and including 2.3.1[1]. This vulnerability allows authenticated attackers with author-level access and above to exploit the plugin[1].
To address this, the developers have released a patch in version 2.3.2[1]. If you’re using TablePress, I recommend updating to the latest version to ensure your site remains secure.
Do you need any help with updating the plugin or have any other questions about WordPress security?
Us:
That page says that version 2.4.1 is vulnerable, though.
Microsoft Copilot:
Thank you for pointing that out. It seems there is indeed a more recent vulnerability affecting TablePress. The latest issue, identified as CVE-2024-4354, involves a Server-Side Request Forgery (SSRF) vulnerability that affects versions up to and including 2.4.1[1]. This vulnerability allows authenticated attackers with author-level access and above to exploit the plugin[1].
To address this, the developers have released a patch in version 2.4.2[1]. If you’re using TablePress, I recommend updating to the latest version to ensure your site remains secure.
Do you need any help with updating the plugin or have any other questions about WordPress security?