In reviewing reports of vulnerabilities in WordPress plugin to add to the data set for our service we have seen that the quality of those reports can be quite bad. From inaccurate data on vulnerabilities, including claims that a vulnerability has been fixed when it hasn’t, to what look to be intentionally fake reports of vulnerabilities, we seen it. The end result of us reviewing the reports is that we our able to provide our customers with a higher quality data, without the falsely labeling unfixed vulnerabilities as being fixed or including fake vulnerabilities, than the other data sources for plugin vulnerabilities out there, since they don’t actually review the vulnerabilities.

One of the reasons for the low quality reports is that people putting out vulnerability reports are not always concerned with being truthful and we saw a good example of that yesterday. Over at the 0day.today Inj3ct0r Exploit Database two vulnerability reports in WordPress plugins were added yesterday, one in the plugin Bliss Gallery and the other in Catpro Gallery.  We put out reports about those vulnerabilities back in June (the Bliss Gallery report is here and Catpro Gallery is here), so if you were using our service you would have been notified if you were using a vulnerable version of them back then. While it is certainly possible that someone else could have independently spotted these vulnerabilities, in this case the reports are just wholesale copies of content from out posts, without any attempt to hide that. They are not labeled as such though, instead the supposed author is “Thex@b1_Ma”, who lists their “Team” in the reports as the “Islamic State Army”. [Read more]

One of the important things we do when collecting vulnerability data in WordPress plugins for our customers is that we test out each vulnerability. That allows our customers to know what versions of the plugins are vulnerable, which can be rather important when dealing with a hacked websites, since it could be that an outdated version in use is not actually vulnerable since the vulnerability only existed in newer versions (vulnerabilities can exists in as little as a single version). It also allows us to identify when vulnerabilities have not actually been fixed, other similar service don’t do the same so you are left thinking you are protected against the vulnerability when you are still vulnerable. It also means that we don’t include false reports of vulnerabilities in our data set.

From dealing with plenty of hacked WordPress websites over the years we know the pain of digging through the vulnerability reports out there to try to identify the source of hacking, when the logging needed to most accurately identity the source of the hack is not available. Sometimes it is rather obvious that a vulnerability report you are looking at is false, other times it isn’t easy. While looking at a report of a serious vulnerability in the WP-DownloadManager plugin the other day we noticed that a websites that aggregates vulnerability reports, the 0day.today Inj3ct0r Exploit Database, is falsely labeling false reports of vulnerability as being verified to work. [Read more]