The Data in the WPScan Vulnerability Database Is Definitely Not Confirmed/Validated
Among the many lies told by the company behind the very popular WordPress security plugin Wordfence Security, Defiant, one that really stands out to us personally is a lie that relates to something that, as far as we are aware, we uniquely do when it comes to collecting data on vulnerabilities in WordPress plugins. In response to a complaint about the data they use in trying to tell people if an update to a plugin is a security update, they claimed to rely on “confirmed/validated” data for that. In truth their source, the WPScan Vulnerability Database, explicitly notes that they haven’t verified the vulnerabilities in their data set. As far as we are aware we are the only ones that actually do the work it takes to confirm and validate vulnerabilities, which provides our customers with higher quality data and doesn’t leave them unaware that vulnerabilities haven’t actually been fixed. We recently ran across an instance where the WPScan Vulnerability Database clearly didn’t do that work, though we had at first thought that maybe we had missed something that we should have noticed.
Back on October 29 we wrote a post detailing an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin AMP for WP – Accelerated Mobile Pages, which had been fixed, but the plugin was closed on the Plugin Directory, so it wouldn’t have been easy to update to a fixed version (though we were available to help our customers do that). Then on November 5 we noted that hackers look to have already started probing for usage of the plugin, which was a concern since the plugin still had not been restored to the Plugin Directory.