Among the many lies told by Defiant, the company behind the very popular WordPress security plugin Wordfence Security, one that really stands out to us personally relates to something that, as far as we are aware, we uniquely do when it comes to collecting data on vulnerabilities in WordPress plugins. In response to a complaint about the data they use when trying to tell people whether an update to a plugin is a security update, they claimed to rely on “confirmed/validated” data for that. In truth, their source, the WPScan Vulnerability Database, explicitly notes that they haven’t verified the vulnerabilities in their data set. As far as we are aware, we are the only ones that actually do the work it takes to confirm and validate vulnerabilities, which provides our customers with higher quality data and doesn’t leave them unaware that vulnerabilities haven’t actually been fixed. We recently ran across an instance where the WPScan Vulnerability Database clearly didn’t do that work, though at first we thought that maybe we had missed something we should have noticed.
A week ago we put out a Vulnerability Details post with the details of a vulnerability in the plugin AMP for WP – Accelerated Mobile Pages, which had recently been closed on the Plugin Directory, so if you were already a customer of our service and using that plugin you would have been warned about that particular issue, as well as about the generally poor security of the most recently released version of the plugin. It looks like hackers are aware of that as well now, as yesterday we had a series of requests for files from the plugin that looked to be probing for usage of it:
This post provides the details of a vulnerability in the WordPress plugin AMP for WP – Accelerated Mobile Pages that was not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to customers of that service. If you are not currently a customer, you can sign up for free here and then view the contents of the post. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.