16 Jan

Defender Pro WordPress Plugin Flags Harmless Code in Plugin While Missing Actual Vulnerability

The most recent version of the plugin WP-Stateless was flagged by monitoring we do for a couple of reasons, and in looking into those we got yet another reminder of the better results that come from us doing the work that others in the security space don’t do, which leaves their customers at a large disadvantage (and if [Read more]

11 Jan

The Mess that is Imperva’s Claim That WordPress Vulnerabilities Tripled in 2018

A good rule of thumb based on what we have seen over the years is that stats on security are probably not accurate. So it isn’t surprising that when we looked into a claim by a company named Imperva that WordPress vulnerabilities tripled in 2018, it was a mess, but that hasn’t stopped security journalists [Read more]

17 Dec

WordPress Plugin Directory Team Closes Plugin Due to Fake Vulnerability Report

When it comes to the inappropriate behavior of the moderators of the WordPress Support Forum that has led to us fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, that inappropriate behavior often has the effect of covering up problems created by those on the WordPress side of things. Whether they are intending to [Read more]

13 Dec

The Strange Behavior of Moderators of the WordPress Support Forum Continues With Response to Our Protest

When it comes to the inappropriate behavior on the part of the moderators of the WordPress Support Forum that led to us fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, one thing that stands out is how strange so much of it is. If the moderators were, say, being paid off to delete [Read more]

12 Dec

WordPress Team Stops Warning to Developer of Vulnerability in Plugin While Probing for Usage of the Plugin Has Already Begun

Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up and are only trying to notify the developer through the WordPress Support Forum. That creates more of a problem if the vulnerabilities are likely to be exploited, like the arbitrary file viewing vulnerability we disclosed yesterday [Read more]

10 Dec

WPScan Vulnerability Database Weeks Behind in Warning About Exploited Vulnerability in WordPress Plugin

On Friday we noted that during the month of November we not only added many more new vulnerabilities in WordPress plugins to our data set than the widely used WPScan Vulnerability Database (50 to 11), but we actually disclosed more vulnerabilities ourselves than they added in total during the month (21 to 11). Considering that [Read more]

07 Dec

WordPress Support Forum Moderator Thinks Hiding Security Issues Is Bad and Good at the Same Time

When it comes to the mess that is the moderation of the WordPress Support Forum, a central problem is that the moderators seem unwilling to allow people to discuss things that disagree with their beliefs. For example, last week we mentioned how at first replies were deleted and then a whole topic was closed [Read more]

30 Nov

Samuel “Otto” Wood Keeps Making it Seem Like He Wants WordPress Websites to Be Unnecessarily Hacked

On October 29th we detailed a vulnerability that had been fixed in the plugin AMP for WP – Accelerated Mobile Pages and started warning our customers if they were using a vulnerable version. What made this problematic was that while there was a fixed version available, since the plugin was closed, people could not use [Read more]