17 May

Did Checkmarx Make Up Claimed High-Risk Vulnerabilities in Top WordPress e-Commerce Plugins?

Security journalism has been in rather bad shape for years, but at times it manages to be worse than others.

When it comes to coverage of WordPress what was a fairly popular line of stories years ago was to repeat claims by security companies that they had found a bunch of websites that had the same hack that were all running a certain outdated version of WordPress, with the implication of this that the hack was related to the WordPress version. When we would look into this we find problems from that websites were not all running the claimed version of WordPress or even running WordPress all, to vulnerabilities being cited as being in a certain version of WordPress actually being claimed vulnerabilities in plugins, to the blog of the security company where the claims were made running an even more out of date version of WordPress.

In recent years coverage has focused on vulnerabilities in WordPress plugins, which have actually existed, but in most cases are nowhere near as severe as the coverage would lead to believe (vulnerabilities in plugins that actually were severe often don’t get covered). It doesn’t appear that this change was due to security journalist requiring more proof before covering claims, instead it just seems to be have been happenstance as something that occurred late last year shows.

Back in late November the security company Checkmarx put out a report that they had found “high-risk vulnerabilities” in four WordPress plugins for eCommerce that could lead to “users of over 135,000 websites could find their personal data threatened by malicious parties or cyber criminals”. That lead to stories at Threatpost, SC Magazine, Computerworld, and Network World. At the time we noted that there wasn’t any actual evidence present to back up the claim and that it seemed entirely possible that vulnerabilities were not really severe. As SC Magazine wrote, the details, like what the name of the plugins was, would be released later:

Additional details on the vulnerabilities will be revealed only after the affected plug-in distributors have had an opportunity to respond to the disclosure, the company noted.

Recently we came across something else related to Checkmarx and that made us recall this. At that point we went looking to see if they had released any details of the vulnerabilities, we couldn’t find anything.

Several weeks ago we contacted the company to inquire where we could find the details of those vulnerabilities, we haven’t heard back.

Considering that it has been five months since they made the claims, there has been more than enough time for responsible disclosure, so we have to wonder if the vulnerabilities ever existed.