24 Feb 2020

Vulnerability Details: Media Deletion in Comment Attachment

While dealing with the cleanup of a hacked WordPress website recently we noticed that the plugin Comment Attachment was closed on the Plugin Directory last year for an unexplained “security issue”. We couldn’t find any public report that would explain the closure. In looking over the plugin we found that it contained a vulnerability that would allow anyone to delete media uploaded through it.


3 Nov 2017

Not Really a WordPress Plugin Vulnerability – Week of November 3, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find reports of things that don’t appear to be vulnerabilities at all. For the more problematic reports we have been releasing posts detailing why the claims are false, but there have been a lot of others that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug than as a vulnerability. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out a weekly post, when that occurs, detailing those issues.

Full Path Disclosure in Inline Image Upload for BBPress

At the end of September we mentioned that the website WPCampus wasn’t properly crediting us when discussing things we had written, but we aren’t the only ones that is true of. Last week, in their post on plugin vulnerabilities, they credited Wordfence for discovering a vulnerability, but for the other claimed issue they discussed they left out any mention of the discoverer: