5 Apr 2023

Our Firewall Plugin Caught That SQL Injection Vulnerability Tenable Discovered Hasn’t Actually Been Fixed

Last month, security provider Tenable claimed that an authenticated SQL injection vulnerability had existed in the WordPress plugin ReviewX and was fixed in version 1.6.4. It turns out the vulnerability hasn’t been fixed.

The CVE system allowed Tenable to create a CVE ID for this, CVE-2023-26325, and didn’t check to make sure the claims were accurate

9 Jan 2023

CVE’s Process for Disputing a Claimed Vulnerability is Currently Broken

Security journalists, for reasons that are not entirely clear, treat issuance of a CVE identifier for a claimed security vulnerability as a sign of significance and legitimacy. Take the start of an Ars Technica story from several months ago:

It sounds like something out of an urban legend: Some Windows XP-era laptops using 5400 RPM spinning hard drives can allegedly be forced to crash when exposed to Janet Jackson’s 1989 hit “Rhythm Nation.”

17 Nov 2022

CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier for vulnerabilities:

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

16 Nov 2022

CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers

CVE is a program that is supposed to provide unique identifiers for vulnerabilities. As we will get to shortly, it is also a path for directing software vulnerability reports away from developers and to at least one security company that sells non-public information on vulnerabilities to any hackers willing to pay for it.

The footer of the website for the CVE program claims that it is sponsored by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):

4 Nov 2022

CVE Numbering Authority VulDB Falsely Claimed That 800,000+ Install WordPress Plugin Contained Vulnerability

Yesterday, a topic was created on the WordPress Support Forum about a claimed vulnerability in the WordPress plugin The Events Calendar with the message:

VulDB published an advisory concerning a vulnerability in The Events Calendar plugin, at https://vuldb.com/?id.212632.

10 Oct 2022

WordPress, Automattic’s WPScan, Patchstack, and CVE Make Mess of Unfixed Vulnerability in WordPress Plugin

The two most recent support forum topics for the 30,000+ install WordPress plugin Kraken.io Image Optimizer are about a claimed security vulnerability in the latest version of the plugin:


30 Sep 2022

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What may have started the closure was a claim by a competing plugin, Wordfence, that WP Cerber contained a vulnerability.

Here is how Wordfence described the issue:

4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack, which has 5+ million installs according to wordpress.org. Recently another part of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability, even though that vulnerability does not appear to exist. That isn’t the only recent instance of that happening.

Recently they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is the whole sentence, they keep missing periods at the end of sentences):

29 Apr 2022

Wordfence Doesn’t Appear to Understand the Security Implications of a Backup Plugin

A little over a month ago we noted that Automattic’s WPScan didn’t appear to understand the concept of a backup plugin, as they claimed that the 4+ million install WordPress backup plugin All-in-One WP Migration contained a vulnerability that:

allows administrators to upload PHP files on their site