Login

Tag Archives: CWIS Antivirus Scanner

6 Feb 2017

If You Used Our Service You Would Already Know About the Security Vulnerability That Has Been in Contact Form DB

Back in 2012, years before we started this service we noticed a couple of big problems with how security issues in WordPress plugins were being handled. The first one was that there were many vulnerabilities that existed in the current versions of plugins that had been publicly disclosed, but the plugin remained available in the Plugin Directory. The second was that when a vulnerability in a plugin was reported to the Plugin Directory the plugin was removed from it, protecting any websites not already using the plugin from the vulnerability, but websites already using it were not given any notice of the vulnerability, leaving them vulnerable.

In the present the first problem would likely still largely exist if wasn’t for us making sure that developers and the Plugin Directory are notified when unfixed vulnerabilities are disclosed. The second problem still exists despite it being indicated years ago that a solution would be forth coming, a more recent explanation of why that hasn’t happened doesn’t make sense. [Read more]

8 Dec 2016

CWIS Antivirus Scanner Can Also Leave You Unaware That You Are Still Vulnerable To Plugin Vulnerabilities

Yesterday we discussed a couple of recent instances where WordPress plugins were reported to have vulnerabilities that were fixed by discovered and those vulnerabilities were added to WPScan Vulnerability Database with the vulnerabilities listed as be fixed. But in both cases when we actually tested out the vulnerabilities as part of our adding them to our own vulnerability data, we found that the vulnerabilities had not actually been fixed. Those instances were a reminder of the need to actual check if vulnerabilities have actually been fixed (those two instances are by no means the only times that has happened) and reminder that isn’t something that happens with data included in the WPScan Vulnerability Database, which is used in a number of services and plugins. It turns out they were not the only ones that incorrectly listed one of the vulnerabilities as being fixed.

Last month we looked at a new source of vulnerability data in WordPress plugins, the plugin CWIS Antivirus Scanner, and found that they were including false reports of vulnerabilities in plugins in their data. Just as we came across it the first time, through our monitoring for updates to plugins that might be related to a security fix, a more recent update for the plugin popped up with that and one of the new listings was: [Read more]

21 Nov 2016

CWIS Antivirus Scanner Plugin Spreading False Reports of Vulnerabilities In WordPress Plugins

One of the things we state about our service is that we provide our customers with the best data on vulnerabilities in WordPress plugins. To show an example what difference that makes let look at a recently created plugin that also provides data on plugin vulnerabilities.

The plugin is named CWIS Antivirus Scanner, which we became aware of it severals day ago due to our monitoring of updates made to plugins that might be related to a security fix (so that we can include more vulnerabilities that are not otherwise disclosed in our data). An update to that plugin showed up in that. Just by looking over the vulnerabilities added in that update we could already see the data provided was of poor quality. One of the vulnerabilities listed was a claimed cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin Newsletter, which, according to wordpress.org, has 200,000+ active installs. [Read more]