08 Jul

The WPScan Vulnerability Database Keeps Telling People That Unfixed Vulnerabilities Have Been Fixed

Repeating a pattern we keep running into, when we went looking for the discoverer's report on a vulnerability in a WordPress plugin we instead found a competing data source, the WPScan Vulnerability Database, claiming the vulnerability had been fixed when it hadn't. Compounding the problem, others repeated that claim, as they do with all of WPScan's data, without disclosing where the data came from or its well known quality control issues. This instance is also a good example of how a security provider that keeps looking for ways to improve what it does, instead of failing in the same way over and over, ends up improving other parts of its work.

The changelog for the latest version of the plugin Gallery PhotoBlocks reads "[Security] Fixed security issue". Looking at the changes made in that version, we saw what looked to be a fix for a reflected cross-site scripting (XSS) vulnerability. That should be something our Plugin Security Checker, a tool for checking WordPress plugins for the possibility of some types of security issues, can detect. So we ran the previous version of the plugin through it to make sure it picked that up, and found that there were two instances of that: [Read more]
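As an added illustration of what a static check for the "possibility" of reflected XSS in a WordPress plugin looks for, here is a small Python heuristic. It is not the Plugin Security Checker, WPScan's tooling, or code from Gallery PhotoBlocks; the two PHP snippets it scans are constructed for this example (a typical unescaped echo of request data beside the same code using WordPress escaping helpers), and the function names are my own. It flags any request-controlled value that reaches an output statement without an escaping call still open around it, and it also follows the simple case of a variable assigned straight from `$_GET` and echoed later.

```python
"""Heuristic reflected-XSS check over WordPress plugin PHP source.

Added example, not the Plugin Security Checker or any WPScan code. Sample
PHP below is constructed; the Gallery PhotoBlocks source is not reproduced.
"""
import re

# Values an attacker controls in a reflected (GET/POST) request.
SOURCE_RE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"
    r"|\$_SERVER\s*\[\s*['\"](?:REQUEST_URI|PHP_SELF|QUERY_STRING|HTTP_REFERER)['\"]\s*\]"
)
# WordPress escaping helpers plus PHP built-ins. sanitize_text_field is
# deliberately absent: it strips tags but is not output escaping.
ESCAPE_RE = re.compile(
    r"\b(?:esc_html|esc_attr|esc_url|esc_js|esc_textarea|htmlspecialchars"
    r"|htmlentities|rawurlencode|urlencode|intval|absint)\s*\("
)
OUTPUT_RE = re.compile(r"\b(?:echo|print|printf|_e)\b|<\?=")
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.*?);")

# Constructed "before" sample: the kind of code a "[Security] Fixed security issue" release replaces.
VULNERABLE_PHP = r"""<?php
$page = $_GET['page'];
echo '<h2>Gallery: ' . $page . '</h2>';
echo '<input type="hidden" name="page" value="' . $_GET['page'] . '">';
echo '<a href="' . $_SERVER['REQUEST_URI'] . '">Reload</a>';
echo '<p>' . esc_html( $_GET['msg'] ) . '</p>';
"""

# Constructed "after" sample: every request value is escaped for the context it lands in.
FIXED_PHP = r"""<?php
$page = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
echo '<h2>Gallery: ' . esc_html( $page ) . '</h2>';
echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
echo '<a href="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">Reload</a>';
echo '<p>' . esc_html( $_GET['msg'] ) . '</p>';
"""


def _is_escaped(prefix: str) -> bool:
    """True if an escaping call opened somewhere in `prefix` is still unclosed at its end."""
    for m in ESCAPE_RE.finditer(prefix):
        depth = 0
        for ch in prefix[m.end() - 1:]:  # start at the call's "("
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        if depth > 0:
            return True
    return False


def _tainted_vars(php: str) -> set:
    """Variables assigned directly from a request source without an escaping call."""
    tainted = set()
    for var, rhs in ASSIGN_RE.findall(php):
        for s in SOURCE_RE.finditer(rhs):
            if not _is_escaped(rhs[: s.start()]):
                tainted.add(var)
    return tainted


def find_reflected_xss(php: str):
    """Return (line_number, source_text) for each unescaped request value in an output statement."""
    tainted = _tainted_vars(php)
    var_re = None
    if tainted:
        alts = "|".join(re.escape(v) for v in sorted(tainted, key=len, reverse=True))
        var_re = re.compile(r"(?:%s)\b" % alts)
    findings = []
    for lineno, line in enumerate(php.splitlines(), start=1):
        if not OUTPUT_RE.search(line):
            continue
        hits = list(SOURCE_RE.finditer(line))
        if var_re:
            hits += list(var_re.finditer(line))
        for h in sorted(hits, key=lambda m: m.start()):
            if not _is_escaped(line[: h.start()]):
                findings.append((lineno, h.group(0)))
    return findings


if __name__ == "__main__":
    for label, src in (("before", VULNERABLE_PHP), ("after", FIXED_PHP)):
        print(label, find_reflected_xss(src))
```

Running it reports three findings in the "before" snippet (the echoed `$page`, the `$_GET['page']` in the attribute, and the `$_SERVER['REQUEST_URI']` in the link) and none in the "after" snippet. The check is deliberately line-local and syntax-unaware, which is what makes it cheap enough to run across a whole plugin directory and also why a tool like this only reports the possibility of an issue; anything it flags still has to be confirmed by hand, and a taint path through a function call or a database round trip will not show up at all.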

06 May

What Plugin Vulnerabilities Was Up to in April

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service. Here is what we did during April to keep those already using our service secure from WordPress plugin vulnerabilities (and what you have been missing out on if you haven't signed up yet).

Paid customers of the service can suggest and vote on plugins to have a security review done by us (you can also order a review separately). This month we released details of our review of Shareaholic. [Read more]