11 Dec 2023

Despite Having “Impeccable” WordPress Plugin Vulnerability Data, Wordfence Deletes False Claim of Unfixed Vulnerability in Gutenberg

Recently the CEO of Wordfence, Mark Maunder, responded to our noting that Wordfence’s data on WordPress plugin vulnerabilities is “often quite inaccurate and not a reliable source” by saying that their “data is impeccable.” To claim that their data is flawless is quite a statement to make. It would be one thing to say that they are trying to provide the best data or doing their best, but flawless is something else. They also claimed that we were a “well known industry troll” and “contribute nothing beyond vitriol.” So who was right there?

Last week, we discussed a strange situation where someone had claimed that there was a vulnerability in WordPress. The WordPress security team explained to them that there wasn’t a vulnerability, yet Wordfence and others were now claiming that there was a vulnerability in the Gutenberg plugin, but not in WordPress. If the issue described were a vulnerability, it certainly would be in WordPress. But as we mentioned, and as the WordPress security team had said before, it wasn’t a vulnerability. Wordfence’s claim was causing a fair bit of concern for those using both that plugin and Wordfence’s plugin. [Read more]

6 Dec 2023

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations where, unsurprisingly, no helpful information was being provided. Things have been slightly better on the WordPress support forum for the plugin, but there was still alarmist information. One topic is titled, “Security breach and vulnerability in all versions.” Wordfence, in turn, is citing Patchstack when making this claim. The reality is that there isn’t a vulnerability, something the WordPress security team told the original source of the claim, but which Wordfence and Patchstack have ignored.

While Wordfence and Patchstack are both claiming that this is an issue with the Gutenberg plugin, that isn’t what the original source they are citing says. Their post is titled “CVE-2022-33994:- Stored XSS in WordPress” and they start it this way: [Read more]