This WordPress Plugin’s Readme.txt Doesn’t Really Have a Remote File Inclusion Vulnerability
When it comes to identifying security issues in WordPress plugins, we try to be very careful. The vulnerabilities in our service’s data set are based on vulnerabilities that we confirmed existed, which is something of enough value that others lie about having data that is handled that way. For our automated tool for detecting possible security issues, the Plugin Security Checker, we are careful to note that the issues identified are only possible issues, and we do a lot to avoid false positives with it. When we become aware of a false positive, we quickly work to fix it. Others in the WordPress security industry do not really seem to be all that concerned about the quality of the results of claimed security issues in WordPress plugins or elsewhere in WordPress websites. The problems, though, don’t just come directly from the security industry; web hosts are also a recurring issue with false claims of security problems in plugins, which is something that came up again in monitoring of the WordPress Support Forum for indications of security issues in WordPress plugins.
A topic was started there in the last day that indicated there might be a security issue with the readme.txt file from the plugin Zendesk Request Form: