3 Apr 2019

PHP 7.1 Stops Some Improper Usage of wpdb::prepare() Function

Unlike any other data source on vulnerabilities in WordPress plugins that we are aware of, we actually test out claimed vulnerabilities before adding them to our data set (though, as Wordfence shows, people will lie about doing that sort of thing). That involves a fair amount of work, but it produces much better results: other data sources falsely claim that vulnerabilities that haven't been fixed have been fixed, and they include false reports of vulnerabilities. One issue that has come up more frequently in that testing recently is dealing with results that vary with the test environment.

We were recently rechecking a plugin to see if a new version had fixed a vulnerability. At first it looked like it had, but in reality, with the Gutenberg editor enabled, the plugin's input fields were not being saved at all, so what initially looked like malicious code being properly removed turned out, on further testing, to be the input never being saved. When using the Classic editor the malicious code would still be saved.