Last week we mentioned in a post that security reviews of WordPress plugins would provide a good idea of how secure they are, but those reviews are rarely done. Just prior to writing that post, we ran across a security provider claiming to being do those reviews and a lot of them. That provider being CleanTalk. In checking in to if they were really doing reviews, we found their own plugin, Anti-Spam by CleanTalk, which they just claimed to do a review of and found no issues, contains easy to spot vulnerabilities because of a lack of basic security. That would have been caught by a real review. We found the same missing check in other plugins they claimed to have reviewed.

We have previously noted on our blog multiple instances where CleanTalk either was very confused about security or just being dishonest. In February, we noted that they had greatly overstated the risk of a vulnerability, seemingly, because they lack a basic understanding of securing web apps. In May, we noted they had made up a “critical” vulnerability in a plugin with 100,000+ installs. That same month, we noted they had claimed that a vulnerability in another 100,000+ install plugin had been fixed, when it hadn’t. [Read more]