21 Jun 2016

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Remote Upload

For our data set of vulnerabilities we don’t just add any claimed vulnerability; we test each one before adding it. That takes considerably more time, but it produces much better data for our customers: we find that many vulnerability reports are false, others contain incorrect information (including claims that a vulnerability has been fixed when it hasn’t), and testing lets us tell customers exactly which versions are vulnerable.

In some cases we find that a vulnerability report is false but actually points to a real, related issue. One such case we just ran into involved a claim that the plugin Remote Upload had an arbitrary file upload vulnerability in version 1.2.1 and below. The problem with this report is that the plugin’s file upload capability is limited to Administrator-level users, and it isn’t really a vulnerability for them to upload arbitrary files given the capabilities they are already granted.
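The distinction matters because a capability check and a CSRF check answer different questions: the first asks who is making the request, the second asks whether that user meant to make it. The following is an added illustration written for this post; it is not Remote Upload’s code and does not describe how that plugin is written. It shows a generic WordPress admin-only upload handler twice: once with only a capability check, so an attacker can still get an Administrator’s browser to submit the form from a third-party page, and once with a nonce check added. All function, action and field names (example_upload_*, example_upload_action, example_upload_nonce) are hypothetical.

```php
<?php
// Added illustration, not Remote Upload's code. Two handlers for an
// admin-only upload form registered through admin-post.php. Both restrict
// the action to administrators; only the hardened one also verifies a
// nonce, so only the hardened one resists cross-site request forgery.
// All names below (example_upload_*, example_upload_action,
// example_upload_nonce) are hypothetical.

add_action('admin_post_example_upload_vulnerable', 'example_upload_vulnerable');
add_action('admin_post_example_upload_hardened', 'example_upload_hardened');

function example_upload_vulnerable() {
    // Capability check only. An anonymous attacker cannot call this, but a
    // logged-in administrator can be made to submit it from an attacker's
    // page (e.g. an auto-submitting form), because nothing here proves the
    // request originated from the plugin's own form.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', array('response' => 403));
    }
    example_store_upload($_FILES['file']);
    wp_safe_redirect(admin_url('admin.php?page=example-upload&done=1'));
    exit;
}

function example_upload_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', array('response' => 403));
    }
    // Nonce check. The token is bound to the logged-in user and the action
    // name, and a cross-origin page cannot read it, so a forged POST dies
    // here before any file is touched.
    check_admin_referer('example_upload_action', 'example_upload_nonce');
    example_store_upload($_FILES['file']);
    wp_safe_redirect(admin_url('admin.php?page=example-upload&done=1'));
    exit;
}

function example_store_upload($file) {
    if (empty($file) || !is_array($file)) {
        wp_die('No file submitted');
    }
    // wp_handle_upload() with test_form disabled because this is not the
    // core media form; it still applies WordPress's own file-type checks.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($file, array('test_form' => false));
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']));
    }
}

// The form that pairs with the hardened handler must emit the nonce field;
// without it, legitimate submissions fail check_admin_referer() too.
function example_upload_form_html() {
    ob_start();
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_upload_hardened">
        <?php wp_nonce_field('example_upload_action', 'example_upload_nonce'); ?>
        <input type="file" name="file">
        <?php submit_button('Upload'); ?>
    </form>
    <?php
    return ob_get_clean();
}
```

When testing a report like this one, the practical check is to strip the nonce field (or replay the request from a page on another origin while logged in as an Administrator) and see whether the handler still accepts the upload. If it does, the finding is a CSRF issue, not an arbitrary file upload, and it should be classified and rated accordingly.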