17 May 2023

Vulnerability Assessments and Penetration Testing Are Not Essential for Addressing Security Risks on WordPress Websites

A recent SecurityWeek headline claimed that a Ferrari website was put at risk by a WordPress plugin: “WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers”. While a WordPress plugin was involved, it shouldn’t have been the focus of the headline. Instead, a failure by Ferrari to do basic security was the real cause of the issue.

The body of the story gets closer to the truth as it says that the vulnerable Ferrari website was “running a very old version” of the vulnerable plugin in question. How old? It doesn’t say. The closest it gets to that is mentioning a CVE id, CVE-2019-6715, which suggests this might be a vulnerability from 2019. The CVE record says that the vulnerability impacts versions “before 0.9.4”. Version 0.9.4 of the plugin was released on April 4, 2014. So Ferrari hadn’t updated the plugin in nine years. [Read more]

28 Oct 2022

Wordfence’s Alarmism on Display With “Exploit Atttempts”, Which Are Not Really Exploit Attempts

Last week we looked into a false claim made by WordPress security provider Wordfence that a plugin had contained a “critical” security vulnerability. In discussing that, we mentioned a concern someone had raised, in a separate situation, about Wordfence issuing alarmist warnings:

This is demonstrably alarmist, and poor advice considering that they have conceded to several different people that it is not a critical issue. So of course this damages Wordfence’s reputation for me. How do I know that they are not issuing alarmist warnings about other issues? [Read more]

19 Sep 2022

Wordfence and Security Journalists Are Again Creating FUD About the Security of WordPress Websites

Last week numerous news outlets ran scary-sounding stories about a claimed security issue in a WordPress plugin. Here are some of the headlines of stories that were included in Google News:

  • WordPress zero-day vulnerability compromised more than 280000 websites: Researchers
  • 280000 WordPress sites hacked by exploitation of CVE-2022-3180 – Web Hosting
  • Shocking Cyberattack by Hackers on 280000 WordPress Sites
  • Shocking cyberattack! 280000 WordPress sites attacked by hackers
  • Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
  • Zero-day in WPGateway WordPress plugin actively exploited in attacks
  • WordPress Plugin Vulnerability Abused in Zero-Day Exploit
  • WordPress zero-day vulnerability leads to 4.6 million attempted attacks on websites
  • WordPress plugin vulnerability leaves sites open to total takeover
  • Over 280000 WordPress sites may have been hijacked by zero-day hiding in popular plugin

The last one of those was from a TechRadar story written by Sead Fadilpašić. The sub-headline of the story was: [Read more]