Snyk is Claiming That Select2 JavaScript Library Contained XSS Vulnerability, It Was Actually in Its Documentation
As part of our continuing work on our Plugin Security Scorecard, we are working to expand the amount of security information we can provide on third-party libraries in WordPress plugins. One problem you run into when trying to do that is that, as with WordPress plugins, there is plenty of misinformation out there. That appears to be the case with a claim of a vulnerability in the Select2 library made by security provider Snyk.
We recently noticed that a WordPress plugin had a changelog indicating that the library had been updated to address an XSS (cross-site scripting) issue. When we checked the page that shows security advisories for the library on GitHub, there were no advisories. So either the developer hadn’t created an advisory for the issue or there wasn’t an issue.