ShieldPRO

So far this week we have covered both iThemes Security Pro and Wordfence Security falsely claiming that WordPress plugins contained vulnerabilities, which we became aware of through our monitoring of the WordPress Support Forum for discussions of new vulnerabilities in plugins. These seems to be a fairly widespread problem with WordPress security providers, as today yet another instance of it came up. This time with ShieldPRO from Shield Security. A topic was created yesterday claiming that a WordPress plugin named Admin Menu Editor contained a vulnerability: According to ShieldPRO, v1.10.3 of the Admin Menu Editor plugin has known security vulnerabilities : https://shsec.io/shieldvulnerabilitylookup?typeplugin&slugadmin-menu-editor&version1.10.3 In case you weren’t aware of this yet. The developer replied that the warning was for a different plugin with the same name: If you follow the “References” link in that report and then find the “Plugin page” link, you will see that the report is actually about a different plugin that, unfortunately, happens to have the same name as this one. The report does not apply to this plugin. That is an odd mistake to make, as not only can WordPress plugins have the same name, but plugins can have multiple different names over time (or even at the same time). The standard way to avoid that issue is to rely on the plugin's slug, which would be unique at least for plugins in the WordPress Plugin Directory, to identify relevant vulnerabilities for a plugin. If you look at the page that was linked to by the original poster, it lists the correct plugin's slug, admin-menu-editor: The reference mentioned in the developer's reply is from Patchstack, from which Shield Security gets their information from. Patchstack's URLs for vulnerability entries contain the slug of the plugin that the listing is for and here it is for the other plugin, admin-menu-restriction. So the mistake is on Shield Security's part. That Shield Security managed to get things wrong here might not be all that surprising considering that early this year we found that their firewall's protection has been broken and therefore failing to provide protection for months.

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: ShieldPRO

Shield Security’s ShieldPRO Also Falsely Claimed that WordPress Plugin Contains Vulnerability