20 Jul 2017

More of Planet Zuda’s Troubling Handling of Claimed Security Vulnerabilities in WordPress Plugins

Last week we looked at a claim by the web security company Planet Zuda of a severe vulnerability in a popular WordPress plugin, which seemed at best to be them not fully looking into the issue before making an untrue claim as to its severity. The next day they put out another post making a similar claim about an even more popular plugin, SiteOrigin Widgets Bundle. Once again they are also selling a version of the plugin that is supposed to be patched, which possibly violates multiple laws. Also, once again there was no mention that they had notified the developer of the plugin about the vulnerabilities. This time, though, they didn’t provide any details of the claimed vulnerabilities, so neither we nor anyone else could independently review their claim.

Here is how they described the claimed vulnerability: