6 Apr 2023

Security Journalists Baselessly Claim Millions of WordPress Sites at Risk From Recent Vulnerability

Last week, a story from the news outlet Bleeping Computer about a recently fixed vulnerability in Elementor Pro ran under a headline claiming the plugin had 11 million installs: “Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs”. In the body of the story, the author Bill Toulas claimed that the plugin is “used by over eleven million websites”. No source was given for the claim, and a comment asking what the source was went unanswered.

Contradicting that, an Ars Technica story from Dan Goodin claimed it is “running on more than 12 million sites”. The headline of that story also emphasized millions of websites: “Hackers exploit WordPress plugin flaw that gives full control of millions of sites”. Again, no source was provided for the claim.

26 Apr 2019

The Hacker News Keeps Including Inaccurate Information in Their Stories

Yesterday we noted how the security news outlet The Hacker News had seemingly made up a figure for the number of installs of the WordPress plugin Social Warfare still using an insecure version when running a story based on an unreliable source, so maybe we shouldn’t be surprised to find them running with inaccurate information again shortly after that (with the same author behind both stories).

This time it involves an arbitrary file upload vulnerability in WooCommerce Checkout Manager that we warned about on Tuesday, after it was caught by our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities. Despite hackers probing for usage of the plugin since Wednesday, WordPress had taken no action until within the last hour. That probably isn’t surprising, since one of the six people running the Plugin Directory (who is also in charge of moderation of the WordPress Support Forum) has stated that leaving plugins they know contain unfixed, publicly disclosed vulnerabilities in the directory is “appropriate action”. You might think a story on that situation would bring up some of that, but The Hacker News story about the vulnerability is oddly silent on it.

25 Apr 2019

Security Journalists Can’t Even Successfully Repeat the Same Inaccurate Figure Related To Exploited WordPress Plugin

Yesterday we discussed inaccurate information coming from Palo Alto’s Unit 42 team that was then spread by the security news outlet Threatpost, related to the WordPress plugin Social Warfare. In looking around, we found that other security news outlets had also covered this and managed to put forward even more inaccurate information. Maybe that shouldn’t be surprising, since a journalist who did some due diligence should have concluded that the original information did not seem reliable, but it still speaks to the really poor state of security journalism that even when presenting inaccurate information, they are unable to present it accurately.

In Threatpost’s article, they accurately reflected Palo Alto’s Unit 42 team’s claim that “most” of the 42,000 websites they claimed were using the plugin were vulnerable: