If data providers for WordPress plugin vulnerability information want to keep up with vulnerabilities, one important place to monitor is the WordPress Support Forum. Today, doing that allowed us to warn our customers of a plugin with 8,000+ installs that contains malicious code in the current version of the plugin, which is still available in the directory. What that also shows is that other data providers are not providing accurate information to their customers, causing problems for them and plugin developers.

Recently we have noted many problems with the new Wordfence Intelligence Community Edition data on plugin vulnerabilities and we keep running into more examples. [Read more]

Yesterday, we highlighted some of the problems we found when looking at the data on plugin vulnerabilities coming from Wordfence’s new Wordfence Intelligence Community Edition. That is data they were previously trying to sell access to as part of something called Wordfence Intelligence and now are providing for free. We thought to check on another recent situation and found yet another serious problem, but not an all that surprising one, considering the generally poor quality of data on WordPress plugin vulnerabilities.

On October 21, the developer of the plugin Image Hover Effects introduced a change to a plugin with the commit message “fixed Vulnerability issue”. As at least one of our customers used that plugin, we checked over that and found that the plugin contained a serious vulnerability related to the change made, which hadn’t been fixed. That vulnerability would allow anyone logged in to WordPress to cause malicious JavaScript code to run on the website. We warned our customers and contacted the developer of the plugin about that the next day. The developer responded at the end of the month, saying that they were working to address that, but it still hasn’t been addressed. [Read more]