When it comes to getting data on vulnerabilities in WordPress plugins, there are a number of companies that are interested in making it appear they are generating that type of data without having to do the work it takes to provide it. They instead reuse data from the WPScan Vulnerability Database, sometimes without disclosing that it is the source and, in every instance we have seen so far, without providing a warning about the low quality of the data. As an example, here is what Wordfence’s plugin recently sent out to people using the plugin Sermon Browser:
The security industry has more than its fair share of snake oil and hucksters, which seems like it can be explained in part by the fact that people who don’t know and/or care about security can make claims that those more knowledgeable would never make. For example, somebody with a basic understanding of security wouldn’t claim their WordPress security plugin “stops you from getting hacked,” because a WordPress plugin would not have any chance of stopping certain types of attacks (yet somehow the most popular plugin makes this claim). Not only is security extremely complicated, but things are frequently changing, so you need to keep adjusting as new threats come about and existing ones change. Along those lines, we thought it important to share something we ran across yesterday about the abuse of a popular plugin’s intended functionality.
Fairly regularly we have found that reports of vulnerabilities in WordPress plugins turn out to be false. That doesn’t always stop developers from making changes to fix them as if they really existed (at the same time, developers often don’t fix real vulnerabilities). In many cases the change improves the plugin: it doesn’t fix a vulnerability, but what was allowed to occur before could be considered a bug. In other cases the change duplicates something already occurring in the plugin or WordPress, which increases resource usage slightly but doesn’t really make a major change. But as what happened recently with WP Job Manager shows, it is possible that such a change could have a negative impact.
Earlier today we looked at how the report of a vulnerability that was supposed to have been fixed in version 1.26.2 of the plugin WP Job Manager involved something that was not actually a vulnerability. There was a change made related to what was described in the report, but it just added additional protection on top of what was already in place.
As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them. The data on these false reports is also included in our service’s data.