23 Dec 2021

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, Sucuri. It seems like if a web host owns a major security provider they should have a good handle on security, not fail to handle the basics, as the breach showed.

For those knowledgeable about security, the apparent incongruity really wasn’t surprising, since Sucuri has always been run by people that don’t seem to have much grasp on security. That could be seen again in a post earlier this week about vulnerabilities recently fixed in a popular WordPress plugin, All in One SEO. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

3 Dec 2021

Customers of WPScan and Patchstack Were Far From the First to Know About Exploited Plugin Vulnerability

Last week we looked at an instance where the Wordfence Security plugin and Wordfence Premium service failed to provide protection against a WordPress plugin vulnerability until four days after it was publicly discussed that the vulnerability had already been exploited. That is despite the Wordfence Premium service being marketed with the claim that it provides “real-time protection” and competing firewall plugins having delivered protection ahead of that. What we guessed might have explained why they belatedly responded in that situation draws in two other security companies in the WordPress space, which also do not appear to even try to deliver on how they market their services.

With one of our competitors in providing data on WordPress plugin vulnerabilities, the WPScan Vulnerability Database (now owned by Automattic), they claim at the top of their homepage that with their service you will “[b]e the first to know about vulnerabilities affecting your WordPress website”: [Read more]

9 Mar 2020

Fortinet’s FortiGuard Labs Is Putting Out Reports That Falsely Claim Vulnerabilities in WordPress Plugins Have Been Fixed

Recently, if you were relying on other sources for information on vulnerabilities in WordPress plugins you use, you would have seen it claimed that Envira Gallery Lite recently contained a vulnerability that was fixed in version 1.7.7.

Here is that on the CVE: [Read more]

6 Mar 2020

WordPress Plugin Directory Team Allowed Hackers Three Weeks to Exploit Vulnerability in Plugin with 60,000+ Installs

When it comes to security issues with WordPress plugins, the team running the WordPress Plugin Directory continues to make matters worse. One area where we have seen that occurring for some time (and where we have been criticized for taking action to protect our customers) is the closure of popular plugins with security issues. That occurred again recently with Brizy, which has 60,000+ installs. The WPScan Vulnerability Database belatedly warned about a vulnerability in the plugin yesterday with this timeline (we had warned any customers of our service that were impacted last month):

February 10th, 2020 – Report received & WP Plugins Team notified.
February 12th, 2020 – WP Plugin Team Investigating
February 12th, 2020 – v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 – Seeing probes checking for the issue
March 4th, 2020 – Contacted WP Plugin to have an ETA about re-opening the plugin
March 5th, 2020 – Plugin can not be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 – Issue disclosed, we recommend to remove the plugin until a new version is available and downloadable [Read more]

8 Nov 2019

The WPScan Vulnerability Database “Verified” False Report of Vulnerability in WordPress Plugin

In the past we have noted that among the many lies told by the company behind the Wordfence Security plugin is that data they take from the WPScan Vulnerability Database (without disclosing it as the source) was “Confirmed/Validated”. At the time they did that, that data source was explicitly stating that they were not verifying vulnerabilities. More recently they have claimed to do that, but as shown again with a claimed vulnerability in the plugin WP Google Review Slider, it turns out they are not actually doing that.

With the vulnerability they claim it is verified: [Read more]

18 Oct 2019

Not Really a WordPress Plugin Vulnerability, Week of October 18

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross Site Scripting in FooGallery, Popup Builder, and Soliloquy

Related claimed cross-site scripting vulnerabilities in the plugins FooGallery, Popup Builder, and Soliloquy involve a common cause of false reports of persistent cross-site scripting (XSS) vulnerabilities: people not understanding that WordPress allows users with the unfiltered_html capability to do the equivalent of XSS. In this case, if you follow the instructions, you find that you are entering the XSS code in the title of a custom WordPress post, which is permitted for users with the unfiltered_html capability, but is not permitted for those without it. [Read more]

2 Oct 2019

What Plugin Vulnerabilities Was Up to in September

If you want the best information and therefore the best protection against vulnerabilities in WordPress plugins, we provide you that through our service. Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during September (and what you have been missing out on if you haven’t signed up yet).

Paid customers of the service can suggest and vote on plugins to have a security review done by us (you can also order a review separately). This month we released details of our reviews of Redis Object Cache and Nginx Cache. [Read more]