19 Mar

Other WordPress Plugin Vulnerability Data Sources Still Not Warning About Fixed or Unfixed Vulnerabilities in Easy WP SMTP

Today we have had a lot of traffic coming to our posts about the fixed and unfixed vulnerabilities in the plugin Easy WP SMTP. The likely explanation is what else we have been seeing today: in dealing with the cleanup of hacked WordPress websites over at our main business, and in other mentions of hacked websites, we are seeing indications that the option update vulnerability fixed in that plugin, and possibly the other recently fixed option update vulnerability impacting many plugins, are being exploited widely to change the WordPress option “siteurl” on websites so that requests are made to “getmyfreetraffic.com” (based on past experience with this type of vulnerability, that likely isn’t the only thing the hackers are doing with the vulnerabilities on those websites).

[Read more]

04 Mar

WPScan Vulnerability Database Fails to Credit Us, But Did Incorrectly Claim Plugin Had Been Fixed From Freemius Vulnerability

When it comes to information on security topics, whether in security journalism or elsewhere, what we have found is that incorrect information is often provided that someone could have seen was incorrect if they could check the original source for it, but the original source isn’t listed. That is the case with the WPScan Vulnerability Database’s entry, created on Friday, on the authenticated option update vulnerability in the Freemius library we discussed on Tuesday:

[Read more]

10 Dec

WPScan Vulnerability Database Weeks Behind in Warning About Exploited Vulnerability in WordPress Plugin

On Friday we noted that during the month of November we not only added many more new vulnerabilities in WordPress plugins to our data set than the widely used WPScan Vulnerability Database (50 to 11), but we actually disclosed more vulnerabilities ourselves than they added in total during the month (21 to 11). Considering that all the vulnerabilities we discover are publicly disclosed and you can even access a RSS feed just of them, it doesn’t speak highly of the quality of their data set to be missing them.

[Read more]

30 Nov

Not Really a WordPress Plugin Vulnerability – Week of November 30, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

[Read more]

19 Nov

The Data in the WPScan Vulnerability Database Is Definitely Not Confirmed/Validated

Among the many lies told by Defiant, the company behind the very popular WordPress security plugin Wordfence Security, one that really stands out to us personally is a lie that relates to something that, as far as we are aware, we uniquely do when it comes to collecting data on vulnerabilities in WordPress plugins. In response to a complaint about the data they use in trying to tell people whether an update to a plugin is a security update, they claimed to rely on “confirmed/validated” data for that. In truth their source, the WPScan Vulnerability Database, explicitly notes that they haven’t verified the vulnerabilities in their data set. As far as we are aware, we are the only ones that actually do the work it takes to confirm and validate vulnerabilities, which provides our customers with higher quality data and doesn’t leave them unaware that vulnerabilities haven’t actually been fixed. We recently ran across an instance where the WPScan Vulnerability Database clearly didn’t do that work, where we had at first thought that maybe we had missed something we should have noticed.

[Read more]

12 Oct

Not Really a WordPress Plugin Vulnerability – Week of October 12, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

[Read more]

04 Oct

The WPScan Vulnerability Database Is Missing a Lot of New Vulnerabilities

If you are looking for data on vulnerabilities in WordPress plugins you appear to have a lot of options, but in reality many sources just reuse data from the same source, the WPScan Vulnerability Database. The true source of the data is often not disclosed by the provider. Even when they are upfront about that, we have yet to see a provider that is also upfront about the major limitations of that data source. Sometimes things are worse, whether it is Wordfence (aka Defiant) falsely and baselessly claiming that the data is “official” and “Confirmed/Validated” or MainWP stating that “The Vulnerability database updates itself real-time so you don’t miss out on any vulnerabilities”. Updating in real time wouldn’t mean that you won’t miss out on any vulnerabilities, since that depends on the breadth of the data, not on how fast changes are applied. In reality you will miss out on many vulnerabilities.

[Read more]

01 Oct

It’s No Wonder Security Is In Such Bad Shape When the Security Community Doesn’t Understand the Basics of Vulnerability Types

One of the things you get when using our data on vulnerabilities in WordPress plugins, either through our long-time service or our new newsletters, instead of trying to do things on your own or using lower quality data sources, is that we actually check over the reports and provide accurate information on them. For a fair number of reports the original discloser has provided inaccurate information about the vulnerability (or there isn’t even a vulnerability).

[Read more]

28 Jun

Other Data Sources on WordPress Plugin Vulnerabilities Belatedly Add Vulnerability While Falsely Claiming It Has Been Fixed

When it comes to the problems with the security industry, one of the fundamental issues is the abundance of false and misleading claims about the capabilities of products and services. The breadth of that is on display in how often it occurs in our little piece of the industry, data on vulnerabilities in WordPress plugins, where among other issues you have a company falsely claiming their data set contains all known vulnerabilities despite not even being the one adding the most vulnerabilities, and Wordfence claiming the data they use only contains “Confirmed/Validated” vulnerabilities. On that latter front we recently came across another example of other data sources falsely claiming that a vulnerability had been fixed when it hadn’t. Getting that right seems like a critical element in providing this type of data, since correctly informing people about unfixed vulnerabilities seems like it would be the most important element. This time it involves a vulnerability that we had been warning our customers about for a month before the other data sources even added it to their data sets.

[Read more]