10 Sep 2019

SiteLock is Making the WPScan Vulnerability Database’s Low Quality Data Worse

One of the things that we believe leads to the poor state of security of WordPress, as well as of security more generally, is the amount of inaccurate and outright false information spread by those involved in security. That also creates unnecessary hassle for others. When it comes to our area of focus, the security of WordPress plugins, that is a constant issue. While we properly vet claimed vulnerabilities before adding them to our data set, if you are getting data elsewhere it likely comes from the WPScan Vulnerability Database, which is a data source whose maintainers don’t seem to be concerned about the accuracy of their data (or other things that seem important for providing what they claim to provide).

If they were even a little concerned about that, it seems hard to believe that what has happened with the plugin WooCommerce PayPal Checkout Payment Gateway would have occurred. They are currently claiming that plugin, which has 800,000+ installs according to wordpress.org, contains an unfixed vulnerability: [Read more]

12 Aug 2019

Exploitation of Simple 301 Redirects Connected Plugin is Another Reminder of How Our Service Keeps You Ahead of WordPress Plugin Vulnerabilities

When we say that our service provides the best data on vulnerabilities in WordPress plugins you are using, that isn’t just a marketing slogan. It is based on us continually comparing what we are doing to others and continually looking at how we can improve. An improvement that is just over a week old has already paid off, with our customers being warned well ahead of others about a vulnerability now being exploited in the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader.

Yesterday we had a lot of traffic coming to our website for content we have on a related plugin, Simple 301 Redirects, which usually indicates that something security related is occurring with it. Yet early last year we did a security review of that plugin and only found one minor issue among the things we checked for, so at least at that time it was rather secure. Monitoring we do and other information pointed to what was going on, as we had what looked to be a hacker probing for usage of the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader on our website by requesting this file: [Read more]

30 Jul 2019

The Developer of ND Shortcodes (ND Shortcodes For Visual Composer) is Not The Only One to Blame for Websites Being Hacked Due to It

Last Thursday we started warning any customers of our service using the plugin ND Shortcodes (ND Shortcodes For Visual Composer) that there were a couple of vulnerabilities in the plugin. We warned them on the basis of one of them being fixed in a new version with the changelog “Improved nd_options_import_settings_php_function function for security reasons” (the second vulnerability is related to the fixed one). Those not using our service were not so lucky, as the plugin was at the time, and remains, closed on the WordPress Plugin Directory, so it isn’t possible to update the plugin normally to protect against the fixed vulnerability (we are always available to help our customers update to a new version in a situation like that).

If you were relying on the main competing data source for vulnerabilities in WordPress plugins, the WPScan Vulnerability Database, even now you are not getting warned: [Read more]

26 Jul 2019

Here’s A Bit of the Real Cost of the WPScan Vulnerability Database’s Data

With our service we warn our customers if WordPress plugins they use contain publicly known vulnerabilities (many of which we have also discovered). When we warn them we have already confirmed that there is an issue, and we are available if they have any questions about dealing with the issue (say, if the plugin has been closed on the Plugin Directory, so they can’t update to a fixed version easily). With a competing data source, the WPScan Vulnerability Database, those things don’t happen and instead all sorts of unnecessary headaches are caused. We saw one such example yesterday.

In an email alert for the WordPress Support Forum, which we have set up to let us know about discussions possibly related to vulnerabilities in plugins, we got alerted to this message: [Read more]

17 Jul 2019

Of Course the WPScan Vulnerability Database is Promoting RIPS CodeRisk Scores

While looking to see if anyone had disclosed a vulnerability in a WordPress plugin we were looking into, we clicked on a Google search result for a competing data source for WordPress plugin vulnerabilities, the WPScan Vulnerability Database. Why Google returned this page as a result is unclear since the page is basically empty:

[Read more]

10 Jul 2019

WebARX Claims to “Protect Websites from Plugin Vulnerabilities”, but Doesn’t Even Have a Good Grasp of Them

When we mentioned the web security provider WebARX back in March, it was in the context of their service providing less protection against a WordPress plugin vulnerability than simply keeping plugins up to date, while they made it seem otherwise. That is a pretty big issue when their service is prominently promoted with the claim that it can “Protect websites from plugin vulnerabilities”, as can be seen on their homepage:

[Read more]

8 Jul 2019

The WPScan Vulnerability Database Keeps Telling People That Unfixed Vulnerabilities Have Been Fixed

Repeating a frequent recent pattern, once again when looking to see if the discoverer of a vulnerability in a WordPress plugin had put out a report on it, we instead found a competing data source for data on vulnerabilities in WordPress plugins, the WPScan Vulnerability Database, claiming a vulnerability had been fixed when it hadn’t. Compounding that problem, others repeated that claim, as they do with all of WPScan’s data, but without disclosing where the data is coming from or its well known quality control issues. This instance is also a good example of how security providers continuously looking to improve what they are doing, instead of continually failing in the same way, helps to improve other parts of what they do.

The changelog for the latest version of the plugin Gallery PhotoBlocks is “[Security] Fixed security issue”. Looking at the changes made in it, we saw what looked to be the fixing of a reflected cross-site scripting (XSS) vulnerability. That should have been something that could have been detected by our Plugin Security Checker, which is a tool that allows checking WordPress plugins for the possibility of some instances of security issues. So we ran the previous version of the plugin through that to make sure it picked that up, and found that there were two instances of that: [Read more]

5 Jul 2019

Sucuri, WPScan, and Others Incorrectly Claim Persistent XSS Vulnerability in WordPress Plugin with 500,000+ Installs Has Been Fixed

Two days ago the web security company Sucuri disclosed a vulnerability in the very popular WordPress plugin WP Statistics, which has 500,000+ active installations, and claimed it had been fixed. The post is fairly hard to follow and seems to mostly make a case that firewalls can introduce additional security risk, which is an odd argument for a provider of a firewall to make.

Considering Sucuri’s recent track record of getting basic details wrong when it comes to WordPress plugin vulnerabilities, including claiming that a vulnerability existed that didn’t and trashing a developer falsely, you can’t take their claims at face value. Their post makes it hard to follow what exactly the issue is, but more importantly it provides neither a proof of concept nor an explanation of how the vulnerability was supposed to have been fixed, so without doing additional work it isn’t possible to confirm whether what they claimed is correct. [Read more]

28 Jun 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in the WordPress Plugin MapSVG Lite

If you were already using our service you would know that the plugin MapSVG Lite isn’t secure, as there was an unfixed vulnerability disclosed at the beginning of the year. If you were relying on other data sources there is a good chance you wouldn’t know that, since the ultimate source of a lot of those, the WPScan Vulnerability Database, claims that it was fixed:

[Read more]

27 Jun 2019

The Quality of the WPScan Vulnerability Database’s Data Is Getting Worse and There Is No Longer a Good Way to Work Around That

In the past we recommended the data on vulnerabilities in WordPress plugins from the WPScan Vulnerability Database as a good free alternative to our service, as while the quality of the data was much lower, it was available for the right price for a lot of websites. More recently things have gotten worse, without a workaround for those relying on their data, so if you need access to this type of data our service is really the only good option.

One problem we have long seen with their data is that they would claim vulnerabilities had been fixed when they hadn’t. In the past you could double check if the vulnerability was fixed with a proof of concept included in their data or linked to, but often that now isn’t possible. Take this entry from yesterday for the plugin Ads for WP. Here is the totality of the details: [Read more]