How Our Data on WordPress Plugin Vulnerabilities Compares to the WPScan Vulnerability Database

When it comes to getting vulnerability data on WordPress plugins you have two main options, there is the data provided with our service and that from the WPScan Vulnerability Database, which is widely used (though often not disclosed as the source). While years ago we recommended WPScan’s data as a good option for a lot websites since it was available for free, over time the quality of their data has gotten worse and worse, making it irresponsible to recommend using that anymore.

Part of the quality issue is that they are not adding many vulnerabilities. In September for example, we added 79 new vulnerabilities, while they only added 25. Part of the reason for that low number is that they are missing many of the vulnerabilities we have discovered and disclosed, in September there were 33 we had done that with. Since we have frequently discovered vulnerabilities that are likely to go on to be widely exploited, missing those is going to leave users in the dark when they have the greatest need for this type of data. Amazingly, they are intentionally not including vulnerabilities we discover unless they can find someone who has copied our reports to cite instead of us, for reasons that don’t make sense.

For the vulnerabilities that they add what we have found is that they don’t do proper due diligence so they include false reports of vulnerabilities and also falsely claim that unfixed vulnerabilities have been fixed. What good is warning about vulnerabilities if you are incorrectly led to believe they have been fixed?