How Our Data on WordPress Plugin Vulnerabilities Compares to the WPScan Vulnerability Database

When it comes to getting vulnerability data on WordPress plugins you have two main options: the data provided with our service and that from the WPScan Vulnerability Database, which is widely used (though not always disclosed as the source). While we think WPScan’s data is a good option for a lot of websites since it is available for free, as the old saying goes, you get what you pay for (we also provide data on vulnerabilities in plugins that hackers are targeting in the service’s companion plugin, so even if you haven’t signed up for the service yet you can get warned about those). Because vulnerability discoverers sometimes disclose their vulnerabilities through WPScan, we keep track of their data, and through that we have come to find a number of pretty serious issues with it. These are issues anyone using their data should be aware of and should consider when deciding what source to use.

Vulnerabilities Falsely Labeled as Fixed

Getting information on vulnerabilities in the plugins used on a website isn’t much good if you are told that a vulnerability has been fixed when it in fact still exists in the current version of the plugin. WPScan’s data on whether a vulnerability has been fixed is based on what is reported by the developer of the plugin and the discoverer of the vulnerability, which we have found is not always reliable. Because we actually test the vulnerabilities as part of adding them to our data, we often find that vulnerabilities have not actually been fixed (in some instances where WPScan’s data falsely listed a vulnerability as fixed, even the Plugin Directory had missed that it hadn’t been).

False Vulnerabilities Listed

WPScan doesn’t verify vulnerabilities before adding them, which we have found leads them to list vulnerabilities that don’t actually exist. In some cases that means you are falsely told that the plugin currently contains a vulnerability; in another case we found they marked a vulnerability as fixed while also stating “This is potentially a False Positive. Needs further investigation.” That report was very obviously false, so we don’t understand how they could think it was anything other than false.

Inaccurate Vulnerable Version Information

For most listings in the WPScan data the vulnerability is recorded as if every version below a certain version contains it, which is rather inaccurate, as many vulnerabilities only exist in some previous versions. In the case of a vulnerability in the plugin WP Mobile Detector, which received a fair amount of press coverage after we identified that hackers were targeting it, the vulnerability only existed in a single version of the plugin. We actually test the plugin to determine which versions are vulnerable and then include that in our data.

Having accurate version information matters more when assessing the possible source of a website hack, since with WPScan’s data you could be told that a vulnerability exists on the website when it doesn’t, leading you to an incorrect conclusion. If you care about the information you are providing to clients, you also wouldn’t want to be using inaccurate information.
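To make the difference concrete, here is an added example (our own illustration for this post, not code from either database) that checks an installed plugin version against the two ways of recording affected versions: a single “fixed in” boundary, where everything below it counts as vulnerable, and an explicit list of the versions confirmed to contain the flaw. The plugin release history, the fixed-in value and the affected versions are constructed for the example and do not describe WP Mobile Detector or any real plugin.

```python
"""Compare two ways of recording which plugin versions a vulnerability affects.

Added example, not code from the original post or from either vulnerability
database. The version numbers, fixed-in value and release history below are
constructed for illustration and do not describe any real plugin.
"""
import re
from typing import Iterable, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted plugin version such as "3.5.1" into comparable integers.

    A suffix after a hyphen (e.g. "3.6-beta") is ignored; versions in the
    WordPress Plugin Directory are almost always plain dotted numerals.
    """
    parts = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b (3.5 < 3.5.1 < 3.6 < 3.10)."""
    return parse_version(a) < parse_version(b)


def vulnerable_by_fixed_in(installed: str, fixed_in: str) -> bool:
    """Boundary rule: every version below fixed_in is treated as vulnerable."""
    return version_lt(installed, fixed_in)


def vulnerable_by_affected_set(installed: str, affected: Iterable[str]) -> bool:
    """Explicit rule: only versions confirmed to contain the flaw are vulnerable."""
    affected_parsed = {parse_version(v) for v in affected}
    return parse_version(installed) in affected_parsed


def compare_rules(installed: str, fixed_in: str, affected: Iterable[str]) -> dict:
    """Return both verdicts and whether the boundary rule over-reports this version."""
    by_range = vulnerable_by_fixed_in(installed, fixed_in)
    by_set = vulnerable_by_affected_set(installed, affected)
    return {
        "installed": installed,
        "fixed_in_rule": by_range,
        "affected_set_rule": by_set,
        "false_positive": by_range and not by_set,
    }


# Constructed data: a hypothetical plugin whose flaw was introduced in 3.5 and
# removed in 3.6, so only 3.5 and 3.5.1 ever contained it.
FIXED_IN = "3.6"
AFFECTED = ["3.5", "3.5.1"]
RELEASE_HISTORY = ["3.3", "3.4", "3.4.2", "3.5", "3.5.1", "3.6"]


def false_positive_versions(history: Iterable[str] = RELEASE_HISTORY,
                            fixed_in: str = FIXED_IN,
                            affected: Iterable[str] = AFFECTED) -> List[str]:
    """Versions the boundary rule flags even though they never contained the flaw."""
    return [v for v in history if compare_rules(v, fixed_in, affected)["false_positive"]]


if __name__ == "__main__":
    for v in RELEASE_HISTORY:
        print(compare_rules(v, FIXED_IN, AFFECTED))
    print("over-reported by the fixed-in rule:", false_positive_versions())
```

Run against the constructed history, the boundary rule reports 3.3, 3.4 and 3.4.2 as vulnerable even though the flaw was only ever present in 3.5 and 3.5.1; a site still on 3.4.2 that was hacked would be pointed at the wrong cause. A version check fed from the explicit list agrees with the boundary rule only for 3.5, 3.5.1 and the fixed release.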

Missing New Vulnerabilities

One of the oddest issues we have found with WPScan’s vulnerability database is that they are adding fewer new vulnerabilities. We find that odd not only because it is easier for them to add vulnerabilities, since they don’t actually verify them, but also because in a couple of instances where we had disclosed sets of vulnerabilities they only included some of them. When we looked into this, we couldn’t come up with any plausible explanation of why some were included and others were not. The omissions were rather concerning because the first set were all easily exploitable and the second involved vulnerabilities in plugins we discovered after what looked to be a hacker probing for usage of the plugins.

The difference in how many vulnerabilities are added can be rather large: we found that in June we added three times as many previously undisclosed vulnerabilities as they did (and they were also missing the most serious ones).

WPScan Doesn’t Monitor for New Vulnerabilities Hackers Are Targeting

While our data set includes vulnerabilities that others have discovered, as WPScan’s does, we are also continuously monitoring what plugins hackers are targeting in order to spot newly discovered vulnerabilities. That has allowed us to spot numerous apparent zero-day vulnerabilities, that is, vulnerabilities being exploited before the developer of the plugin is aware of them. As we ramped up our ability to do that we were finding vulnerabilities that look to have been known to hackers for a long time, in some cases more than a year. So without us it looks like many of those vulnerabilities would still be in the plugins and still being exploited. We publicly disclose all of those vulnerabilities, as it is important for others to be able to review them, so WPScan could have them in their data at some point after we do, but as mentioned in the last section they have a spotty record of including vulnerabilities (that is a good reason to pair their data with our service’s companion plugin, since you will get notified about those even if you don’t use the service).
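The probing mentioned above, and in the previous section, is visible to any site operator in their own web server logs. The following is an added example (our own illustration for this post, not the monitoring our service runs) of the basic check: group requests for files under the plugin directory by plugin slug and report slugs the site does not have installed. It assumes probing shows up as requests for paths of the form `/wp-content/plugins/<slug>/…`, typically `readme.txt` since that file reveals the installed version, and that the server logs in the Apache/nginx combined format. The log lines, IP addresses and plugin slugs are constructed for the example.

```python
"""Spot requests that probe for WordPress plugins a site does not have installed.

Added example, not code from the original post and not the service's own
monitoring. Assumptions: probing appears as requests under
/wp-content/plugins/<slug>/ (readme.txt is the usual target) and the web
server writes combined-format access logs. All log lines, IPs and plugin
slugs below are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[A-Za-z0-9_-]+)/")

# Constructed site: two installed plugins; every other slug in the log is a probe.
INSTALLED: Set[str] = {"contact-form-7", "akismet"}

# Constructed access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2016:03:12:01 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2016:03:12:02 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2016:03:12:02 +0000] "GET /wp-content/plugins/example-uploader/readme.txt HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2016:04:40:13 +0000] "GET /wp-content/plugins/example-uploader/readme.txt HTTP/1.1" 404 221 "-" "python-requests/2.9"
198.51.100.7 - - [10/Jun/2016:04:40:14 +0000] "GET /wp-content/plugins/example-uploader/upload.php HTTP/1.1" 404 221 "-" "python-requests/2.9"
192.0.2.44 - - [10/Jun/2016:05:01:00 +0000] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 9001 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2016:05:01:30 +0000] "GET /wp-content/plugins/example-slider/readme.txt HTTP/1.1" 404 221 "-" "Mozilla/5.0"
"""


def plugin_requests(lines: Iterable[str]) -> Dict[str, Dict[str, set]]:
    """Group plugin-directory requests by slug: which IPs asked and for which paths."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: {"ips": set(), "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        p = PLUGIN_RE.match(m.group("path"))
        if not p:
            continue  # request was not for the plugin directory
        slug = p.group("slug")
        seen[slug]["ips"].add(m.group("ip"))
        seen[slug]["paths"].add(m.group("path"))
    return seen


def probed_plugins(lines: Iterable[str], installed: Set[str] = INSTALLED,
                   min_ips: int = 1) -> List[dict]:
    """Slugs requested although not installed, ordered by how many sources asked.

    The signal worth raising is a slug asked for by several unrelated IPs:
    it suggests a vulnerability in that plugin is being hunted across sites.
    """
    report = []
    for slug, info in plugin_requests(lines).items():
        if slug in installed or len(info["ips"]) < min_ips:
            continue
        report.append({"slug": slug, "sources": len(info["ips"]),
                       "paths": sorted(info["paths"])})
    report.sort(key=lambda r: (-r["sources"], r["slug"]))
    return report


if __name__ == "__main__":
    for entry in probed_plugins(SAMPLE_LOG.splitlines()):
        print(entry)
```

On the constructed log, `example-uploader` is requested by two different sources, one of which follows the `readme.txt` fingerprint with a request for a specific PHP file in the plugin, which is the pattern worth investigating; the two slugs asked for once each are lower priority but still worth keeping a count of over time. Requests for the installed plugins are ignored regardless of status, since they are indistinguishable from normal traffic in this view.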

With Us You Know If A Vulnerability Is One You Should Worry About

The threat that vulnerabilities in WordPress plugins pose varies widely, but unless you have a lot of experience dealing with them you are unlikely to know what should be a big concern and what really isn’t a concern. Unfortunately, all too often we see other security companies and the press inflate the threat of vulnerabilities as well. To help our customers better understand and make decisions regarding vulnerabilities, we have added to our data a rating of how likely each vulnerability is to be exploited.