via pluginvulnerabilities.com => original post link
Yesterday, the WPTavern ran a story with the headline “MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials” despite there not being a vulnerability. Instead, a competitor named Snicco had been successful in getting themselves press coverage with a false claim of a vulnerability in competing WordPress security plugins. Making the whole situation more unseemly, Snicco cites a situation that in reality highlights that not only does their very expensive plugin not deliver the claimed results but also that they appear to lack basic security knowledge.
WordPress Firewall Plugins Can Provide Unique Protection
That situation cited by Snicco involved a authenticated option update vulnerability that was widely exploited earlier this year, which had been in the WordPress plugin Elementor Pro. That vulnerability, like previously disclosed vulnerabilities of that type, was exploited to create new WordPress accounts with the Administrator role. There were a number of key takeaways from that situation that highlight issue with the security of WordPress websites and how that can be improved. [Read more]