
Wordfence Has Also Been Falsely Claiming That WordPress Plugins Contain Vulnerabilities

via pluginvulnerabilities.com

Yesterday and today we have been documenting an absolute mess in the WordPress security space. The developer of the Freemius library, which is widely used in WordPress plugins, was warned by us in February of last year of a security issue (there were multiple issues, some of which they resolved at the time), which they didn’t fix at the time and instead lied about us. Recently, they finally addressed it (with another security provider taking credit for discovering the issue). That was bad, but where things got a lot worse is that various security providers and their clients have been falsely claiming that WordPress plugins were still vulnerable due to this. In some cases, the plugins had already updated Freemius weeks ago to fix this and in others, the plugins didn’t even contain the library. So far, we have documented instances involving Patchstack, iThemes Security, WP Engine, WPScan, and Really Simple SSL. Considering their track record, it isn’t surprising that Wordfence was also a part of this.

Wordfence provides inaccurate plugin vulnerability data that is available to others and is also utilized by their very popular Wordfence Security Plugin.