Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

via pluginvulnerabilities.com => original post link

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in the last week with a false claim of a “critical” vulnerability in the current version of WooCommerce.

As we noted yesterday, Wordfence had claimed that there was a vulnerability in a version of WooCommerce, which they later admitted didn’t contain the vulnerability. This was caused in part by them not actually checking on a patch they claimed had been released in a certain version. There wasn’t a patch. Even after admitting that mistake, they still didn’t check to see if there really was a vulnerability. Instead, they, for some reason, thought that WooCommerce’s developer claiming that they had addressed the “potential for” a vulnerability meant there was a vulnerability. There wasn’t a vulnerability. Only the potential for one, as WooCommerce’s developer had clearly stated.