In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do basic vetting, which they claim to Continue reading Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability
While reviewing a recent hacker attempt to try to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that a WordPress plugin contained a serious vulnerability. Continue reading Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of February 16
As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a Continue reading Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML
It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, Continue reading WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of January 26
Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:” This critical vulnerability has Continue reading Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of January 19
Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities Continue reading Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)
One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit, is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. Continue reading Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist
Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that claims the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where Continue reading Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability
Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins: There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” Continue reading Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability
There are many sources for data on WordPress plugin vulnerabilities. Or there appears to be. In reality, most sources are simply copying their data from the others. The results of that are often quite poor, which the providers simply deny. Continue reading Patchstack’s Plugin Vulnerability Data Continues to Not Be Impeccable Either
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of October 27
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of September 15
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of July 14
Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way: The plugin does not sanitise and escape some of its settings, which could allow high privilege users Continue reading Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About
Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent Continue reading Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of April 28
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of March 31