Not Really a WordPress Plugin Vulnerability, Week of January 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

GoDaddy/Sucuri’s FUD About New “Massive Campaign” Claimed to Involve Hacked WordPress Websites

The headline of the most recent post on the blog of GoDaddy’s security service, Sucuri, blares “Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network”, which was written by Denis Sinegubko. How massive? Not massive at …

Not Really a WordPress Plugin Vulnerability, Week of January 20

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

Cutting Through Wordfence’s FUD on Millions of Attack Attempts Against WordPress Websites

It isn’t uncommon to see comments online from people scared after a WordPress security solution, say, the Wordfence Security plugin, has alerted them that the solution has blocked a large number of hacking attempts. The best advice as to what …

Not Really a WordPress Plugin Vulnerability, Week of January 13

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

“New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old

Recently the security news outlet Bleeping Computer ran a story from Bill Toulas with the headline “New Linux malware uses 30 plugin exploits to backdoor WordPress sites”, but the only cited source for the story, Doctor Web, stated that it …

CVE’s Process for Disputing a Claimed Vulnerability is Currently Broken

Security journalists, for reasons that are not entirely clear, treat issuance of a CVE identifier for a claimed security vulnerability as a sign of significance and legitimacy. Take the start of an Ars Technica story from several months ago: It …

Wordfence Isn’t Telling the Truth About the Sourcing and Reliability of Their Plugin Vulnerability Data

As we have documented multiple times before, Wordfence is providing highly inaccurate information on vulnerabilities in WordPress plugins. We keep running into more examples of that. Earlier this week someone contacted the developer of a plugin about Wordfence’s claim that …

Not Really a WordPress Plugin Vulnerability, Week of January 6

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer. Here was WPScan, the original source for the claim:

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of that often get in the way and cause unnecessary problems (as well as other troubling behavior, including deleting …

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Privilege Escalation Vulnerability in Targeted Plugin

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked: Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Yesterday, we published a post about Patchstack’s false claim to know about hundreds of undisclosed zero-days, which, if true, would be a very serious issue. Instead, the “zero-days” are “Vulnerabilities reported to us which we are still processing and will …

Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Recently, we noted that the WordPress security provider Patchstack was marketing their service with a misleading claim to be providing “early alerts and protection”, where in one instance, they were only aware of a vulnerability two weeks after it was …

Wordfence Intelligence Community Edition Data Continues to Be a Mess

If data providers for WordPress plugin vulnerability information want to keep up with vulnerabilities, one important place to monitor is the WordPress Support Forum. Today, doing that allowed us to warn our customers of a plugin with 8,000+ installs that …

Matt Mullenweg’s WP Tavern Didn’t Allow Question on Significant State of the Word Related Security Issue

The heads of tech companies controlling the online conversation has been a big issue recently based on Elon Musk’s takeover of Twitter and subsequent actions. WordPress has a similar issue that doesn’t get much attention, probably explained, in part, because …

WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape and that at the same time, security companies are so obviously dishonest so often. That is something we frequently run across …

Wordfence Intelligence Community Edition Fails to Warn About Serious Vulnerability Because It Copies Inaccurate Data From WPScan

Yesterday, we highlighted some of the problems we found when looking at the data on plugin vulnerabilities coming from Wordfence’s new Wordfence Intelligence Community Edition. That is data they were previously trying to sell access to as part of something …

Wordfence Intelligence Community Edition Data Falsely Claims That Unfixed Plugin Vulnerability Was Fixed Twice

In what appears to be a significant setback for Wordfence, but promoted as “a gift to the community”, they announced they are now giving away data on vulnerabilities in WordPress plugins they have been trying to sell access to since …