In what appears to be a significant setback for Wordfence, but promoted as “a gift to the community”, they announced they are now giving away data on vulnerabilities in WordPress plugins they have been trying to sell access to since Continue reading Wordfence Intelligence Community Edition Data Falsely Claims That Unfixed Plugin Vulnerability Was Fixed Twice
The latest version of the WordPress plugin Download Monitor, which has 100,000+ installs, fixed a vulnerability, but the developer didn’t disclose that in the changelog. What makes the lack of disclosure stand out is that the developer had disclosed in Continue reading How to Properly Restrict Access to WordPress REST API Routes
When it comes to determining if a WordPress plugin is secure or not, there is a lot of bad advice out there, much of it coming from security companies you should be able to trust to give good advice. For Continue reading How to Check if WordPress Plugins Are Secure
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of December 9
The website of the WordPress focused company Awesome Motive paints them in an incredibly positive light. For example, one of their five core values is “We Do The Right Thing every time.”, which they explain this way: When it’s right Continue reading Awesome Motive’s Not So Awesome Five for the Future Sponsorship of Plugin Security Reviewer for WordPress
We recently tried to add a WordPress firewall plugin named BitFire in to our automated testing system of WordPress security plugins, but found that the plugin wasn’t working properly and then an update totally broke it. We also noticed that Continue reading Even Wordfence Competitor Has Been Fooled by Untruthful Marketing of Wordfence Premium
Last week we discussed an example of WordPress security providers often make marketing claims that don’t match up with what they deliver involving Patchstack, but they are certainly not alone in that. We ran across another example of that involving Continue reading WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet
Recently, we mentioned that the moderation of the WordPress Support Forum seemed to be moving in a better direction, but things still were not in great shape. We noted yet another problem last week. In the latest instance, we noticed Continue reading WordPress Deletes Negative Review of Wordfence Security Mentioning “Horrific” Wordfence Response Experience
Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities involved them being weeks behind offering protection that keeping plugins updated would have provided and failing to offer that for a vulnerability Continue reading Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website
While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated that; we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started Continue reading Wordfence Security Falls to Fourth Place in December Test of WordPress Security Plugins’ Zero-Day Protection
Two weeks ago, we looked at inaccurate information about claimed vulnerabilities in WordPress plugins, where a journalist was citing information from the National Vulnerability Database (NVD): The U.S government National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce Continue reading Severity Scores From NIST’s National Vulnerability Database (NVD) Are Not Reliable
WordPress security providers often make extraordinary claims about their services, which not only couldn’t be true, but even to the extent they could deliver something reasonably close to it, they fail to do that. The service Patchstack makes this claim Continue reading Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker
Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a Continue reading WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved
There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress. This week Patchstack started promoting that it is providing Continue reading Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor
During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests are looking for the plugin’s readme.txt file: /wp-content/plugins/contentstudio/readme.txt [Read more] ShareTweetSharePostSharePin It!
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of November 25
When reviewing security changes being made in WordPress plugins used by our customers, it isn’t uncommon for us to find that developers have failed to fully fix the vulnerabilities, or as was the case recently with a plugin with 300,000+ Continue reading WordPress Plugins Failing to Include Needed Capabilities Check for AJAX Accessible Functionality
The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier Continue reading CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission
CVE is a program that is supposed to provide unique identifiers for vulnerabilities and as we will get to shortly, it also is a path for directing software vulnerability reports away from developers to at least one security company selling Continue reading CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers
Earlier today someone posted on the support forum for the 200,000+ active install WordPress plugin Activity Log with the subject “Critical Exploit: Disable plugin Immediately!” and wrote this: As reposted by CISA and NIST, NVD this plugin has a critical Continue reading VulDB’s Alarmism on Display With False Claim of “Critical” Vulnerability in WordPress Plugin Activity Log