
Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of those often get in the way and cause unnecessary problems (as well as engaging in other troubling behavior, including deleting Continue reading Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape and that at the same time, security companies are so obviously dishonest so often. That is something we frequently run across Continue reading WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published

WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet

Last week we discussed an example, involving Patchstack, of how WordPress security providers often make marketing claims that don’t match up with what they deliver, but Patchstack is certainly not alone in that. We ran across another example of that involving Continue reading WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a Continue reading WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin

During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests were looking for the plugin’s readme.txt file: /wp-content/plugins/contentstudio/readme.txt [Read more]
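The probing described above has a simple signature in a web server access log: a request for /wp-content/plugins/<slug>/readme.txt, where a 200 tells the prober the plugin is installed (the readme’s "Stable tag" line also reveals the version) and a 404 tells them to move on. The following is an added example of detection logic for that signature; it is not code from the original post or from any of the vendors discussed. The log lines are constructed, use documentation IP ranges, and follow the Apache/nginx "combined" format, which is an assumption about what a reader's server actually writes.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format (assumed):
# ip - - [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Only the plugin readme itself counts as a probe; requests for a plugin's
# CSS/JS assets are normal traffic from a page that uses the plugin.
PROBE_RE = re.compile(
    r'^/wp-content/plugins/(?P<slug>[a-z0-9][a-z0-9._-]*)/readme\.txt$', re.I
)

# Constructed sample log (not real traffic). 203.0.113.7 checks two plugins,
# one of which exists; 203.0.113.9 checks one plugin that does not exist;
# 198.51.100.20 is an ordinary visitor whose browser loads plugin assets.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2024:03:14:07 +0000] "GET /wp-content/plugins/contentstudio/readme.txt HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Dec/2024:03:14:08 +0000] "GET /wp-content/plugins/some-other-plugin/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Dec/2024:03:15:01 +0000] "GET /?p=1 HTTP/1.1" 200 18233 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.20 - - [01/Dec/2024:03:15:02 +0000] "GET /wp-content/plugins/contentstudio/assets/style.css HTTP/1.1" 200 2210 "https://example.test/?p=1" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [01/Dec/2024:03:20:44 +0000] "GET /wp-content/plugins/contentstudio/readme.txt?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    'this line is garbage and must be skipped, not crash the parser',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def plugin_readme_probe(path):
    """Return the plugin slug if the path is a plugin readme.txt request, else None."""
    path = path.split('?', 1)[0]  # ignore any query string bolted onto the probe
    m = PROBE_RE.match(path)
    return m.group('slug').lower() if m else None


def readme_probes(lines):
    """Map source IP -> {plugin slug: [status codes]} for every readme probe seen."""
    probes = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        slug = plugin_readme_probe(rec['path'])
        if slug is not None:
            probes[rec['ip']][slug].append(int(rec['status']))
    return probes


def scan_report(lines):
    """One row per probing IP: (ip, number of plugins probed, plugins confirmed present).

    A plugin is "confirmed present" when the probe got a 200: that IP now knows
    the plugin is installed and any follow-up requests from it deserve attention.
    Rows are sorted with the busiest prober first.
    """
    rows = []
    for ip, slugs in readme_probes(lines).items():
        confirmed = sorted(s for s, codes in slugs.items() if 200 in codes)
        rows.append((ip, len(slugs), confirmed))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == '__main__':
    for ip, probed, confirmed in scan_report(SAMPLE_LOG):
        print(f'{ip}: probed {probed} plugin readme(s); confirmed installed: {confirmed or "none"}')
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines. The useful alert is not the probe itself but a 200 on the readme followed by other requests from the same IP into that plugin's directory, since that is the point at which the attacker has confirmed the target and is likely to try whatever unfixed vulnerability drew their interest.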

Not Really a WordPress Plugin Vulnerability, Week of November 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of November 25

CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier Continue reading CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist

Recently WordPress changed their policy on discussing vulnerabilities in plugins on their forum, that is leading to public discussions of the kind that we are frequently party to in private. Among the issues that we have run across are plugin Continue reading If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist

Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

During the summer, WPScan, one arm of Automattic, the company closely associated with WordPress, disclosed a vulnerability in the plugin Co-Authors Plus, which is maintained by another arm of Automattic. WPScan and others in Automattic appear to have failed to look all that Continue reading Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A recurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters and then the sources of that inaccurate information are not the ones having to deal with the fallout of Continue reading iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

Not Really a WordPress Plugin Vulnerability, Week of October 14

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of October 14

Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True

In our monitoring of the WordPress Support Forum for topics that might involve WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims coming from the WordPress security provider Wordfence, through their Wordfence Security plugin, that Continue reading Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on. As an example of what Continue reading Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community Continue reading Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Not Really a WordPress Plugin Vulnerability, Week of October 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of October 7

Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

As detailed in a more technical post, proactive monitoring we do caught a serious vulnerability, of a type highly likely to be exploited, being introduced into a WordPress plugin this week. By the install count of the plugin, this Continue reading Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What seems like it could have started the closure was a claim made Continue reading WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing

Last week Bloomberg’s Katrina Manson covered a recommendation from the US Cybersecurity and Infrastructure Security Agency that urged companies to automate threat testing. The story touched on one of the realities of the poor state of security that doesn’t get Continue reading How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing