Wordfence and Security Journalists Are Again Creating FUD About the Security of WordPress Websites
Last week numerous news outlets ran scary sounding stories about a claimed security issue in a WordPress plugin. Here are some of the headlines of stories that were included in Google News:
- WordPress zero-day vulnerability compromised more than 280000 websites: Researchers
- 280000 WordPress sites hacked by exploitation of CVE-2022-3180 – Web Hosting
- Shocking Cyberattack by Hackers on 280000 WordPress Sites
- Shocking cyberattack! 280000 WordPress sites attacked by hackers
- Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
- Zero-day in WPGateway WordPress plugin actively exploited in attacks
- WordPress Plugin Vulnerability Abused in Zero-Day Exploit
- WordPress zero-day vulnerability leads to 4.6 million attempted attacks on websites
- WordPress plugin vulnerability leaves sites open to total takeover
- Over 280000 WordPress sites may have been hijacked by zero-day hiding in popular plugin
The last one of those was from a TechRadar story written by Sead Fadilpašić. The sub-headline of the story was:
Popular WordPress plugin had a serious zero-day flaw
In the story, they claimed that possibly much more than 280,000 websites were attacked and compromised:
blocked more than 4.6 million attacks, against more than 280,000 sites, in the last month, alone. That also means that the number of attacked (and possibly compromised) websites is probably much, much larger.
So how popular is the plugin? The author of the story didn’t provide any information on that. They were not alone in making wholly unsupported claims of popularity of the plugin. Rory Bathgate writing for IT Pro claimed it was a “widely-used WordPress plugin”, but didn’t provide any information on how widely used it was. Ionut Arghire writing for SecurityWeek claimed that “Many WordPress sites are at risk of full compromise”, but didn’t provide any information on how many WordPress sites were at risk.
With most WordPress plugins, it is easy to get a sense of how popular the plugin is, as plugins in WordPress’ plugin directory have an active install count. The plugin mentioned here, WPGateway, isn’t included in it. We couldn’t find much information on the plugin, which would suggest it isn’t popular. That the developer hadn’t promptly addressed the claimed vulnerability would also suggest it wasn’t very popular.
Considering that none of the stories or the underlying source for the claims provided any information on the popularity, the authors of those stories certainly have no idea if it is popular, widely-used, or is used on many websites.
The popularity is rather important since, if, say, it had only 1,000 installs, then the number of websites that could have been directly hacked would be much less than 280,000. It also wouldn’t be newsworthy if some unpopular plugin not distributed by WordPress was exploited like this. It would be a pretty clear example of the fear, uncertainty, and doubt (FUD) that is far too common in the security industry and is often targeted towards WordPress.
Sead Fadilpašić’s response on Twitter to us pointing out this FUD was “Lol”. We followed up by asking him about the claim of the popularity of the plugin:
Here is your headline: “Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin”
How popular is the plugin? You didn’t say in the post. If you don’t know, how do you know if anywhere near 280,000 WordPress websites could have been hijacked?
He had no response.
Wordfence Behind the FUD
To lay all the blame on security journalists here would be a mistake, as among other issues, many of them appear to have no expertise in security. Take the bio of the author of another news outlet’s coverage:
Katie is a Staff Writer at MUO with experience in content writing in travel and mental health. She has a specific interest in Samsung, and so has chosen to focus on Android in her position at MUO. She has written pieces for IMNOTABARISTA, Tourmeric and Vocal in the past, including one of her favourite pieces on remaining positive and strong through trying times, which can be found at the link above. Outside of her working life, Katie loves growing plants, cooking, and practicing yoga.
Looking at the other stories, they also don’t appear to understand the basics of journalism, as the stories all rely on a single unreliable source, Wordfence. In May, multiple news outlets ran stories based solely on information from Wordfence telling people they needed to update a plugin, despite an update not being available to the 90,000+ websites running it.
Without Wordfence, there wouldn’t have been any of the misleading stories about this situation, and it appears they wrote things up in a way designed to generate this FUD.
The information Wordfence provided doesn’t make a lot of sense.
They state they added protection for the claimed vulnerability on September 8. Yet, they claim they only determined there was even a vulnerability the next day.
We obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time we contacted the plugin vendor with our initial disclosure.
Then in a post on September 13 they cited data on blocked attacks going back 30 days, despite stating that they had only added protection five days before:
The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.
Those numbers were a major focus of news outlets, but as Wordfence would surely know, they are meaningless. There are many attacks against websites all the time, and almost all of them are going to be unsuccessful on their own for numerous reasons, including that the websites are not running the software being targeted. If any of the journalists had gotten a second opinion, someone could have told them that.
Wordfence could measure how many of the attacks they blocked would have otherwise been successful, but doing that would help people understand how little protection their plugin is really providing.
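The distinction drawn above, between requests a firewall blocked and requests that could actually have succeeded, can be made concrete by joining blocked-request records with an inventory of what each protected site really runs. The following Python is an added example, not code from this post or from Wordfence; the log records, the site inventory and the plugin slug `example-plugin` are all constructed, and the only WordPress convention it relies on is that plugin files are served from `/wp-content/plugins/<slug>/`.

```python
"""Exposure-weighted triage of blocked WAF requests (added example).

Raw "attacks blocked" counts include every probe aimed at sites that do not
even have the targeted plugin installed. Joining the blocked requests with a
per-site plugin inventory separates noise from attempts that could have
succeeded had the firewall not been there.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Standard WordPress plugin asset path; capture group 1 is the plugin slug.
PLUGIN_PATH = re.compile(r"^/wp-content/plugins/([a-z0-9_-]+)/", re.IGNORECASE)


@dataclass(frozen=True)
class BlockedRequest:
    site: str   # identifier of the protected site
    path: str   # request path the firewall rule blocked


def plugin_slug(path: str) -> Optional[str]:
    """Return the lower-cased plugin slug a request path points at, or None."""
    m = PLUGIN_PATH.match(path)
    return m.group(1).lower() if m else None


def exposure_summary(blocked: Iterable[BlockedRequest],
                     inventory: Dict[str, Set[str]],
                     target_slug: str) -> Dict[str, int]:
    """Raw and exposure-adjusted counts for attempts against target_slug.

    inventory maps a site identifier to the set of plugin slugs installed on it.
    A site with no inventory entry is treated as not running the plugin.
    """
    target_slug = target_slug.lower()
    attempts = [r for r in blocked if plugin_slug(r.path) == target_slug]
    per_site = Counter(r.site for r in attempts)
    exposed_sites = {s for s in per_site if target_slug in inventory.get(s, set())}
    return {
        "blocked_attempts": len(attempts),            # the headline number
        "sites_targeted": len(per_site),               # distinct sites probed
        "sites_exposed": len(exposed_sites),           # sites that run the plugin
        "attempts_against_exposed": sum(per_site[s] for s in exposed_sites),
    }


# Constructed sample data: four sites, only site "c" runs the hypothetical
# plugin "example-plugin". The paths are invented, not from any real exploit.
SAMPLE_INVENTORY: Dict[str, Set[str]] = {
    "a": {"other-plugin"},
    "b": set(),
    "c": {"example-plugin", "other-plugin"},
    "d": {"other-plugin"},
}

SAMPLE_BLOCKED = [
    BlockedRequest("a", "/wp-content/plugins/example-plugin/admin.php"),
    BlockedRequest("b", "/wp-content/plugins/example-plugin/admin.php"),
    BlockedRequest("c", "/wp-content/plugins/example-plugin/admin.php"),
    BlockedRequest("c", "/wp-content/plugins/Example-Plugin/admin.php"),  # case variant
    BlockedRequest("d", "/wp-content/plugins/example-plugin/admin.php"),
    BlockedRequest("a", "/wp-content/plugins/other-plugin/x.php"),          # different plugin
    BlockedRequest("d", "/xmlrpc.php"),                                     # not a plugin path
]


def summarize_sample() -> Dict[str, int]:
    """Run the triage over the constructed sample for the hypothetical plugin."""
    return exposure_summary(SAMPLE_BLOCKED, SAMPLE_INVENTORY, "example-plugin")


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key:26} {value}")
```

On the constructed data the firewall "blocked 5 attacks against 4 sites", but only one of those sites runs the plugin, so just 2 of the 5 blocked requests could have done anything. The gap between the first pair of numbers and the second is exactly what a vendor with both the firewall logs and the site inventory is in a position to report.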