If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist
Recently WordPress changed its policy on discussing vulnerabilities in plugins on its forum, which is leading to public discussions of the kind we are frequently party to in private. Among the issues we have run across are plugin developers claiming that there isn’t a vulnerability in their plugin because a data provider isn’t mentioning it. You can see that in a public discussion involving a claim from one of those data providers, Patchstack, that there is a vulnerability in the current version of a plugin.
The response from the developer to that claim was this:
We are looking into this issue, why this is showing, but as per wpscan report there is no vulnerability in our plugin. You can check here: https://wpscan.com/plugin/woo-wallet
When visiting the page referenced by the developer, which is from the competing data provider WPScan, the following information is displayed:
No vulnerabilities present in our database
We are not aware of any vulnerabilities affecting this plugin. That does not mean that this plugin is secure.
WPScan, which is owned by Automattic, isn’t claiming there isn’t a vulnerability, only that they are not aware of any.
On the other hand, it isn’t totally unreasonable to believe that WPScan would know if there were a vulnerability, since on their homepage they claim that with their information you would be the first to know about vulnerabilities in the plugin (or any other WordPress plugin):
Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.
That isn’t true. Not only will you not be the first to know in many instances, it isn’t uncommon for them to not even know about publicly known vulnerabilities in some of the most popular plugins.
In this situation, Patchstack also doesn’t look great, as this is the totality of the description for the claimed vulnerability:
Cross-Site Request Forgery (CSRF) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress TeraWallet – For WooCommerce plugin (versions <= 1.3.24).
That isn’t enough information for other data providers to reasonably confirm their claim of a vulnerability is accurate.
Plugin Security Scorecard Grade for Patchstack (checked on March 5, 2025)