Wordfence Falsely Claims WordPress Plugin Contains a “Critical” Vulnerability Because It Confused it With Another Plugin
Recently, we have covered multiple instances where the WordPress security provider Wordfence was falsely claiming that WordPress plugins contain “critical” vulnerabilities, despite there being no vulnerability. That is despite them marketing one of their services, Wordfence Intelligence, partly based on providing high-quality data of that type:
Wordfence Intelligence includes a comprehensive and extremely current vulnerability database for WordPress that contains nearly 7,000 unique vulnerability records. This database is actively maintained by some of the top WordPress vulnerability researchers in the industry.
In previous instances, Wordfence didn’t provide any information on the claimed vulnerability or any apology/explanation for how they messed up, so we don’t know for sure how they got things so wrong. But in one instance, it looked like they fell for what should have been an obviously false report of a vulnerability.
In the latest instance, though, they provided information that allowed us to double check their claim, which let us see how things went wrong.
A topic on the WordPress Support Forum recently mentioned Wordfence’s claim that a plugin named Responsive Lightbox contained a vulnerability:
I have received a critical error regarding this plugin:
‘The Plugin “Responsive Lightbox” has a security vulnerability.’ … ‘Issue Found October 19, 2022 09:18 – Critical’
I have been advised to:
‘deactivate and completely remove “Responsive Lightbox” until a patched version is available’
Someone else followed up with this information:
Plugin Name: Responsive Lightbox
Current Plugin Version: 1.3.4
Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “Responsive Lightbox” until a patched version is available. Get more information.
Repository URL: https://wordpress.org/plugins/responsive-lightbox-lite
Vulnerability Information: https://www.cve.org/CVERecord?id=CVE-2017-2243
The page listed for the vulnerability information shows that they have confused two plugins. That page, which has information dated from 2017, says that versions below 1.7.2 of Responsive Lightbox contained a vulnerability:
Cross-site scripting vulnerability in Responsive Lightbox prior to version 1.7.2 allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
The latest version of this Responsive Lightbox is 1.3.4, so things don’t match up. The reason they don’t match up is that the vulnerability was in a different plugin, as one of the references given is to the plugin directory page for that other plugin:
https://wordpress.org/plugins/responsive-lightbox/#developers
The plugin they are claiming is vulnerable has the slug “responsive-lightbox-lite”, not “responsive-lightbox”.
As multiple WordPress plugins can have the same name, as is the case here, and a single plugin can go by several different names, vulnerability data sources rely on slugs to identify which plugin a record applies to, so a mistake like this shouldn’t happen.
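As an added illustration, not code from the original post or from any of the products discussed, the following shows how matching installed plugins to vulnerability records by display name produces exactly this false positive, while matching by slug does not. The record is constructed from the details above (CVE-2017-2243, fixed in 1.7.2, slug responsive-lightbox); the installed-plugin entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    plugin_name: str  # human-readable name; NOT unique across plugins
    slug: str         # wordpress.org directory slug; unique per plugin
    fixed_in: str     # first version that is no longer affected


@dataclass(frozen=True)
class InstalledPlugin:
    name: str
    slug: str
    version: str


def version_tuple(version: str) -> tuple:
    # Numeric dotted versions only (e.g. "1.3.4"); tuples compare lexicographically,
    # so (1, 3, 4) < (1, 7, 2) behaves as expected.
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: InstalledPlugin, record: VulnRecord) -> bool:
    return version_tuple(installed.version) < version_tuple(record.fixed_in)


def match_by_name(installed: InstalledPlugin, records: list) -> list:
    # The mistaken approach: two different plugins share the name "Responsive Lightbox".
    return [r.cve for r in records
            if r.plugin_name == installed.name and is_affected(installed, r)]


def match_by_slug(installed: InstalledPlugin, records: list) -> list:
    # The correct approach: the slug identifies one specific plugin in the directory.
    return [r.cve for r in records
            if r.slug == installed.slug and is_affected(installed, r)]


# Constructed from the CVE record quoted on the page.
RECORDS = [VulnRecord("CVE-2017-2243", "Responsive Lightbox", "responsive-lightbox", "1.7.2")]

# Constructed sample installs: the "Lite" plugin the forum poster had, and an old copy of the other plugin.
LITE_PLUGIN = InstalledPlugin("Responsive Lightbox", "responsive-lightbox-lite", "1.3.4")
OTHER_PLUGIN_OLD = InstalledPlugin("Responsive Lightbox", "responsive-lightbox", "1.7.1")
```

Running `match_by_name(LITE_PLUGIN, RECORDS)` reports CVE-2017-2243 against the unaffected "Lite" plugin, whereas `match_by_slug` reports it only for the responsive-lightbox plugin at versions below 1.7.2.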
Checking competing data sources, even ones with serious accuracy issues of their own, none of them made the same mistake.
Even if that reflected cross-site scripting vulnerability existed in the plugin, it is far from a “critical” vulnerability.