26 Jul 2023

WP Engine Sending Out Emails Falsely Claiming Popular WordPress Plugins Contain Unfixed Vulnerabilities

Earlier today, we covered how Patchstack and their partners have been falsely claiming that WordPress plugins contain vulnerabilities caused by usage of an outdated version of the Freemius library. They have been joined in that by WP Engine and the Automattic-owned WPScan.

Here is an example of that email sent out for the 100,000+ install plugin Pods:

At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site(s), [redacted], is (are) utilizing a vulnerable version of the Pods – Custom Content Types and Fields plugin.

At this time, we are not seeing that the plugin author has released an update or patch for this vulnerability.

WP Engine summary of the vulnerability: Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitor’s browser can be abused to steal information, or modify site configuration.

Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999

https://wpscan.com/vulnerability/9f01090f-df5b-4d9e-bc4d-fac9150fdfe6

We encourage you to assess the risk of continuing to use this plugin until a patch is released.

One of the developers of that plugin explained what is going on this way:

Much like Pods, this plugin got swept up incorrectly. It appears that if a plugin ever used the Freemius SDK then they are marked as vulnerable even if Freemius SDK was later removed.

This plugin removed Freemius SDK in 2.1 back in August 2020.

WPScan is going to have a lot of upset plugin authors on their hands
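The developer's explanation above suggests the flag is driven by whether a plugin ever bundled the Freemius SDK, not whether it bundles it now. The Python script below is an added example, not code from this post, from WP Engine, WPScan, or the Pods project; it inspects the plugins actually installed on a site and reports which ones currently ship the SDK and at which version, so an alert like the one quoted above can be checked against what is on disk. It assumes the SDK lives in a `freemius/` directory whose `start.php` declares `$this_sdk_version = '...'`; the version threshold, the sample plugin names, and the version strings in the demo are constructed placeholders, not values from the advisory.

```python
import re
import tempfile
from pathlib import Path

# Assumption about the SDK's layout: the bundled copy sits in a "freemius/"
# directory and its "start.php" declares the version in a line such as
#   $this_sdk_version = '2.5.10';
SDK_VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*'([0-9][0-9.]*)'")


def find_freemius_sdk(plugin_dir: Path):
    """Return the Freemius SDK version a plugin ships right now, or None.

    A plugin that removed the SDK in an earlier release has no freemius/start.php
    on disk, so it is reported as None regardless of its history.
    """
    for start_php in plugin_dir.rglob("start.php"):
        if start_php.parent.name != "freemius":
            continue
        match = SDK_VERSION_RE.search(start_php.read_text(errors="replace"))
        if match:
            return match.group(1)
    return None


def version_tuple(version: str):
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_plugins(plugins_root: Path, fixed_sdk_version: str):
    """Map each plugin directory name to (sdk_version, status).

    status is one of:
      'no-sdk'       - the plugin does not currently bundle the SDK
      'outdated-sdk' - bundled SDK is older than fixed_sdk_version
      'current-sdk'  - bundled SDK is fixed_sdk_version or newer
    """
    report = {}
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        version = find_freemius_sdk(plugin_dir)
        if version is None:
            status = "no-sdk"
        elif version_tuple(version) < version_tuple(fixed_sdk_version):
            status = "outdated-sdk"
        else:
            status = "current-sdk"
        report[plugin_dir.name] = (version, status)
    return report


def build_sample_tree(root: Path):
    """Create a constructed wp-content/plugins layout for the demo."""
    # Plugin that dropped the SDK (only a stale changelog mention remains).
    no_sdk = root / "pods-like-no-sdk"
    no_sdk.mkdir()
    (no_sdk / "readme.txt").write_text("= 2.1 =\n* Removed Freemius SDK\n")

    # Plugin still bundling an older SDK (constructed version string).
    outdated = root / "outdated-sdk-plugin" / "freemius"
    outdated.mkdir(parents=True)
    (outdated / "start.php").write_text("<?php\n$this_sdk_version = '2.4.3';\n")

    # Plugin bundling a newer SDK (constructed version string).
    current = root / "current-sdk-plugin" / "vendor" / "freemius"
    current.mkdir(parents=True)
    (current / "start.php").write_text("<?php\n$this_sdk_version = '2.6.0';\n")


def demo():
    """Run the audit over the constructed tree and return the report."""
    # Placeholder threshold: substitute the version the advisory names as fixed.
    fixed_sdk_version = "2.5.0"
    with tempfile.TemporaryDirectory() as tmp:
        plugins_root = Path(tmp) / "wp-content" / "plugins"
        plugins_root.mkdir(parents=True)
        build_sample_tree(plugins_root)
        return audit_plugins(plugins_root, fixed_sdk_version)


if __name__ == "__main__":
    for name, (version, status) in demo().items():
        print(f"{name:24s} sdk={version or '-':8s} {status}")
```

Point `audit_plugins` at a real `wp-content/plugins` directory with the fixed version from the advisory to see which installed plugins actually carry the SDK; a plugin reported as `no-sdk` cannot be exploited through an SDK it no longer ships, whatever a scanner's version history says.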

One part of WP Engine’s email really stands out to us, where they are saying you shouldn’t contact them:

Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine

So they are falsely claiming that a plugin contains a vulnerability and then trying to disclaim responsibility for it.

It also looks like the third-party isn’t really a third-party, as WPScan is claiming that WP Engine is partnered with them. (If true, why isn’t WP Engine disclosing that?) One line in WPScan’s post about that claimed partnership stands out:

The results have been overwhelmingly positive, solidifying WP Engine’s position as a true security partner for their customers and helping them build a customer base that is more loyal than ever before.

We would hardly call spreading false information from WPScan, a source long known for its lack of accuracy, being a true security partner. Incredibly, WP Engine’s VP of security admits they haven’t done due diligence on WPScan’s data:

We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else.

We don’t know how you could have a sense of completeness without any crosschecking, but doing that would show that not only is WPScan’s data inaccurate, it isn’t close to complete either. You also have to wonder why a VP of security would publicly admit to failing to do basic due diligence, and why they remain employed despite doing that.

We reached out to WP Engine for comment about the situation early today, but haven’t received a response so far. We will update the post if we receive one.

