27 Jul 2023

Really Simple SSL Plugin Is Falsely Claiming That WordPress Plugins Contain Vulnerabilities

The Really Simple SSL plugin became popular, with 5+ million installs, as a simple WordPress plugin, and then the developer started bloating it with unrelated features. One of those was plugin vulnerability alerts. They recently explained adding that feature this way:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.”

Among the issues with adding unrelated features to a WordPress plugin is that it increases the chances of security issues, so it should be avoided if possible. That is something security experts, which is what the developers of this plugin claim to be, would know. While preparing this post, we found a security issue caused by this very feature, which we will detail in an upcoming post.

It also isn’t as if there weren’t already lots of options for getting this type of data. What would be rather uncommon is if the data were accurate, since we are currently the only provider that actually verifies its data (incredibly, other providers claim to verify their data when they do not). The lack of verification from other providers opens their users up to being hacked while they are told they are protected. So did Really Simple SSL join us in verifying? It turns out they did not.

False Claims of Vulnerabilities

Yesterday, we talked about how various providers, including Patchstack, iThemes Security, WP Engine, and WPScan were making false claims about plugins being vulnerable due to a fixed issue in a third-party library, Freemius, widely used in WordPress plugins.

Really Simple SSL is doing the same. They did so with at least two plugins: one with 300,000+ installs and another with 60,000+ installs (we independently confirmed that it was falsely claiming those plugins were vulnerable).
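The false positives described above arise because a feed flags every plugin known to use the library rather than checking which library version each plugin actually bundles. The following is an added example (not code from Really Simple SSL, WPVulnerability, Freemius or this blog) contrasting the name-based check with a version-aware one; the plugin slugs and version numbers are constructed placeholders, not real advisory data.

```python
"""Added example: why an issue fixed in a bundled third-party library produces
false vulnerability alerts when a feed flags plugins by name instead of checking
the bundled library version. Not code from any of the parties named in the post;
all slugs and version numbers below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.5.10' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class InstalledPlugin:
    slug: str
    version: str
    # Version of the third-party SDK shipped inside the plugin's own files,
    # or None when the plugin does not bundle the SDK at all.
    bundled_sdk_version: Optional[str]


@dataclass(frozen=True)
class LibraryAdvisory:
    library: str
    fixed_in: str  # first library version that contains the fix


def naive_flag(plugin: InstalledPlugin, known_users: Set[str]) -> bool:
    """The behaviour the post criticises: every plugin known to use the library
    is reported as vulnerable, whether or not it already ships the fix."""
    return plugin.slug in known_users


def version_aware_flag(plugin: InstalledPlugin, advisory: LibraryAdvisory) -> bool:
    """Report a plugin only if it bundles a library version older than the fix."""
    if plugin.bundled_sdk_version is None:
        return False
    return parse_version(plugin.bundled_sdk_version) < parse_version(advisory.fixed_in)


def assess(plugins: Iterable[InstalledPlugin], advisory: LibraryAdvisory,
           known_users: Set[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each plugin slug to (name-based verdict, version-aware verdict)."""
    return {p.slug: (naive_flag(p, known_users), version_aware_flag(p, advisory))
            for p in plugins}


def false_positives(plugins: Iterable[InstalledPlugin], advisory: LibraryAdvisory,
                    known_users: Set[str]) -> Set[str]:
    """Plugins the name-based feed alerts on even though they ship the fix."""
    return {slug for slug, (naive, accurate)
            in assess(plugins, advisory, known_users).items()
            if naive and not accurate}


# Constructed sample data (placeholder values, not a real advisory).
ADVISORY = LibraryAdvisory(library="freemius-sdk", fixed_in="2.0.0")
KNOWN_USERS = {"example-plugin-a", "example-plugin-b"}
PLUGINS = [
    InstalledPlugin("example-plugin-a", "3.1.0", "2.0.0"),  # already ships the fix
    InstalledPlugin("example-plugin-b", "1.2.0", "1.9.5"),  # still bundles an unfixed SDK
    InstalledPlugin("example-plugin-c", "0.8.0", None),     # does not bundle the SDK
]

if __name__ == "__main__":
    for slug, (naive, accurate) in assess(PLUGINS, ADVISORY, KNOWN_USERS).items():
        print(f"{slug}: name-based feed={naive}, version-aware={accurate}")
    print("false positives:", sorted(false_positives(PLUGINS, ADVISORY, KNOWN_USERS)))
```

Only `example-plugin-b` is actually exposed under the version-aware check; `example-plugin-a` is the kind of false positive the post describes, and the name-based feed cannot tell the two apart.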

With the 300,000+ install plugin, the person reporting that Really Simple SSL was claiming the plugin was vulnerable had attributed the incorrect information to it being a “beta” feature:

Oh dear, I’ll turn it off then. It does say beta.

The problem is bad data, not the feature being in beta.

The Actual Source of Their Data

On the developer’s website they make this claim as to the source of their data:

This information is sourced from wpvulnerabilities.com. An open-source database of vulnerabilities maintained by the community.

There is no website at the domain they mention. Elsewhere they say the data comes from WPVulnerability, which used the domain wpvulnerability.net. As we noted last year, that source simply combines inaccurate data copied from other sources without paying for it. The sources it copies from include the previously mentioned Patchstack and WPScan, both of which have serious accuracy issues. Branding data copied from other providers’ inaccurate sources as open source doesn’t seem like something a party you should be able to trust would do.

The quality of such data is only likely to get worse as more parties, including the developers of Really Simple SSL, try to profit from data they are not paying the original source for. So Really Simple SSL’s impact on security in this realm is likely to make things even worse than they already are.

Not Medium-Risk

Another issue with vulnerability sources other than us is that they frequently overstate the risk posed by vulnerabilities. Really Simple SSL is claiming this issue has a severity of “medium-risk”. That seems unlikely to be an accurate rating, considering that reflected cross-site scripting (XSS), the type of vulnerability involved, isn’t targeted on a mass scale. In this case, the underlying security issue causing the vulnerability was publicly warned about in February of last year. So if this were a real concern, it seems like it would have already been exploited by now.


Plugin Security Scorecard Grade for Really Simple SSL (checked on November 20, 2024): D
