29 Jan 2024

Wordfence Claims Unfixed WordPress Plugin Vulnerability Has Been Fixed in Version That Doesn’t Even Exist

Having accurate data on vulnerabilities in WordPress plugins is important. Lots of people trust one provider of WordPress plugin vulnerability data, Wordfence, and it seems as if their data should be trustworthy, considering that the CEO of Wordfence, Mark Maunder, has claimed it is “impeccable”. Contrary to his claim, just very recently we have run across them claiming that unfixed vulnerabilities have been fixed, claiming that a vulnerability that never existed was fixed in a version it definitely wasn’t, and claiming that a WordPress Administrator doing something that WordPress explicitly allows Administrators to do is a vulnerability. And we just ran across another strange false claim while trying to figure out an odd action by the team running the WordPress Plugin Directory.

Late last week, Wordfence claimed that a vulnerability in a plugin used on 80,000+ websites had been fixed:

There are two big problems with that.

First, it hasn’t been fixed. That is easy to confirm either with an available proof of concept or by looking at the plugin’s code. But Wordfence, with their “impeccable” data, didn’t manage to do that. Based on past mistakes, it seems possible they looked at a changelog entry saying that vulnerabilities had been fixed and didn’t bother to do the needed work to confirm whether that was true.

Second, it was claimed to have been fixed in a version that doesn’t even exist.

The same day they said this was fixed in version 5.2, version 5.1.1 was released. That is, as of writing, still the latest version of the plugin.

It isn’t as if Wordfence had access to a newer version, as we were in contact with the developer after that and they were not even aware the vulnerability hadn’t actually been fixed yet.

It is easy to have a data entry system flag a claim that a vulnerability was fixed in a version higher than the latest released version of a WordPress plugin. We know, as we have that check in our system. So there isn’t a good excuse for getting that wrong, and it is more problematic still when you are claiming your data to be “impeccable.”
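The check described above, written out as an added example (this is not Plugin Vulnerabilities’ or Wordfence’s code): a vulnerability record carries a “fixed in” version, the entry system knows the latest version the plugin has actually released, and any record claiming a fix in a version newer than that is flagged before it is published. The record layout, the function names and the `example-plugin` slug are assumptions; the version numbers 5.2 and 5.1.1 are the ones from the post.

```python
"""Data-quality check for plugin vulnerability records.

Added example, not the code of any vulnerability data provider. It flags a
record whose "fixed in" version is higher than the latest version the plugin
has released, which is exactly the inconsistency described in the post
(fix claimed in 5.2 while 5.1.1 is the newest release).
"""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_VERSION_RE = re.compile(r"\d+(\.\d+)*")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted WordPress-style version into integers: "5.1.1" -> (5, 1, 1).

    Anything that is not plain dotted digits is rejected rather than guessed at,
    so a typo in the data entry form is caught instead of silently compared.
    """
    if not _VERSION_RE.fullmatch(version.strip()):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in version.strip().split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b.

    Shorter versions are padded with zeros, so "5.2" and "5.2.0" compare equal.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa = pa + (0,) * (width - len(pa))
    pb = pb + (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass
class VulnerabilityRecord:
    """Minimal stand-in for a vulnerability database entry (assumed layout)."""

    plugin_slug: str
    title: str
    fixed_in: Optional[str]  # None means the vulnerability is still unfixed


def check_record(record: VulnerabilityRecord, latest_released: str) -> List[str]:
    """Return the data-quality warnings an entry system should raise for a record.

    `latest_released` is the newest version actually available for the plugin,
    as the entry system would look it up from the Plugin Directory.
    """
    warnings: List[str] = []
    if record.fixed_in is None:
        return warnings  # an unfixed vulnerability makes no claim to check here
    if compare_versions(record.fixed_in, latest_released) > 0:
        warnings.append(
            f"{record.plugin_slug}: claims a fix in {record.fixed_in}, but the "
            f"latest released version is {latest_released}; that version does "
            f"not exist yet, so the fix claim cannot be correct"
        )
    return warnings


if __name__ == "__main__":
    # Constructed record mirroring the situation in the post.
    bad = VulnerabilityRecord("example-plugin", "constructed entry", fixed_in="5.2")
    ok = VulnerabilityRecord("example-plugin", "constructed entry", fixed_in="5.1.1")
    for rec in (bad, ok):
        for warning in check_record(rec, latest_released="5.1.1"):
            print("FLAG:", warning)
```

The comparison is done on integer components rather than on strings, because a string comparison would rank "5.10" below "5.2" and let exactly this kind of error through.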
