3 Dec 2021

Customers of WPScan and Patchstack Were Far From the First to Know About Exploited Plugin Vulnerability

Last week we looked at an instance where the Wordfence Security plugin and Wordfence Premium service failed to provide protection against a WordPress plugin vulnerability until four days after it was publicly discussed that the vulnerability had already been exploited. That is despite the Wordfence Premium service being marketed with the claim that it provides “real-time protection” and competing firewall plugins having delivered protection ahead of that. What we guessed might explain their belated response in that situation draws in two other security companies in the WordPress space, which do not appear to even try to deliver on how they market their services.

With one of our competitors in providing data on WordPress plugin vulnerabilities, the WPScan Vulnerability Database (now owned by Automattic), they claim at the top of their homepage that with their service you will “[b]e the first to know about vulnerabilities affecting your WordPress website”:

Another one of our competitors, Patchstack, makes variations on the same claim, like this one on the page for its companion plugin:

Be the first to know about new vulnerabilities!

It isn’t possible that both of them could be the first to know about vulnerabilities, so at least one of them isn’t telling the truth.

In reality, neither of them is telling the truth, considering that we are the discoverer/discloser of many vulnerabilities and we are therefore the first that could be warning about those.

Our experience has been that security companies that make claims that couldn’t possibly be true are usually not just exaggerating their capabilities, but are not even trying to deliver the claimed results. That seems to be the case with these two.

Four Different Data Points

On October 19 a new version of the plugin Age Gate was released, 2.17.1, with a changelog entry indicating that a security improvement had been made:

Fixes potential XSS issue with data imports

While described as a “potential XSS issue”, in reality, there was a persistent cross-site scripting (XSS) vulnerability being fixed.

On October 20, the rules for the NinjaFirewall plugin were updated to include protection against the vulnerability being fixed there.

On that same day, we warned our customers about the vulnerability.

On October 21, it was being publicly discussed on the WordPress Support Forum that the vulnerability had been exploited. Setting up a simple email alert on the forum would have alerted interested parties about that.

So by that date the WPScan Vulnerability Database and Patchstack had four data points that, alone or more easily together, could have made them aware that there was a vulnerability they should be warning about.
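The first of those data points, the changelog entry, is the kind of signal that can be picked up automatically. As an added illustration that is not part of the original post, the following Python script flags security-related entries in a readme.txt-style changelog and measures how many days passed between the earliest available signal and each vendor's first listing. The changelog text is constructed for the example (only the 2.17.1 entry is quoted from the plugin; the other entries are invented), and the dates are the ones given above, with Patchstack left as `None` since it had not listed the vulnerability.

```python
import re
from datetime import date

# Phrases that commonly mark a security fix in a WordPress plugin changelog.
SECURITY_PATTERNS = [
    r"\bxss\b", r"cross[- ]site scripting", r"\bcsrf\b", r"sql injection",
    r"\bsecurity\b", r"\bsanitiz", r"\bescap", r"\bnonce\b", r"\bvulnerab",
    r"capability check", r"\bauthoriz",
]
SECURITY_RE = re.compile("|".join(SECURITY_PATTERNS), re.IGNORECASE)

# Constructed changelog: the 2.17.1 entry is the real one quoted in the post,
# the other two releases and their entries are made up for this example.
SAMPLE_CHANGELOG = """\
= 2.18.0 =
* Added new template options
= 2.17.1 =
* Fixes potential XSS issue with data imports
= 2.17.0 =
* Improved performance of age check
"""

# Dates from the post's timeline (2021).
SIGNALS = {
    "changelog_entry": date(2021, 10, 19),
    "firewall_rule_update": date(2021, 10, 20),
    "support_forum_exploit_report": date(2021, 10, 21),
}
VENDOR_LISTINGS = {
    "WPScan": date(2021, 10, 25),
    "Patchstack": None,  # not listed at the time of writing
}


def parse_changelog(text):
    """Parse '= version =' headings and '* entry' bullets into (version, [entries]) pairs."""
    releases = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = re.match(r"^=\s*([\w.\-]+)\s*=$", line)
        if heading:
            current = (heading.group(1), [])
            releases.append(current)
        elif line.startswith("*") and current is not None:
            current[1].append(line.lstrip("* ").strip())
    return releases


def security_entries(text):
    """Return [(version, entry)] for every changelog entry that looks security related."""
    hits = []
    for version, entries in parse_changelog(text):
        for entry in entries:
            if SECURITY_RE.search(entry):
                hits.append((version, entry))
    return hits


def disclosure_lag(signals, vendor_dates):
    """Days between the earliest available signal and each vendor's first listing.

    A vendor that has not listed the vulnerability (None) is reported as None.
    """
    first_signal = min(signals.values())
    return {
        vendor: (listed - first_signal).days if listed is not None else None
        for vendor, listed in vendor_dates.items()
    }


if __name__ == "__main__":
    for version, entry in security_entries(SAMPLE_CHANGELOG):
        print(f"security-related change in {version}: {entry}")
    for vendor, lag in disclosure_lag(SIGNALS, VENDOR_LISTINGS).items():
        print(f"{vendor}: {'not listed' if lag is None else f'{lag} days after first signal'}")
```

The keyword list is deliberately broad; a vague wording like “potential XSS issue” is exactly what a human reviewer should then confirm against the code diff, as was done here to establish that the fix was for a persistent XSS vulnerability.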

WPScan Vulnerability Database Hides Late Disclosure

It took four more days for the WPScan Vulnerability Database to include the vulnerability:

They claim that the vulnerability was publicly published the same day they added it, which isn’t true based on what we already mentioned. It also isn’t true even if you rely on the references they cited:

One of those references is the support forum topic we already mentioned, which happened on October 21, not October 25.

The other reference also comes from the same day, October 21. Why it is included isn’t clear since it is the changes made in version 2.18.0 of the plugin and they are not claiming the vulnerability was fixed in that version:

Seeing as they ran across the support forum topic, they must have known that they could have been aware of this sooner (and not for the first time).

Patchstack Still Doesn’t Include the Vulnerability

The results from the WPScan Vulnerability Database are still much better than Patchstack’s with this, seeing as they still do not include the vulnerability:

