2 Dec 2022

Severity Scores From NIST’s National Vulnerability Database (NVD) Are Not Reliable

Two weeks ago, we looked at inaccurate information about claimed vulnerabilities in WordPress plugins, where a journalist was citing information from the National Vulnerability Database (NVD):

The U.S. government National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.

21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the number of false reports out there. While that has been a problem for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by Automattic, the company closely connected with WordPress. That entity is marketed with the claim that it is a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be: neither a recently fixed vulnerability in the plugin nor an unfixed vulnerability that currently exists in it. But WPScan did recently put out a false report of a vulnerability in the plugin, and it seems a hacker might have thought that was something they could exploit.

15 Sep 2016

CVSS Vulnerability Scores Provide Misleading Results for WordPress Plugin Vulnerabilities

We have recently been looking to see if there is additional data we could add to our service that would be useful to our customers. So far that has resulted in us adding data on false reports of vulnerabilities to the results shown on the admin page of the service’s companion plugin. Another item that we looked at and decided not to implement, but that we thought was worth discussing publicly, is including vulnerability scores based on the popular Common Vulnerability Scoring System (CVSS).

CVSS is described as “an open framework for communicating the characteristics and severity of software vulnerabilities”. The scoring produces three scores, but for our purposes we will only discuss the Base score, which is often the only score provided. Scores range from 0.0 to 10.0, with 10.0 being the most severe. There are also textual ratings based on the numerical scores, which range from None to Critical. In addition to there being three different scores, there are now three versions of the scoring system.