The CVE system is treated as a reliable source of information on vulnerabilities, both in WordPress plugins, but also more broadly. It isn’t. It also is failing with a more basic element, actually having the records for claimed vulnerabilities. On Friday of last week, a source of security exploit attempt data we recently started monitoring was showing that a vulnerability identified as CVE-2024-48248 was receiving exploit attempts. What was odd about that is the CVE entry for that ID was empty. It looked like this at the time:

[Read more]