20 Apr 2023

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known vulnerability and that the plugin had remained in the WordPress Plugin Directory despite that. That isn’t a one-off issue. Today we saw the same hacker probing for usage of the ReviewX plugin, which is still in the plugin directory. That isn’t a surprise, as the plugin has recently had an authenticated SQL injection vulnerability disclosed. More problematically, as we warned about two weeks ago, it was incorrectly claimed to have been fixed.

In our previous post, we noted that the incorrect claim that this had been fixed had been included in the CVE system, which is funded by the US government. CVE is a system that is treated as a reliable and notable source of information on vulnerabilities, for reasons we can’t understand. In reality, just about anyone is allowed to add data to the system, and there isn’t a functioning process to make sure it is accurate. With this vulnerability, we reported to the company that put the information into the CVE system that the information was incorrect, but it hasn’t been corrected. Here is the current state of the entry, still claiming that this affected versions before 1.6.4: [Read more]

5 Apr 2023

Our Firewall Plugin Caught That SQL Injection Vulnerability Tenable Discovered Hasn’t Actually Been Fixed

Last month, security provider Tenable claimed that an authenticated SQL injection vulnerability had existed in the WordPress plugin ReviewX and was fixed in version 1.6.4. It turns out the vulnerability hasn’t been fixed.

The CVE system allowed Tenable to create a CVE ID for this, CVE-2023-26325, and didn’t check to make sure the claims were accurate. [Read more]