6 Nov 2023

News Outlet Claims WordPress Plugin Contained Vulnerability Because an Administrator Could Access the Website’s Database

On Friday, a news outlet that Google News includes, despite its repeatedly running false stories about vulnerabilities in WordPress plugins, was at it again. Roger Montti, writing for the Search Engine Journal, made this claim:

The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to hackers. [Read more]

6 Jun 2023

Akamai Warns Their Web Application Firewall (WAF) Doesn’t Protect WordPress and WooCommerce Websites

So often, what passes for security journalism misses the important details in claims made by security providers that are the sole source for stories. Take, for instance, a recent story that popped up in a Google News alert we have set up to alert us to stories about WordPress plugin vulnerabilities. That story, by Roger Montti at the Search Engine Journal, claimed that the ecommerce platforms WordPress and WooCommerce were being targeted by a hacking campaign (no explanation was provided for classifying WordPress and WooCommerce as separate platforms). Nothing in the story suggests what would have made this hacking campaign noteworthy, but it did mention a recommendation that is noteworthy. It said that it is recommended to use a web application firewall (WAF) to protect against this hacking campaign, but the sole source for the story, Akamai, itself said those don’t work against these attacks:

Generally, these attacks cannot be detected by popular methods of web security, such as web application firewalls (WAFs), and are executed on the client side. [Read more]

14 Nov 2022

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone who describes himself as a “search marketer”, writing for a news outlet unrelated to security, is writing about those vulnerabilities we don’t know. Whatever the reason, his stories on the subject get included in Google News and spread on social media.

Mr. Montti’s WordPress plugin vulnerability stories are often wrong in multiple different ways and in ways that indicate he is not familiar with the subject matter (not surprising considering his non-security background). We tried in the past to gently suggest to him that information in stories was not entirely accurate, but he never corrected those stories and continued to make the same mistakes. He hasn’t gotten anyone else with knowledge of security to provide input for his stories either. The Search Engine Journal also doesn’t seem interested in addressing this, as we never got a response when we contacted them about a story from him that was outright false. [Read more]

4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ million installs according to wordpress.org. Recently another piece of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability, despite that vulnerability appearing not to exist. That isn’t the only recent instance of that happening.

Recently they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is the whole sentence, they keep missing periods at the end of sentences): [Read more]