15 Nov 2022

VulDB’s Alarmism on Display With False Claim of “Critical” Vulnerability in WordPress Plugin Activity Log

Earlier today someone posted on the support forum for the 200,000+ active install WordPress plugin Activity Log with the subject “Critical Exploit: Disable plugin Immediately!” and wrote this:

As reposted by CISA and NIST, NVD this plugin has a critical exploit, CVE-2022-3941, and we are removing from all of our servers pending revision and reporting from the makers. [Read more]

4 Nov 2022

CVE Numbering Authority VulDB Falsely Claimed That 800,000+ Install WordPress Plugin Contained Vulnerability

Yesterday, a topic was created on the WordPress Support Forum about a claimed vulnerability in the WordPress plugin The Events Calendar with the message:

VulDB published an advisory concerning a vulnerability in The Events Calendar plugin, at https://vuldb.com/?id.212632. [Read more]

21 Mar 2017

VulDB Includes False Report of Vulnerability in WordPress Plugin

One of the differences when you get data on vulnerabilities in WordPress plugins you use from us instead of other providers is that we actually make sure that claimed vulnerabilities exist. Being warned about a vulnerability that doesn’t exist obviously isn’t useful, especially if you are told that vulnerability is in the current version of the plugin, which is often the case.

Yesterday we looked at an example of just such a situation with the plugin WP Markdown Editor. We mentioned how the WP Scan Vulnerability database, which is the true source of plugin vulnerability data for almost any service or plugin other than ours, includes this vulnerability in their data. They are not alone, as the website VulDB, vuldb.com, also includes it. [Read more]