Recently, someone posted on the WordPress support forum asking which versions of a plugin that had an exploited vulnerability were vulnerable, as they were using older versions of the plugin on websites. If they had looked at news coverage or information from competitors of ours, they would have been told that all previous versions were vulnerable. But that wasn’t true. The vulnerability existed in only a few versions. In another recent situation, we found that an exploited vulnerability had only existed in one version, despite being claimed to be in all previous versions.
What is going on? As strange as it may sound, other WordPress plugin vulnerability data providers don’t actually figure out which versions are vulnerable, but then claim that all previous versions are. If they disclosed that and said they wanted to be on the safe side by listing all previous versions, that would be one thing, but they don’t disclose that.
We are the only WordPress plugin vulnerability data provider that actually determines which versions of plugins are vulnerable. That isn’t just important if you are using old versions of plugins: we are often finding that vulnerabilities our competitors claim are fixed haven’t been fixed. It shouldn’t be surprising that if providers are cutting corners in one way, by not determining which versions are vulnerable, they will cut corners in other ways.