When it comes to getting vulnerability data on WordPress plugins you have two main options: the data provided with our service and that from the WPScan Vulnerability Database, which is widely used (though often not disclosed as the source). While years ago we recommended WPScan’s data as a good option for a lot of websites since it was available for free, over time the quality of their data has gotten worse and worse, making it irresponsible to recommend using it anymore. Then they started charging for most access to their data, but if anything, the data quality got even worse after that.
While WPScan emphasizes the quantity of vulnerabilities they are adding, they are missing almost all of the vulnerabilities we have discovered. That is a problem considering that not only are we the largest discoverer of vulnerabilities, but we are the largest discoverer of the most serious vulnerabilities, whether they are likely to go on to be widely exploited or hackers already look to be getting ready to target them. Missing those is going to leave users in the dark when they have the greatest need for this type of data. Amazingly, they are intentionally not including vulnerabilities we discover unless they can find someone who has copied our reports to cite instead of us, for reasons that don’t make sense.
Quantity isn’t much good if the quality is terrible. For the vulnerabilities that they add, what we have found recently is that they still don’t do proper due diligence, so they include false reports of vulnerabilities (sometimes while missing a more serious real vulnerability) and also falsely claim that unfixed vulnerabilities have been fixed. What good is warning about vulnerabilities if you are incorrectly led to believe they have been fixed?