February 2017 WordPress Core, Plugins & Themes Vulnerabilities Roundup

Last updated on April 12th, 2019 by Robert Abela. Filed under News

In this second monthly roundup of 2017 covering reported WordPress core, plugin and theme vulnerabilities, we had just a few vulnerabilities. Are things getting better? I’d like to hope so, but it seems that is not the case. Just read the developer’s response to the security issue that was reported in his premium WordPress theme Javo Spot!

This vulnerabilities and security issues roundup is made possible through WP Security Bloggers, an aggregate of popular WordPress security blogs and websites that publish WordPress security news and updates. Subscribe to the WP Security Bloggers newsletter to keep yourself up to date with what is happening in the world of WordPress security.

Overview of WordPress Vulnerabilities in February 2017

February 2017 was a very quiet month compared to January 2017. We only have 15 WordPress plugin vulnerabilities and one premium WordPress theme vulnerability. You should definitely check out the theme developer’s response when the security issue was brought to his attention. Classic!

Below is the complete list of all the WordPress plugin and theme vulnerabilities reported in February 2017:

WordPress Plugins Vulnerabilities

WordPress Themes Vulnerabilities

5 comments

Danny Bahl 06/03/2017

I love the collection of news and reports on your site.
Thank you!

You are trying to do analysis based on rather flawed data when it comes to plugin vulnerabilities.

2 of the 14 (not 15) plugin vulnerabilities you listed involve actions that probably shouldn’t be considered vulnerabilities. 3 of 10 listed vulnerabilities that come from our website were in all likelihood not reported last month, but years ago, we just put out posts with the details of them last month so that we had something to link to in our data for users of our service and companion plugin. At the same time you are missing numerous vulnerabilities that were actually reported last month that we released posts detailing last month, as well.

In total we added 39 vulnerabilities to our service’s data last month, with 4 of them being vulnerabilities that were likely discovered years ago, so a more accurate count of the number of vulnerabilities reported last month would be 35 instead of 15 (or 14). People can get a more accurate picture of what vulnerabilities were reported in plugins last month from our post detailing what we were up to with our service last month at https://www.pluginvulnerabilities.com/2017/03/01/what-we-were-up-to-in-february-2017/.

Robert Abela 15/03/2017

Hello,

Thank you for pointing out such details. These numbers and vulnerability details are compiled from what we see on the website WP Security Bloggers, which, even though it is a good indication of what is being reported or not, is not dead accurate. Definitely there are other websites out there reporting more issues that we are missing, though hopefully we will improve the coverage with time.

Considering that a majority of the entries are from our website, the reality is that the data is actually mostly compiled from our website, with it just passed through your other website WP Security Bloggers. What is odd is you didn’t mention quite a few of the vulnerabilities that we detailed last month that are listed on your other website, so you are not even getting the proper data from your own source for this post.

Ultimately the problem here is you are doing analysis based on flawed data and you should either avoid doing analysis in that case or improve the data if you are interested in presenting analysis that doesn’t mislead the public.

Robert Abela 04/04/2017

Hello,

Thank you very much for your valuable feedback.

You’re correct; the majority of vulnerabilities are reported either on your website or on the WP Scan Vulnerability database. The reason why we left out a number of vulnerabilities reported on your website is because no details are available on them. So it is not possible for us to determine when the vulnerability was actually reported.

As regards flawed analysis, I tend to disagree. These statistics / analysis are an indication of what is out there, and not a complete, dead accurate list. Having said that, we are always trying to improve our coverage, and I am confident we can improve the data if you can provide us with at least the dates of when you are finding and reporting the issues.
