pluginvulns.bsky.social
Provider of service to protect websites from being exploited due to vulnerable WordPress plugins. https://www.pluginvulnerabilities.com/
902 posts 60 followers 25 following

CVE Rule Allows MITRE to Hide When They Are Failing to Provide Timely Information on Vulnerabilities

This is a great example of there being one set of rules for those in control of WordPress and another for everyone else. They say this policy is about "accountability," but the support forum moderators can and do post as a generic anonymous "moderator" account.

CleanTalk Claims to Vet WordPress Plugins for Insecure Dependencies While Their Security Plugin Contains Known Vulnerable Library

Plugin Security Scorecard February Results

Persistent Cross-Site Scripting (XSS) Vulnerability in Traffic Manager

Developer of 1+ Million Install WordPress Plugin Warned Multiple Times of Known Vulnerable Library in Plugin and Still Hasn't Addressed It

Popular WordPress File Manager Plugins Contain Third-Party Library With Multiple Vulnerabilities

Settings Change and Persistent Cross-Site Scripting (XSS) Vulnerabilities in Donate vista

The Good and Bad of Unexplained Change to WordPress Plugin Directory That Exposes Owners of Plugins

Backdoor Code Routes Malicious Actions Through WordPress REST API

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

While there are breathless claims made by security provider Recorded Future in this story, the bottom line is the hackers are apparently exploiting vulnerabilities fixed in 2023!

"The most common problems were factual inaccuracies, sourcing, and missing context." So AI has the same problems that human journalists have.

WordPress Plugin Developers' Assurances Their Plugins Are Secure Continue to Not Bear Out

@dothewoo.bsky.social The RSS link in the footer of your website, dothewoo.io/woocommerce-..., is currently broken.

Imagine thinking that CVE is a model for helping to secure anything. Especially, when you are acknowledging it has been around since 1999 (and security is in such bad shape still). harris.uchicago.edu/sites/defaul...

WordPress is peddling falsehoods coming from Patchstack. This post says: "Patchstack, a cyber security company helping companies and software developers to identify & patch vulnerabilities in open-source code." Patchstack actually makes it harder to get vulnerabilities fixed in WP plugins!

WordPress Plugin Includes Version of Third-Party Library That Was Publicly Known to Be Vulnerable Years Before Plugin Was Even Released

WordPress Plugin Security Review: AspireUpdate

The war on security terminology continues.

A year-old WordPress AI plugin contains an outdated third-party JavaScript library that has three vulnerabilities disclosed by the developer in 2021 and another disclosed in 2022. Again, the plugin is only a year old, so the developer decided to use a years-out-of-date version known to be vulnerable.

Why did a security company have a 16- or 17-year-old intern who had access to company secrets?

Patchstack Isn't Actually Patching Vulnerabilities

This seems like a pretty clear infringement of Nintendo's IP on the homepage of Patchstack.

CVE Actually Does Trust Open Source Implicitly and That Is a Problem

Plugin Security Scorecard January Results

CVE Farming – Problem & Solution