Wordfence Security - Firewall & Malware Scan support forum » Failing to report Plugin update includes Security Fixes

  • Resolved iTeamWP

    (@iteamwp)


    Hello,

    We’re noticing an increase in the amount of plugin updates that are not being marked as “Security Fix” in our wordfence emails (“Problems found on http://www.example.co.uk”).

    The most recent occurrence of this was the uk-cookie-consent plugin.
    This updated from 2.3.9 to 2.3.10 after a security vulnerability was patched.

    Changelog:
    2.3.10
    Fixed: fixed security vulnerability identified by James Boughey

    We maintain a large client base and rely on these emails to quickly determine if the update needs to be applied immediately (Security related) or if it can be put on hold temporarily (Feature update).

    Kind regards

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @iteamwp,

    We do mark plugins as being vulnerable when we know for certain they are.

    Unfortunately we can’t rely on authors’ changelogs for detecting vulnerabilities, because there are too many inconsistencies (for example, they might mention “security hardening”, which isn’t necessarily a vulnerability fix) and some authors maintain changelogs outside of wordpress.org or commit changelogs in a non-standard way.

    Once a vulnerability is officially confirmed we update our servers’ list of known vulnerabilities which then allows scans to accurately report the issue.

    I confirmed the “UK Cookie Consent” plugin now shows a critical scan result with a link about the security fixes for version 2.3.9 -> 2.3.10.

    Thread Starter iTeamWP

    (@iteamwp)

    Hi wfyann,

    Thanks for your detailed response.

    Could you please clarify a couple more queries relating to this issue for me?

    1. Once you’ve completed your official checks and identified the plugin as critical, do you send out another email alert?
    2. What sort of time frame can we expect from Wordfence from update release to detecting it as critical?

    Thanks in advance!

    Hi @iteamwp,

    The email alerts are generated when the scans report issues, so, unless you run a new scan, the reason for the suggested update won’t be reassessed, and therefore no new email alert will be sent until a new scan is executed.

    It’s not that we perform specific checks on our side, rather we update our list of known vulnerabilities by pulling information from an official source; our servers are updated at least once a day.

    Sometimes a plugin author fixes a vulnerability that hasn’t been reported yet, and in such a case official sources for vulnerabilities do not report the issue.
    Regarding the time frame: again, it all depends on when the security issue gets confirmed/validated. We have no control over that.

    You can check these resources for more information on known vulnerabilities: National Vulnerability Database (NVD), CVE.
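As an added illustration of the approach this reply describes (example code, not Wordfence's own): an update is flagged as a security fix only when a confirmed entry in a known-vulnerability list covers the installed and offered versions, with the changelog-keyword heuristic the reply rejects shown beside it so its noise is visible. The vulnerability list, the `KnownVuln` record and the version handling are constructed assumptions for this example.

```python
"""Triage WordPress plugin updates against a known-vulnerability list.

Added example, not Wordfence code. An update counts as a "Security Fix" only
when a confirmed vulnerability entry says the installed version is affected
and the offered version contains the fix. Changelog wording is not trusted.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.3.10' -> (2, 3, 10); numeric tuples avoid '2.3.9' > '2.3.10'."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)          # ignore suffixes such as '1.0-beta'
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


@dataclass(frozen=True)
class KnownVuln:
    slug: str       # plugin directory slug on wordpress.org
    fixed_in: str   # first version that contains the confirmed fix


# CONSTRUCTED list standing in for a feed pulled from an official source
# (NVD / CVE, as the reply mentions); no real advisory identifiers asserted.
KNOWN_VULNS = [
    KnownVuln("uk-cookie-consent", "2.3.10"),
]


def classify_update(slug: str, installed: str, available: str,
                    vulns=KNOWN_VULNS) -> str:
    """Return 'security' if a confirmed entry covers this update, else 'feature'."""
    inst, avail = parse_version(installed), parse_version(available)
    for v in vulns:
        if v.slug != slug:
            continue
        fixed = parse_version(v.fixed_in)
        # installed release is affected and the offered release contains the fix
        if inst < fixed <= avail:
            return "security"
    # No confirmed entry: even a changelog saying "security" stays 'feature',
    # which is exactly the gap the thread starter observed before confirmation.
    return "feature"


def changelog_heuristic(changelog: str) -> str:
    """Keyword matching the reply rejects; 'security hardening' also trips it."""
    return "security" if "security" in changelog.lower() else "feature"
```

Until the list entry exists, `classify_update` reports the uk-cookie-consent update as a feature update, which matches the behaviour the thread describes; a rescan after the list is updated is what changes the result.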

  • The topic ‘Failing to report Plugin update includes Security Fixes’ is closed to new replies.