Other data providers including Patchstack, Wordfence, and WPScan are all listing the vulnerability as having been fixed, despite the developer only partially fixing it.
Be aware that CleanTalk is putting out misleading information about vulnerabilities in WordPress plugins.
They recently claimed that a vulnerability in a WordPress plugin exposed WordPress users' passwords. It didn't, only password hashes. That is significantly different.
WPScan also claimed that the vulnerability allowed "account takeover," despite that being unlikely to happen there.
Even better is to use tools that provide effective protection, as multiple tools that don't provide effective protection are still unlikely to provide effective protection when combined.
Again with the projection. You are the only one ranting here. We don't have any "scammy-ass" plugins.
The post you are replying about mentioned Wordfence in the context of us explaining how we came across a serious vulnerability, which involved us reviewing a false claim by Wordfence about a vulnerability in a plugin one of our customers started using. So it wasn't altruistic; our customers pay us to do that work. We mentioned WordPress in the context of boilerplate text explaining why we fully disclosed the vulnerability. None of that is a rant.
You can't even keep your claims straight. First you claimed we hadn't explained what the moderators were doing that is inappropriate and then you claimed we had, but you don't agree with it. To quote you, "No one is going to trust you or listen to you if you can't be honest about what's happening."
This is the plugin: https://wordpress.org/plugins/sendpress/

These are security changes the developer made today, which presumably is in response to the plugin being closed for a security issue: https://plugins.trac.wordpress.org/changeset/2990357/

Here is the file from the screenshot: https://plugins.trac.wordpress.org/browser/sendpress/trunk/classes/views/class-sendpress-view-pro.php?rev=2990358

The code in that file is still missing needed security even after the security change made today.
You seem to have us confused with someone else. We haven't claimed that WordPress forum moderators are out to get us and we don't have a victim complex. Perhaps you have an issue with projection. The moderators do act inappropriately, which plenty of people in the WordPress community have dealt with. It is why so few people participate in the forums.
As for what the moderators are doing inappropriately, we explained some of that here. That was linked to in the post you are replying about. It would help to read what you are responding to before claiming it doesn't provide something. And here is a specific example, which had nothing to do with us, where they deleted messages simply saying thank you.
You are engaged in ad hominem attacks and then appear to be getting angry that someone else responds in the same way. Please grow up.
It wasn't a revenge piece, and as for the crux of the article you are referencing, Wordfence literally claimed that wordpress.org was their website. They said "The information cited in the blog post was directly taken from our website" and then listed their website as wordpress.org. It obviously isn't true that it is their website, but it is what they claimed.
We didn't plagiarize or steal anything. We were quoting Wordfence to point out that things they were saying were not true.
If you are claiming that someone isn't telling the truth, to be fair, you would want to quote what they actually said instead of engaging in ad hominem attacks on them. That is what we did. For example, we quoted a two sentence description for what they claimed was a vulnerability and then explained why it wasn't true. We clearly were not plagiarizing them, since we were quoting them. We also were not stealing anything, as we were noting their information was wrong. It seems like you can't handle someone pointing out that Wordfence says things that are not true. That seems to be a common problem with their fanboys.
Wordfence filed DMCA takedown requests that were not legitimate. They claimed, for example, that we quoted them "without authorization and without citing the original source". We cited the original source (it's how they knew what we were quoting in the first place) and you don't need authorization to quote someone.
You were criticizing us for what you claimed is a "poorly written article and poorly made site", so getting things wrong yourself stands out.
We don't have any axe to grind. We do have to deal with the results of Wordfence making false claims about vulnerabilities. As was the case with what led to us finding a serious vulnerability, after they falsely claimed there had been a vulnerability in a plugin that one of our customers started using. A lot of other people do as well, like when an unfixed vulnerability was widely exploited months after they claimed it had been fixed.
What are you claiming is misleading and also disingenuous?
You couldn't even be bothered to get Wordfence's name right, but is there anything you are claiming is inaccurate in the post or is this just an ad hominem attack because you can't handle them being legitimately criticized?
The plugins that provided protection are:
- NinjaFirewall
- Plugin Vulnerabilities Firewall
- Wordfence Security
All of them provided protection without a rule written for the specific vulnerability being exploited, so they will protect against similar vulnerabilities in the future as well.
The issue described as "identifying a way for logged-in users to execute any shortcode" has been a publicly known issue for many years. It's odd that WordPress finally decided it was something that shouldn't be allowed. It also looks like there are plugins with tens of thousands of installs that now have what WordPress considers a vulnerability, as they allow some variation of that as well.
Among the problems with Wordfence Security is that the developer tries to scare people by emphasizing the number of attacks, while failing to note when they know the attacks would have failed even without the plugin. Almost all attacks fail on their own, because of things like attempts to exploit vulnerabilities that don't exist on the website or trying to log in with usernames/passwords that are not used. It's unlikely that your website would have been taken over multiple times without that plugin. In fact, in our testing, it continues to provide significantly less protection than other firewall plugins against real threats.
Avoiding security solutions that engage in FUD like Wordfence Security does seems like a good idea.