• Hello,

    Here are some insights and questions.

    1 – As far as I understood, this plugin doesn't use an external database to get the latest issues. That is bad, because by the time you need to update the plugin and we (me and others) need to update it and run it again, our site will be infected and not working. I read that you have a proposal to get the issues from a database from another plugin developer. That looks better. Or you could use the well-known WPScan database. Making new versions for each newly found issue doesn't make any sense to me.

    2 – The historical data is very good, because with it I can understand if a plugin has a clean security history or not, or something close to that.

    I don't know where you get that data from, but you are missing some.

    For instance, I get this historical data from another similar plugin, but yours is not giving me this information:

    Vulnerability found: Exploit Scanner – FPD and Security bypass vulnerabilities — View details

    Vulnerability found: LayerSlider 4.6.1 – Style Editing CSRF — View details

    Vulnerability found: LayerSlider 4.6.1 – Remote Path Traversal File Access — View details

    Vulnerability found: TinyMCE Advanced 4.1 – Setting Reset CSRF — View details

    Vulnerability found: wp-clone-by-wp-academy <= 2.1.1 – XSS in ZeroClipboard — View details

    Does this mean you are missing these plugins, even for the installed version?

    Thank you

    https://www.ads-software.com/plugins/plugin-vulnerabilities/
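The check the original poster is asking about in point 2 (does a scanner flag the installed version of a plugin against a list of disclosed vulnerabilities?) comes down to version-range matching. Below is an added example of that matching; it is not code from the Plugin Vulnerabilities plugin or from anyone in this thread. The vulnerability entries are constructed from the five lines quoted above; where the listing names only a single version (LayerSlider 4.6.1, TinyMCE Advanced 4.1) the entry is assumed to match that exact version, since the listing does not say whether earlier versions are also affected, and the Exploit Scanner entry, which names no version, is assumed to apply to every version. The installed-plugin inventory is made up.

```python
"""Match installed WordPress plugin versions against a local list of
disclosed vulnerabilities (added example; entries constructed from the
forum post above, installed inventory is made up)."""
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.10.2' into (4, 10, 2) so that 4.10 sorts after 4.9;
    plain string comparison would get that wrong. Non-numeric
    components such as 'beta' are treated as 0."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1; '4.6' and '4.6.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


# Operator -> predicate on the result of version_cmp(installed, bound).
_OPS = {
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "==": lambda c: c == 0,
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
}


def is_affected(installed: str, affected: Optional[str]) -> bool:
    """affected is a comma-separated conjunction of bounds such as
    '<= 2.1.1' or '>= 4.0, < 4.1'; a bare version means '=='; None
    means no version bound is known, so every version is reported."""
    if affected is None:
        return True
    for clause in affected.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)?\s*([\d.]+[\w\-]*)\s*", clause)
        if not m:
            raise ValueError(f"bad version constraint: {clause!r}")
        op = m.group(1) or "=="
        if not _OPS[op](version_cmp(installed, m.group(2))):
            return False
    return True


@dataclass(frozen=True)
class Vuln:
    slug: str            # plugin directory name (assumed slugs)
    title: str           # short description from the disclosure
    affected: Optional[str]  # version constraint, see is_affected()


# Constructed from the five entries quoted in the post; the exact-match
# constraints for LayerSlider and TinyMCE Advanced are an assumption.
VULNS: List[Vuln] = [
    Vuln("exploit-scanner", "FPD and Security bypass vulnerabilities", None),
    Vuln("layerslider", "Style Editing CSRF", "== 4.6.1"),
    Vuln("layerslider", "Remote Path Traversal File Access", "== 4.6.1"),
    Vuln("tinymce-advanced", "Setting Reset CSRF", "== 4.1"),
    Vuln("wp-clone-by-wp-academy", "XSS in ZeroClipboard", "<= 2.1.1"),
]

# Made-up inventory of what a site has installed (slug -> version).
INSTALLED: Dict[str, str] = {
    "layerslider": "4.6.1",
    "tinymce-advanced": "4.2.0",
    "wp-clone-by-wp-academy": "2.0.10",
    "exploit-scanner": "1.5",
    "akismet": "3.1.0",
}


def scan(installed: Dict[str, str], vulns: List[Vuln]) -> List[Tuple[str, str, str]]:
    """Return (slug, installed_version, title) for every matching entry."""
    hits = []
    for v in vulns:
        version = installed.get(v.slug)
        if version is not None and is_affected(version, v.affected):
            hits.append((v.slug, version, v.title))
    return hits


if __name__ == "__main__":
    for slug, version, title in scan(INSTALLED, VULNS):
        print(f"Vulnerability found: {slug} {version} - {title}")
```

With the inventory above the scan reports both LayerSlider entries, wp-clone-by-wp-academy (2.0.10 is below 2.1.1, which a string comparison would miss) and Exploit Scanner, and correctly stays silent on TinyMCE Advanced 4.2.0 and on akismet, which has no entry. Note that an entry without a version bound produces a warning on every version, which is the trade-off behind the maintainer's point below about only including entries they have verified.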

Viewing 1 replies (of 1 total)
  • Plugin Contributor whitefirdesign

    (@whitefirdesign)

    1. Our plugin is designed to be used in conjunction with keeping your plugins up to date. If you are not keeping your plugins up to date you are going to have a bigger problem than not having the latest data for our plugin as our plugin can only possibly warn about publicly disclosed vulnerabilities, so if a developer fixes a vulnerability and no one discloses it wouldn’t be possible for our plugin to warn about it.

    We also try to make sure the developer has been privately notified about an unfixed vulnerability before we add it to our plugin, so the developer has a chance to fix it before we provide more attention to the vulnerability. We also do that because it is a lot more useful for the plugin to be fixed than for us to warn people about an unfixed vulnerability and for them to have to decide how to handle it.

    If you turn on automatic background updates for plugins using our Automatic Plugin Updates plugin or another method and turn on email alerts in this plugin, then the updates and checking should occur seamlessly behind the scenes without requiring any interaction on your part.

    2. Please read the following information from the description page for our plugin:

    Because we verify each vulnerability before including it, not all known vulnerabilities are included, but we are increasing the number of included vulnerabilities on a regular basis.

    If you want to let us know of a missing vulnerability or if we need to correct something in an included vulnerability, please leave a message in the support forum or send an email to [email protected]. For missing vulnerabilities please include a link to the details of the vulnerability.

  • The topic ‘Some questions and feedback’ is closed to new replies.