As of June 10th, the security company Wordfence, which provides security software to protect WordPress websites, has been authorized by MITRE as a CNA, or CVE Numbering Authority. With this authorization, Wordfence can now assign Common Vulnerabilities and Exposures (CVE) IDs for vulnerabilities within WordPress, WordPress plugins and WordPress themes. WordPress powers a significant portion of the web, making it an extremely attractive target to threat actors.
“As the Wordfence Threat Intelligence team continues to produce groundbreaking WordPress security research, Wordfence can more efficiently assign CVE IDs prior to publicly disclosing any vulnerabilities that our team discovers. This means that a CVE ID will be immediately assigned with every vulnerability we discover rather than waiting for an assignment from an external CNA.”
As a company focused on securing WordPress, Wordfence not only provides security products but actively reviews the source of WordPress Core, plugins and themes for vulnerabilities as well. Their blog regularly details vulnerabilities and their assigned CVE ID after working with the authors until the vulnerability has been sufficiently remediated. Now a CNA, Wordfence hopes that researchers will reach out to them to have vulnerabilities quickly validated, assigned a CVE ID and remediated.
“As the original researcher, you receive the CVE ID and public credit for your discovery. You will also receive thanks from the users and community that you have protected through your responsible disclosure. Please reach out to us and we will be happy to assist.”
Analyst Notes
Wordfence has been a trusted organization, reporting and assisting to remediate vulnerabilities with WordPress for quite some time. Although previous blogs could be published while awaiting CVE ID authorization knowing that one would be granted eventually, the same may not have been possible for lesser-known organizations or independent researchers. Authorizing a new CNA with a specific focus should allow researchers to have their findings validated much more quickly than before while still retaining credit for their work. To report a vulnerability with WordPress, WordPress plugins or WordPress themes, researchers can now contact [email protected] with details on the vulnerability, a proof of concept, the scope (core, plugin, theme), version number(s), names of those who wish to receive credit (if not staying anonymous), and any other information that may be relevant to the vulnerability.
