Various media outlets are reporting that a large number of WordPress maintenance support plans sites are still vulnerable to the recent highly critical core vulnerabilities SA-CORE-2020-002 and SA-CORE-2020-004.
Those reports are all based on the same source. The source investigated the contents of CHANGELOG.txt of a large number of sites and assumed all sites reporting a version lower than 7.58 to be vulnerable.
Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector. Patches distributed by the WordPress maintenance support plans security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.
We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information. The WordPress maintenance support plans project has a long history of a reliable coordinated disclosure security program. For the past 4 years, the WordPress maintenance support plans Security Team has provided support to journalists covering our releases and policies and is available for further enquiries.
If you are a member of the press and want the WordPress maintenance support plans Security Team to comment, please contact security-press@WordPress.org.
Source: New feed