WPScan, a security company that maintains a database of WordPress vulnerabilities, has been officially designated as a CVE (Common Vulnerability and Exposures) Numbering Authority (CNA). The company joins 151 organizations from 25 countries that participate in the CVE Program as CNAs. These organizations are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities within their own distinct scopes of work, contributing to CVE’s list of records for publicly known security vulnerabilities.
WPScan’s scope includes WordPress core, plugin, and theme vulnerabilities. The company has catalogued more than 21,905 vulnerabilities since 2014 in its database, which it makes available to the community through an API. That API is also used by the WPScan Security Scanner plugin, which is installed on 5,000+ websites.
Being designated as a CNA helps WPScan better manage WordPress vulnerabilities by assigning them unique IDs that are recognized across the industry.
“Asking MITRE to assign CVEs for each of our vulnerabilities would have been too time consuming in the past,” WPScan founder and CEO Ryan Dewhurst said. “Although some security researchers will go through this process directly with MITRE, we didn’t due to the volume of vulnerabilities we have to manage. And security researchers only requested them themselves very rarely. The new process means that we ourselves can assign CVE numbers directly to vulnerabilities. This will result in many more WordPress related vulnerabilities being assigned CVE numbers.”
WPScan is a team of three security researchers who come from penetration testing backgrounds and have worked within security consulting for the past 10 to 15 years. The company started with a simple Ruby script in 2011, which identified vulnerabilities in self-hosted WordPress sites. For the past two years, Automattic has sponsored the company’s efforts in maintaining the database, as WPScan has transitioned to become a sustainable business by selling access to its API.
Dewhurst said the company’s customers include “some of the biggest security plugins and hosting companies in the world,” but many of them don’t advertise the fact that use a third-party to source the vulnerabilities. Most of WPScan’s enterprise customers are security plugins, companies, and hosts that integrate data from the vulnerability database into their own products and services.
“Our business is doing well,” he said. “Right now we are trying to find the right balance between being a business and making money, while also benefiting the community as much as possible.”