Title: Old/irrelevant vulnerability warnings
Last modified: October 5, 2022

---

# Old/irrelevant vulnerability warnings

 *  Resolved [Peter M.](https://wordpress.org/support/users/inveress/)
 * (@inveress)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/)
 * Hi, it seems like the new unpatched vulnerability feature might be triggering
   invalid and/or outdated vulnerability warnings.
 * I’ve received warnings about vulnerabilities in Happy Elementor Addons Pro and
   TablePress on separate sites. In both cases, the CVE links provided went to 404,
   but when I manually searched CVE and found the vulnerabilities, they were both
   old and did not apply to the versions of the plugins I have currently installed.
 * E.g.:
 * CVE link provided for Happy Elementor Addons Pro vulnerability:
    [https://www.cve.org/CVERecord?id=CVE-2021-24292](https://www.cve.org/CVERecord?id=CVE-2021-24292)
 * Correct link to CVE vulnerability:
    [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24292](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24292)
 * This vulnerability seems to be dated January 2021 and applies to the Pro plugin
   version 1.17.0, whereas I have the current version, 2.6.0, installed.
 * Is there any valid reason for these vulnerabilities to be reported now?
 * Cheers, Peter.

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16072151)
 * Hi [@inveress](https://wordpress.org/support/users/inveress/), thanks for the
   report on this.
 * Our Threat Intelligence team has just taken a look at this. The Pro version was
   reported as “vulnerable < 2.24.0”, instead of the _free_ version. The record 
   now reflects the correct free and premium version affected ranges.
 * Peter.
 *  [Bob](https://wordpress.org/support/users/boblindner/)
 * (@boblindner)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16072506)
 * I’m also receiving a few security vulnerability emails that seem wrong. The
   “Vulnerability Information” link 404s at cve.org and when I search for the CVE
   number it’s pretty old. Have received about a dozen from several sites so far
   including:
    - The Plugin “TablePress” has a security
    - The Plugin “Responsive Lightbox” has a security vulnerability.
    - The Plugin “Ninja Forms – File Uploads” has a security vulnerability.
    - The Plugin “WP Super Cache” has a security vulnerability.
    - The Plugin “Admin Columns Pro” has a security vulnerability.
 *  [Ladewig](https://wordpress.org/support/users/ladewig/)
 * (@ladewig)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16077517)
 * Same issue here. TablePress 1.14 is getting reported as vulnerable because of
   CVE-2019-20180 which was for TablePress 1.9.2. This only started appearing recently,
   so something changed.
 *  Thread Starter [Peter M.](https://wordpress.org/support/users/inveress/)
 * (@inveress)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16077612)
 * Thanks [@wfpeter](https://wordpress.org/support/users/wfpeter/). Is the general
   issue here that vulnerabilities are raised in CVE and then never closed off, 
   resulting in old problems being seen as ‘current’?
 * Tobias, the author of TablePress, for example, did not attend to the TablePress
   CVE vulnerability as he did not see it as a problem with TablePress specifically
   (and he’s correct, I think, if I understand the issue correctly). I assume this
   would mean the “vulnerability” will never be “fixed”, as far as CVE is concerned.
   Would this mean that we’ll be continually warned about it?
 * Thanks, Peter.
 *  [Ladewig](https://wordpress.org/support/users/ladewig/)
 * (@ladewig)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16080409)
 * The 2019 CVE says that it applies to TablePress versions up to and including 
   1.9.2. Why would Wordfence invoke a CVE for a version that is newer than the 
   affected versions in the CVE?
 *  [adriansanduws](https://wordpress.org/support/users/adriansanduws/)
 * (@adriansanduws)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16085680)
 * This is starting to be annoying. For 3 years now there was no issue, but now WF
   decides TablePress 1.14 has a critical vulnerability, although the CVE says
   it’s up to v1.9.2.
    -  This reply was modified 3 years, 6 months ago by [adriansanduws](https://wordpress.org/support/users/adriansanduws/).
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16088174)
 * Hi [@inveress](https://wordpress.org/support/users/inveress/),
 * The TablePress plugin does have an active risk of a CSV Injection. All versions
   are vulnerable including 1.14. Our team is in contact with the developer and
   has explained the inherent risks of the vulnerability. The vulnerability is
   **not critical** as it has a very low chance of being exploited but it is still
   a valid security issue. It’s Wordfence’s job to alert our users to these vulnerabilities.
   We don’t try to guess if those users might be compromised as a result of the
   vulnerabilities or not.
 * When an old vulnerability has been patched, we only warn when the customer is
   using that version of the plugin to advise that they should update. If a plugin
   does have a CVE ID issued, we’re not the entity that decided it was a valid vulnerability
   but will alert our customers to it.
 * Thanks,
 * Peter.
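
The matching behaviour discussed in this thread, as an added Python illustration (not Wordfence's code and not part of any post): each feed record is keyed to a plugin slug and carries an affected-version range, and a record with no upper bound models an unpatched issue that matches every installed version. The slugs, the Pro range of "up to and including 1.17.0" and the feed layout are assumptions constructed for the example.

```python
import re

def parse_version(v):
    # Compare numerically: as strings "1.14" < "1.9.2", as tuples (1, 14) > (1, 9, 2).
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _pad(a, b):
    # Pad the shorter tuple with zeros so 1.14 is compared as 1.14.0.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def affected(installed, record):
    """True if the installed version falls inside the record's affected range.
    A missing bound is unbounded; no upper bound models an unpatched issue."""
    v = parse_version(installed)
    lo, hi = record.get("from"), record.get("to")
    if lo is not None:
        a, b = _pad(v, parse_version(lo))
        if a < b:
            return False
    if hi is not None:
        a, b = _pad(v, parse_version(hi))
        if a > b or (a == b and not record.get("to_inclusive", False)):
            return False
    return True

def warnings(installed_plugins, feed):
    """Return (slug, version, id) for each record filed under that exact slug."""
    return [(slug, ver, rec["id"])
            for slug, ver in installed_plugins.items()
            for rec in feed.get(slug, [])
            if affected(ver, rec)]

# Constructed feeds; slugs and the Pro range are placeholders, not Wordfence data.
FREE_RANGE = {"id": "CVE-2021-24292", "to": "2.24.0", "to_inclusive": False}
MISKEYED = {"addons-pro": [FREE_RANGE]}  # free "< 2.24.0" range filed under Pro
CORRECTED = {"addons-free": [FREE_RANGE],
             "addons-pro": [{"id": "CVE-2021-24292", "to": "1.17.0",
                             "to_inclusive": True}]}
CVE_TEXT = {"tablepress": [{"id": "CVE-2019-20180", "to": "1.9.2",
                            "to_inclusive": True}]}
UNPATCHED = {"tablepress": [{"id": "CVE-2019-20180"}]}  # no upper bound

SITE = {"addons-pro": "2.6.0", "tablepress": "1.14"}  # versions from the thread

if __name__ == "__main__":
    for name, feed in [("mis-keyed", MISKEYED), ("corrected", CORRECTED),
                       ("CVE text", CVE_TEXT), ("unpatched", UNPATCHED)]:
        print(name, warnings(SITE, feed))
```

The mis-keyed and unpatched feeds each produce one warning for the site in the thread, while the corrected record and the range taken literally from the CVE text produce none.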


The topic ‘Old/irrelevant vulnerability warnings’ is closed to new replies.


 * 11 replies
 * 5 participants
 * Last reply from: [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * Last activity: [3 years, 6 months ago](https://wordpress.org/support/topic/old-irrelevant-vulnerability-warnings/#post-16088174)
 * Status: resolved