10up / wpcli-vulnerability-scanner

WP-CLI command for checking installed plugins and themes for vulnerabilities reported on wpvulndb.com
MIT License
279 stars 40 forks

wp vuln plugin-status reports no vulnerability with known vulnerable plugin #38

Closed boyeatssteak closed 5 years ago

boyeatssteak commented 5 years ago

I apologize if I'm just using this tool wrong, but it appears to have a bug.

I was testing, and attempted wp vuln plugin-status while Contact Form 7 version 4.4.2 was installed. The command returned the proper version number, but indicated there were no vulnerabilities reported.

However, WPVulnDB reports a bug in CF7 that was resolved in 5.0.4.

I believe this likely has something to do with the arguments being passed to the if statement on line 695 of wp-vulnerability-scanner.php:

} elseif ( version_compare( $version, $vuln->fixed_in, '<' ) ) {

... but I'm uncertain of how to properly debug this so I can attempt to fix it myself. I also tested on another old version of a plugin with a known vulnerability (NextGen Gallery 2.2.12), but it too reported no vulnerabilities.

Is this an error in my usage, or is this a bug? Thanks!
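The condition quoted above, expanded into a small stand-alone check so the comparison can be exercised on its own. This is an added example, not code from wpcli-vulnerability-scanner or from #39; it assumes that a vulnerability record may arrive without a fixed_in value when no fix has been published, and the record titles are constructed. The point it shows: a bare version_compare( $version, '', '<' ) is false for any non-empty $version, so a record with an empty fixed_in would be reported as not applicable unless that case is handled before the comparison.

```php
<?php
// Added example, not code from wpcli-vulnerability-scanner: decide which
// vulnerability records still apply to an installed plugin version.
// Records and titles below are constructed; versions only illustrate the comparison.

/**
 * Return the records from $vulns that affect $installed.
 * A record with no fixed_in (null or '') is treated as unfixed, hence applicable.
 */
function applicable_vulns( string $installed, array $vulns ): array {
    $hits = [];
    foreach ( $vulns as $vuln ) {
        $fixed_in = $vuln['fixed_in'] ?? null;
        if ( $fixed_in === null || $fixed_in === '' ) {
            // No fix published: every installed version is affected.
            // version_compare( $installed, '', '<' ) would be false here and hide it.
            $hits[] = $vuln;
        } elseif ( version_compare( $installed, $fixed_in, '<' ) ) {
            // Installed version is older than the version that shipped the fix.
            $hits[] = $vuln;
        }
    }
    return $hits;
}

// Constructed sample records (hypothetical titles).
$vulns = [
    [ 'title' => 'Example issue A', 'fixed_in' => '5.0.4' ],
    [ 'title' => 'Example issue B', 'fixed_in' => '4.4.2' ],
    [ 'title' => 'Example issue C', 'fixed_in' => null ],
];

foreach ( [ '4.4.2', '5.0.4' ] as $installed ) {
    $hits = applicable_vulns( $installed, $vulns );
    printf( "%s: %d applicable\n", $installed, count( $hits ) );
    foreach ( $hits as $hit ) {
        printf( "  - %s (fixed in: %s)\n", $hit['title'], $hit['fixed_in'] ?? 'no fix' );
    }
}
```

Run it with php on the command line: for 4.4.2 it lists A and C (B is not older than its own fixed_in), for 5.0.4 only C. The explicit empty-fixed_in branch is the part worth keeping in any checker built around this comparison; without it, the unfixed record C would never be listed.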

rfair404 commented 5 years ago

I have a similar issue when testing with known vulnerable plugins.

oscarssanchez commented 5 years ago

Thanks for reporting @boyeatssteak, @rfair404,

We will take a look at this

oscarssanchez commented 5 years ago

Hi @boyeatssteak, @rfair404,

I pushed a fix here #39, could you please test this when you have some time?

Thanks!

boyeatssteak commented 5 years ago

After updating, that seems to have worked - the columns weren't perfectly aligned, but it at least correctly reported vulnerabilities. Thank you!