• Dear Wordfence Team,

    I am a Wordfence user managing multiple websites, and I rely heavily on automated scans with email alerts configured for “High” severity or greater. My goal is to stay informed about critical vulnerabilities while avoiding unnecessary notifications for lower-severity issues.

    However, I have noticed that Wordfence categorizes every vulnerability as “Critical” in its scan results, regardless of the actual CVSS severity level. For example, I recently received an alert for a plugin vulnerability rated 4.9 (Medium) CVSS, which applies only to “Authenticated (Administrator+)” users. While this is noteworthy, it does not warrant a “Critical” designation under typical severity classifications, and I would not expect an email notification when my preferences are set to “High” or greater. This approach results in frequent notifications for low-level vulnerabilities, which dilutes the importance of truly critical alerts. For some time, I believed this behavior was a bug, but I understand now that it is by design.

    Would it be possible to introduce an option to align scan result severity with CVSS ratings or allow users to filter email alerts more precisely based on CVSS levels? This change would significantly improve the relevance of email notifications for users like me who manage a large number of sites.

    Thank you for considering this request, and I look forward to hearing your thoughts.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @frzsombor, thanks for your suggestion.

    I’ll certainly put it forward to the team as all suggestions are discussed, although we can never provide updates or guarantee a feature will make it into the plugin here on the forums.

    I can see your point of view for sure, although we would consider any detected plugin vulnerability as “critical” because our alert severity levels are based on a multitude of issues that could arise with your WordPress site: https://www.wordfence.com/help/dashboard/alerts/

    If you see a vulnerability has been detected and (after investigating the links provided) deem the threat to be low enough not to disable a plugin on your site, that’s your informed decision. As you know, you can reduce the severity level in the plugin that you’re alerted about, but some administrators may consider any perceived threat as good enough reason to disable a plugin. Lowering the threat level may mean they aren’t alerted at all but would be dissatisfied leaving that plugin active had they been aware.

    Many thanks,
    Peter.
