Viewing 3 replies - 1 through 3 (of 3 total)
  • Not all security vulnerabilities are exploitable in the real world. Through Astra’s history, if there was a significant security issue, all users were notified. However, not all security issues are exploitable, and it serves no purpose to email all our users to give them false alarms, because then, if there is something serious, they no longer take it seriously. This is currently an issue with the top security companies, because they know the average user will not understand that not all security issues are equal, and you do more harm notifying about every little thing via email. It creates a numbness.

    The way we handle our change log is always to mention that the update includes a security-related improvement, but not to give specifics. It’s unwise to list specifics, which essentially gives potential hackers a blueprint. The proper procedure is to release an update that mentions security (which we did), give site owners time to update (which we are doing), and then the reporter (in this case WordFence) will publicly disclose the discovery in 60 days.

    In this case, as you see from the WordFence report, the only way to exploit this is for someone to already have an account on the WordPress site with elevated privileges. Do you know how many of these security updates require admin privileges already to be exploited? From experience, many. So they are not all equal.

    That said, we take all security reports seriously and act promptly. In this case, we had the improvement done the same day that WordFence reported it to us privately.

    Also, don’t forget, the main reason we get reports is that we publicly offer a generous bug bounty program. This is not common for WordPress theme/plugin developers, but we take security very seriously and have never had a serious security issue after all these years.

    Thread Starter karlemilnikka

    (@karlemilnikka)

    Thank you very much for providing my requested reasoning. This is transparency I’ve come to expect from Brainstorm Force.

    Yes, vulnerabilities differ very much in severity. That’s why it’s so important to tell us about them so we know whether or not we need to take action immediately. When a vulnerability disclosure is hidden behind ambiguous statements like “enhanced security”, we don’t know how quickly we need to update. This time, it was just a medium severity vulnerability (that wouldn’t even affect our sites), but without clear communication, we don’t know that the next time it happens.

    Thread Starter karlemilnikka

    (@karlemilnikka)

    Thank you very much for the improved transparency shown with today’s Spectra update. This is the transparency and professional handling I expect from Brainstorm Force (and why I choose your products).

  • The topic ‘Changelog does not mention vulnerability’ is closed to new replies.