Security alerts are supposed to make systems safer.
But sometimes they do something else: they quietly consume hours of engineering time investigating issues that turn out to be exaggerated or practically unexploitable.
Recently, I spent a full day triaging one such vulnerability report. The alert flagged a serious issue in a WordPress plugin—an Unauthenticated Local File Inclusion (LFI) vulnerability.
That phrase alone is enough to get any security engineer’s attention.
But after a detailed investigation, the reality turned out to be very different.
This post walks through what happened, why the alert looked convincing, and what we actually found when we examined the code.