3 Jan 2022

Patchstack, cPanel, and Plesk Falsely Claimed Fixed Vulnerability in WordPress Plugin Hadn’t Been Fixed

Among the many problems caused by the WordPress security industry is plugin developers having to deal with false claims that their plugins are vulnerable. An example of that involved not just a WordPress security provider, but two major names in the web hosting industry that rely on that provider's unreliable data for a security feature.

Last week a topic on the WordPress support forum started this way:

I received an email from our web host as follows:

Just a heads-up that you may want to address this vulnerability in your site. …

The following vulnerabilities need your attention because they have to be addressed manually:

WordPress Ivory Search plugin <= 4.7 – Authenticated Persistent Cross-Site Scripting (XSS) vulnerability

I am on version 5.2. Was the issue addressed in the recent upgrade?

Someone else replied with this:

Got this error message on version 5.2. Would like to find out if this is addressed too. I have just upgraded to 5.3.

The developer replied, noting that the vulnerability had already been fixed and asking where the claim had come from.

Based on the information already in the topic, we could see that the original source was one of our competitors in providing data on vulnerabilities in WordPress plugins, Patchstack.

As of at least a few days before that topic, they were telling people this about the vulnerability:

Deactivate and delete. This plugin has been closed as of November 1, 2021 and is not available for download. This closure is temporary, pending a full review.

That wasn’t true at the time. We should know, as not only had we discovered the vulnerability being referenced, but we had confirmed for our customers that it had been fixed on November 4.

Patchstack clearly doesn’t do the monitoring we do to check whether issues have been resolved. It also doesn’t, as we do, refrain from claiming that a vulnerability still exists in a plugin until that has actually been confirmed. That requires more work on our end, but it avoids causing problems like this for our customers and for plugin developers.

The problem here, though, doesn’t just involve Patchstack, but other entities that are relying on their data despite its known inaccuracy and the company’s dishonesty.

A couple of the follow up replies in the topic shed more light on who else was involved here:

Hi Vinod,
Weirdly my version was 5.2 and I just upgraded to 5.3 today. The email stated the same information as the original poster’s but I got the email yesterday from our cpanel WHM. What information do you need me to provide you? So I can send it over.


Here is the information on the email received:

`WordPress Toolkit has detected known vulnerabilities on WordPress sites under your care. It is strongly recommended to update or disable vulnerable assets on these sites. You can also configure WordPress Toolkit to perform automatic actions when vulnerabilities are detected.
Site Vulnerability

The following vulnerabilities need your attention because they have to be addressed manually:

WordPress Ivory Search plugin <= 4.7 – Authenticated Persistent Cross-Site Scripting (XSS) vulnerability

Automatic actions can be defined on the site autoupdate policy screen.
The system generated this notice on Tuesday, December 28, 2021 at 11:04:40 AM UTC.`

The WordPress Toolkit mentioned there is provided by both cPanel, which that reply references, and Plesk. Those two web hosting control panels are now owned by the same company.

The Plesk version of that is marketed with this:

Secure Against Attacks
Hardens your site by default, further enhanced with the Toolkit’s security scanner. No security expertise necessary.

It is hard to square that with requiring customers to work out for themselves whether claims that their plugins contain vulnerabilities are true.
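The reports above show the core inconsistency: the advisory title itself says "<= 4.7", yet sites running 5.2 and 5.3 were told to act, because the feed was still treating the issue as having no fix. The following is an added example, not code from this post or from Patchstack, cPanel or Plesk (whose internal data formats we do not have), showing how a scanner that honours the version constraint behaves differently from one that flags every version whenever the feed lacks a confirmed fix. The Advisory record, its field names, the "fix_confirmed" flag and the version-comparison routine are assumptions made for illustration; only the advisory title text comes from the page. It also goes one step beyond the case in the post by showing why versions must be compared numerically rather than as strings.

```python
# Added example (not from the original post or any product named in it):
# version-range matching against a plugin vulnerability advisory. The
# Advisory record, its fields and the sample records are constructed here.
import operator
import re
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class Advisory:
    plugin: str
    title: str
    affected: str        # constraint as written in the title, e.g. "<= 4.7"
    fix_confirmed: bool  # False = feed still says "no fix available / plugin closed"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7', '4.10' or '5.2.1' into a comparable tuple.

    Padded to three components so that '4.7' compares equal to '4.7.0'.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts)


_OPS = {"<=": operator.le, "<": operator.lt, ">=": operator.ge,
        ">": operator.gt, "==": operator.eq}


def in_affected_range(installed: str, constraint: str) -> bool:
    """Numeric comparison of an installed version against a constraint like '<= 4.7'."""
    m = re.fullmatch(r"\s*(<=|<|>=|>|==)?\s*([0-9][0-9.]*)\s*", constraint)
    if not m:
        raise ValueError(f"unsupported constraint {constraint!r}")
    op = _OPS[m.group(1) or "=="]
    return op(parse_version(installed), parse_version(m.group(2)))


def naive_string_check(installed: str, bound: str) -> bool:
    """The wrong way: lexical comparison says '4.10' <= '4.7'. Shown only as a pitfall."""
    return installed <= bound


def assess(installed: str, adv: Advisory, flag_unconfirmed_as_vulnerable: bool) -> str:
    """Decide what to tell the site owner.

    With flag_unconfirmed_as_vulnerable=True, an advisory without a confirmed
    fix is reported for every installed version, regardless of the "<= 4.7"
    in its title. That is the behaviour the forum reports describe.
    """
    if in_affected_range(installed, adv.affected):
        return "vulnerable"
    if not adv.fix_confirmed and flag_unconfirmed_as_vulnerable:
        return "flagged: feed lists no confirmed fix"
    return "not affected"


# Constructed records: the same advisory text in two states of the feed.
IVORY_SEARCH_UNCONFIRMED = Advisory(
    plugin="Ivory Search",
    title="WordPress Ivory Search plugin <= 4.7 - Authenticated Persistent "
          "Cross-Site Scripting (XSS) vulnerability",
    affected="<= 4.7",
    fix_confirmed=False,
)
IVORY_SEARCH_CONFIRMED = replace(IVORY_SEARCH_UNCONFIRMED, fix_confirmed=True)


if __name__ == "__main__":
    for installed in ("4.6.9", "4.7", "4.10", "5.2"):
        print(installed,
              "| honour range:", assess(installed, IVORY_SEARCH_UNCONFIRMED, False),
              "| flag unconfirmed:", assess(installed, IVORY_SEARCH_UNCONFIRMED, True),
              "| after fix confirmed:", assess(installed, IVORY_SEARCH_CONFIRMED, True))
```

The practical point for anyone building or buying such a scanner: the "no fix available" state must be re-verified against actual releases, because as long as it is left set, the stated version range is ignored and every site owner on a newer release gets an alert they cannot act on.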
