Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites
How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on.
As an example of what is happening, take Automattic’s WPScan, which, as can be seen from their Twitter banner image, claims that with them you would “be the first to know about new WordPress vulnerabilities”:
Or Patchstack, which claims with them you will be “notified instantly when there is a new security vulnerability present on any of your sites”:
In both cases, the claims are wildly off the mark, for multiple reasons.
One of them is that the services do not detect vulnerabilities. Instead, they alert people if they have an installed version of a WordPress plugin that the company believes contained a publicly disclosed vulnerability. So before they could warn about a vulnerability, someone else would have to have discovered it. That means that by the time they warn a customer about a vulnerability, it has already been on the customer’s website, and someone else already knew about it before the website was warned. The companies behind these services know this, but they don’t appear to see a problem with misleading their customers.
Another problem with the claim is that neither of them actually does the work to keep up with what vulnerabilities are out there, so they fail not only to warn about known vulnerabilities, but also to warn when those vulnerabilities haven’t been fixed.
Two weeks ago, the developers of the WordPress plugin NextGEN Gallery, which has 600,000+ installs, released an attempted fix for a cross-site request forgery (CSRF) vulnerability in the plugin. The developer disclosed this only vaguely, in the changelog for the new version:
Fixed: Added nonce verification to some legacy XHR handlers.
As we detailed the same day, the developer had only incompletely addressed the issue. We notified the developer of the incomplete fix that day. A week later, they released an update that fully addressed the problem. This time, though, they didn’t disclose that there was a security fix at all, as this was the changelog:
Fixed: Rotating images was broken for some users after the last release.
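As an added illustration of the kind of change the first changelog entry describes (constructed for this post, not NextGEN Gallery’s code), here is a WordPress admin-ajax handler before and after nonce verification; the plugin, action and function names are hypothetical:

```php
<?php
// Constructed example: a legacy XHR (admin-ajax.php) handler before and after
// nonce verification. Hypothetical names; not NextGEN Gallery's code.

// Hypothetical helper that performs the privileged action.
function demo_do_rotate( $image_id, $degrees ) {
    update_post_meta( $image_id, '_demo_rotation', $degrees % 360 );
}

// --- Before: any request reaching admin-ajax.php while the victim is logged
// in is processed, so a page on another site can trigger it (CSRF).
function demo_rotate_image_legacy() {
    $image_id = (int) ( $_POST['image_id'] ?? 0 );
    $degrees  = (int) ( $_POST['degrees'] ?? 0 );
    demo_do_rotate( $image_id, $degrees );
    wp_send_json_success();
}

// --- After: the handler refuses requests that do not carry a nonce issued to
// this user for this action, and also checks the user's capability. A fix that
// guards only some of a plugin's handlers leaves the rest reachable cross-site,
// so every handler that changes state needs this check.
function demo_rotate_image() {
    // Sends a 403 and stops execution if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'demo_rotate_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $image_id = (int) ( $_POST['image_id'] ?? 0 );
    $degrees  = (int) ( $_POST['degrees'] ?? 0 );
    demo_do_rotate( $image_id, $degrees );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_rotate_image', 'demo_rotate_image' );

// Hand the nonce to the plugin's own admin script so legitimate XHR calls
// can include it as the 'nonce' POST field.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_rotate_image' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```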
Based on the marketing, you would expect that WPScan would have warned about this at least two weeks ago, but their most recent listing of a vulnerability in the plugin is from 2021:
It’s the same story with Patchstack:
Better Protection
In this situation, those services have done nothing to protect their customers. By comparison, WordPress’ built-in capability to automatically update plugins would have promptly provided some protection against the vulnerability after the first update and full protection after the second.
The full protection only came because we had reviewed the incomplete fix, which we only do for plugins being used by our customers. So those looking for protection beyond simply updating should look for a service that will check whether security vulnerabilities are actually being fixed. As we have documented in the past, neither WPScan nor Patchstack actually does that, despite claiming otherwise.
The best protection against vulnerabilities in a WordPress plugin would be to get a security review of the plugin done, as that, unlike Patchstack’s service, would detect security vulnerabilities that are in the plugin.
Plugin Security Scorecard Grade for NextGEN Gallery (checked on May 17, 2025)
Plugin Security Scorecard Grade for Patchstack (checked on March 5, 2025)