Wordfence Isn’t Disclosing They Are Copying (Possibly Inaccurate) Plugin Vulnerability Information From Competitor Patchstack
Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another competitor.
Yesterday a topic was started on the support forum for a plugin about a warning of a vulnerability from the Wordfence Security plugin. The users of Wordfence Security were not given helpful information on the claimed issue by Wordfence, as can be seen in this comment from one of them:
But I can’t make much sense out of where WordFence sends us:
It is easy to understand why they said that, as the linked page contains no useful information. Instead, you get told this:
So that couldn’t be Wordfence’s real source. So where did they really get the information from? From a competitor.
The actual source of the information is Patchstack, though their listing isn’t all that helpful either, as the “details” provided are:
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress Backup Guard plugin (versions <= 1.6.8.8).
You can’t confirm there is a vulnerability or if it has been resolved without more information than that.
Another piece of information provided makes it sound like there really isn’t a vulnerability, as according to them, exploitation “[r]equires high role user authentication like admin.” If they mean an Administrator, an attacker with that level of access can already do the equivalent of the claimed vulnerability, no vulnerable plugin needed. So Wordfence might also be incorrectly claiming there is a vulnerability.
Plugin Security Scorecard Grade for Patchstack
Checked on March 5, 2025. See issues causing the plugin to get less than an A+ grade.