28 Nov 2022

Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor

There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress.

This week Patchstack started promoting that it is providing “early alerts and protection” for vulnerabilities to their customers:

You can look over our past coverage of Patchstack to get a better idea of the low quality of the vulnerability information they are providing, so that doesn’t seem all that meaningful. Looking at one of these early alerts makes things seem even worse.

Here is an “early alert” from today:

You can see some of the low quality of their information on display there, as they describe the plugin as being “vulnerable to Other Vulnerability Type”. What?

Considering they don’t appear to know anything about the vulnerability, it seems hard to believe they are offering protection against it.

That is a vulnerability they only started warning about after a competitor of theirs, NinTechNet, publicly warned about it. Worse still, NinTechNet says it was fixed two weeks ago:

The issue was reported to the developers on October 05, 2022 and a new version 3.9.7 was released on November 14, 2022.

So Patchstack isn’t early in alerting or protecting against this. Keeping your WordPress plugins up to date would have addressed it well before Patchstack could have offered protection, according to NinTechNet’s information.

We should note they are not the only ones not being all that accurate about the vulnerability, as Automattic’s WPScan is claiming that it is an “Arbitrary Settings Update to Stored XSS” vulnerability, despite NinTechNet’s information clearly stating you need to be logged in to exploit this:
