30 Nov 2022

Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker

WordPress security providers often make extraordinary claims about their services. Not only can those claims not be true, but even to the extent the providers could deliver something reasonably close to them, they fail to do that. The service Patchstack makes this claim about what they deliver:

Be notified instantly when there is a new security vulnerability present on any of your sites.

If they really had technology to deliver on that, it would be really impressive, but they don’t. Instead they are warning about vulnerabilities after they are already known about. So someone has to discover the vulnerability, and then Patchstack might warn about it or they might not. That is not only very different, but it also matters how quickly they do that and the quality of that information. The marketing claim allows them to ignore addressing those things.

On Monday, we noted how they are now claiming to provide “early alerts and protection” for vulnerabilities to their customers, but one of those early alerts was really warning about a vulnerability after it had been publicly disclosed by a competitor and had been fixed a couple of weeks before.

What we also noted on Monday was that two other security providers, WPScan and Wordfence, had so far failed to warn about a vulnerable WordPress plugin that appears to have been targeted by a hacker over the weekend. Because Patchstack hides recent additions to their data for 48 hours, we were unable to check whether they had delivered what those providers didn’t.

It has now been over 48 hours since we publicly warned about the vulnerability likely being targeted. So even if Patchstack simply copied our information and wasn’t doing the type of monitoring we do to catch situations like that, that should be in their public data. So has Patchstack publicly warned about the vulnerability and claimed to offer protection for it yet? No. They currently don’t list any vulnerabilities as having existed in the plugin.
