23 Dec 2022

Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Yesterday, we published a post about Patchstack’s false claim to know about hundreds of undisclosed zero-days, which, if true, would be a very serious issue. Instead, the “zero-days” are “Vulnerabilities reported to us which we are still processing and will be published soon.”, which turns out to mean even less than that makes it sound like.

When we were writing that post, they were claiming to have 45 vulnerabilities that they would be publicly publishing “after a 48 hour delay”:

As of writing this, the number was down to 14:

We monitor claimed vulnerabilities coming from Patchstack so that we can warn our customers about any plugin vulnerabilities that affect them (after confirming that there really is a vulnerability and what the actual status of the vulnerability is), so we checked over the new entries. What we found was that all of the new entries are ones copied from competitors.

Looking closer at one entry, it seems unlikely that this even involves vulnerabilities being reported to them after they were reported to someone else. Instead, they appear to simply be copying the information from other providers and then claiming to know about zero-days, which this entry clearly didn’t involve.

If Patchstack verified the claims before adding them, there would be value in that, but considering they don’t even do that with their own claims, that seems unlikely. With the entry we looked closer at, they copied something from Wordfence that Wordfence in turn had copied from a changelog entry. That is a problem. As we recently discussed, Wordfence clearly isn’t verifying the information they are adding to their data set in that type of situation, as they claimed an unfixed vulnerability had been fixed twice.

Patchstack also claims to provide paying customers early protection from the “zero-days”, but with the entry we looked closer at, a fix had already been claimed before the source Patchstack copied the information from knew about it. So the “early” protection actually arrives later than simply keeping plugins up to date.
