15 Mar 2023

Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence

Providing accurate information on vulnerabilities in WordPress plugins can require a lot of work, but doing the work avoids causing false alarms for users of plugins and for the developers of them. Unfortunately, security companies can cut corners, claim to do things they don’t, and still get treated as if their information is reliable. Patchstack is a prime example of that: they run with wildly inaccurate information, as the latest example below shows, yet they get promoted in the WordPress space by the likes of the WP Tavern (which refused to run a reply refuting information in the linked post).

One of the things we do to keep track of vulnerabilities in WordPress plugins for our customers is monitoring for relevant topics on the WordPress Support Forum. That sometimes leads to us finding that hackers are exploiting an unfixed vulnerability, and it often leads to us seeing how much inaccurate information is being spread by other providers.

Here is a message from that forum today:

According to Patchstack, there is a high severity vulnerability in this plugin: https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-contact-form-7/wordpress-drag-and-drop-multiple-file-upload-pro-contact-form-7-standard-plugin-2-11-0-reflected-cross-site-scripting-vulnerability?_a_id=110

I’m using the free version of the plugin and I’m currently running on version 1.3.6.7, which seems to be the latest available version (and not 2.11.0 which Patchstack states). Is this a false alarm or how can I update my current version?

Patchstack markets their data with this claim:

Hand curated, verified and enriched vulnerability information by Patchstack security experts.

So surely the information is at least in the ballpark of right?

The Patchstack page mentioned in that forum post has this message:

This early warning is available to Patchstack users and partners 48 hours before public disclosure.

In reality, the information was copied, very inaccurately, from another data provider, Wordfence, so this isn’t an early warning before public disclosure.

Wrong Plugin

When comparing Patchstack’s information to Wordfence’s on the claimed vulnerability, there are some significant differences.

The most important is that Wordfence claims the vulnerability is in the plugin Drag and Drop Multiple File Upload PRO, while Patchstack claims it is in Drag and Drop Multiple File Upload – Contact Form 7. Those are different plugins from the same developer. They didn’t just get the name wrong, though; the plugin’s slug is wrong too. The correct slug is drag-n-drop-upload-cf7-pro. They list it as drag-and-drop-multiple-file-upload-contact-form-7.

We could probably stop there, since Patchstack clearly didn’t verify this: they did so little work that they wouldn’t even have looked at the right plugin, assuming they looked at a plugin at all. But let’s go on, because there is more very wrong here.

Wrong Severity

Patchstack provides this description of what they claim is a cross-site scripting (XSS) vulnerability:

WordFence discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Drag and Drop Multiple File Upload – Contact Form 7 Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

If you head over to Wordfence’s information, though, they are claiming that it is a reflected XSS vulnerability. With that type of vulnerability, JavaScript code included in a request to the website is output back in the response to that same request, so only a guest who visits the website with that input included in their request would be impacted. Patchstack’s description sounds like it is referring to persistent XSS, where the code is stored and served to every visitor. It seems like Patchstack is conflating very different types of XSS vulnerabilities for whatever reason, which is rather odd and isn’t something we are aware of anyone else doing.

Patchstack claims this is a high severity vulnerability.

Reflected XSS vulnerabilities are not close to being high severity.

The severity scoring system that Patchstack uses, CVSS, is not something that should be used, since it provides misleadingly high severity scores for WordPress plugins. Those scores are at least supposed to be non-subjective, so the same vulnerability should get the same score everywhere, and yet Wordfence rated it only medium severity.

Wrong Discoverer

Going back to Patchstack’s description we quoted before, they said that “WordFence discovered and reported” the vulnerability. Wordfence doesn’t say that, though. They don’t list a discoverer at all. If you follow the only reference Wordfence provided, which Patchstack apparently should have done, you find it is a changelog for the plugin, and it says this for the relevant version of the plugin:

Fixes – Security Updates (Reflected Cross-Site Scripting reported by : WPScan Security)

So the credited discoverer is another security provider.

There is no indication that Wordfence did anything other than look at the changelog and repeat the claim that a vulnerability was fixed. That would certainly match up with what we have seen in plenty of instances. For example, in one instance, they claimed the same vulnerability had been fixed twice despite it not being fixed.

That’s A Wrap

To sum this up, Patchstack has copied information from someone else who in turn copied information from a changelog. Certainly Patchstack didn’t verify this as they claim to do. Beyond that, Patchstack made the claimed vulnerability seem much more serious than it was. Finally, Patchstack didn’t even get the plugin right.

It would be great if the WordPress community didn’t promote companies scamming people like Patchstack does, but the community these days seems to be incapable of that.
