21 Jun 2023

Patchstack’s “Early Warning” About Vulnerability Isn’t Early and Fails to Warn It Isn’t Fixed

As we have noted in the past, the WordPress security provider Patchstack has falsely claimed to know about hundreds of zero-day vulnerabilities and has claimed to be providing "early warnings" to its customers about vulnerabilities that were already public before it warned about them. If they are willing to mislead on such things, it shouldn't be a surprise that there are other, more significant problems with these "early warnings". That is exactly what happened with one of them this week.

On Monday, June 19, Patchstack claimed to be providing an early warning about a vulnerability in the plugin Super Socializer, which it said had been fixed in the latest version of the plugin.

This wasn't an early warning. The plugin's changelog had already disclosed on June 7 that a vulnerability had been fixed in that version. The changelog's description of the type of vulnerability that was fixed isn't accurate, though, so being first to mention it doesn't make the information reliable.

The much larger issue is that the vulnerability hasn't actually been fixed. The new version addressed one instance of cross-site scripting (XSS) through a shortcode attribute in the plugin, but at least one other instance remains. After actually checking the new version and finding that the vulnerability was still present, we warned our customers on June 16 that it hadn't been fixed. We got in touch with the developer about that before we warned our customers.
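To make the class of flaw concrete, here is an illustrative example added to this post. It is not code from Super Socializer or from any other plugin; the shortcode handler names, attribute names and output markup are hypothetical. It shows XSS through a shortcode attribute, a "fix" that escapes the attribute in one handler, and a second handler that was left with the same flaw, which is the situation described above. The stand-ins for the WordPress functions are assumptions so that the script runs under the plain PHP CLI without WordPress.

```php
<?php
// Added illustrative example, not plugin code. Handler names, attribute
// names and markup are hypothetical. Runs standalone under the PHP CLI.

// Minimal stand-ins (assumptions) for the WordPress functions a plugin would
// use, so the example runs outside WordPress. esc_attr() here does what
// WordPress's esc_attr() does for this purpose: HTML-encode quotes and
// angle brackets so the value cannot break out of an attribute.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// Handler 1: the instance that was "fixed". The user-controlled shortcode
// attribute is escaped before being placed inside an HTML attribute value.
function example_share_buttons_shortcode(array $atts): string {
    $atts = shortcode_atts(['title' => ''], $atts);
    return '<div class="share" data-title="' . esc_attr($atts['title']) . '"></div>';
}

// Handler 2: the instance the fix missed. Same pattern, same attribute, but
// the value is concatenated into the output without escaping.
function example_follow_icons_shortcode(array $atts): string {
    $atts = shortcode_atts(['title' => ''], $atts);
    return '<div class="follow" data-title="' . $atts['title'] . '"></div>';
}

// Check whether a handler's output is safe for a given attribute value: if the
// raw payload characters survive unchanged into the output, the attribute
// value can close the HTML attribute and inject markup.
function attribute_is_escaped(callable $handler, string $payload): bool {
    $out = $handler(['title' => $payload]);
    return strpos($out, $payload) === false;
}

// Constructed payload, as a user able to place shortcodes in post content
// could supply it in the shortcode's attribute.
$payload = '"><script>alert(1)</script>';

foreach (['example_share_buttons_shortcode', 'example_follow_icons_shortcode'] as $handler) {
    $status = attribute_is_escaped($handler, $payload) ? 'escaped' : 'VULNERABLE';
    printf("%-34s %s\n", $handler, $status);
    echo '  ', $handler(['title' => $payload]), "\n";
}
```

The practical check this suggests when verifying a fix of this type: enumerate every add_shortcode() registration in the plugin and review each handler's use of its attributes, rather than only the handler the changelog or advisory happens to name. A fix that touches one handler proves nothing about the others.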

Compounding the problem for Patchstack's customers, Patchstack failed to provide even basic details of the issue, details that could have allowed those customers to catch what Patchstack missed.
