27 Nov 2023

Patchstack vs Wordfence WordPress Plugin Vulnerability Data: It’s Largely The Same Inaccurate Data

When it comes to protecting WordPress websites from vulnerabilities in WordPress plugins, one piece of the solution involves being warned if you are using plugins with known vulnerabilities. Doing that well requires doing a lot of work. That is something that two providers, Patchstack and Wordfence, claim to do. Patchstack markets their data this way:

Hand curated, verified and enriched vulnerability information by Patchstack security experts.

Sounds great. Wordfence has made similarly impressive claims, including:

Wordfence Intelligence includes a comprehensive and extremely current vulnerability database for WordPress that contains nearly 7,000 unique vulnerability records. This database is actively maintained by some of the top WordPress vulnerability researchers in the industry.

As part of compiling our own data set, we have found that neither provider is doing the work we do, despite claiming to.

The most recent example of that involved Patchstack claiming that a vulnerability existed in a plugin when it didn't, while also claiming it had been fixed in a version of the plugin that doesn't exist. There are plenty of other examples like that, such as Wordfence falsely claiming that a vulnerability had been fixed twice, because they assumed that the developer claiming it was fixed meant it was fixed, without noticing that it made no sense for the same vulnerability to have been fixed twice in a row. We could go on and on, as we are frequently checking on inaccurate claims made by those providers about supposed vulnerabilities in plugins used by our customers.

A lot of the problems with other providers' data are of limited concern, since they involve issues that are not even vulnerabilities, or real vulnerabilities that would not be exploited. Earlier this year, though, there was an unfixed, widely exploited vulnerability that both Patchstack and Wordfence had falsely claimed had been fixed three months earlier, because they had copied inaccurate data from yet another provider, WPScan.

If you are looking for accurate data on WordPress plugin vulnerabilities, our service provides that, along with expert help when you are using a plugin that has an unfixed vulnerability, and a firewall plugin that provides more protection against zero-days than either Wordfence's or Patchstack's.
