Patchstack Apparently Didn’t Take Basic Step to Get Unfixed Exploitable Vulnerabilities Fixed Before Disclosing Them
Last week WordPress security provider Patchstack disclosed what they claimed was an unfixed exploitable vulnerability in a WordPress theme and one in a related WordPress plugin. We say claimed, because some of the information they provided appeared on its face to be very wrong. Early in the post, they wrote that “code that handles user input didn’t have any authorization or nonce check.” Code that handles user input doesn’t necessarily require authorization or a nonce check. For example, doing a search on a WordPress based website doesn’t require either of those things, despite involving user input. A more salient point is that the code they then promptly showed not only contained a nonce check, but even had a comment about it: “First check the nonce, if it fails the function will break:”
Patchstack claimed to have made at least two attempts to contact the “vendor”, on September 23 and January 16. It isn’t clear if the “vendor” refers to the developer of the theme and plugin or the marketplace they are available from, though it seems the former. The marketplace they are available on is Envato’s ThemeForest. If you don’t get a response from a developer, you should next reach out to the marketplace (assuming they don’t have a track record of not responding properly). That would be more important when you are claiming that a vulnerability allows a “user to increase their privileges and take over the WordPress site by performing a series of HTTP requests”.
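For readers less familiar with what a WordPress nonce check does and does not establish, here is an added illustration (our own example code, not the theme’s or plugin’s code, and not what Patchstack showed). The handler name, nonce action name and capability are assumptions chosen for the example. A nonce check only confirms that the request was generated from the site’s own form or script for the current user; it says nothing about whether that user is allowed to perform the action. That is why a privileged action needs a separate capability check alongside the nonce, while a public action such as a search legitimately needs neither:

```php
<?php
// Added example: a WordPress AJAX handler for a privileged action.
// Names below ('example_save_settings', 'example_settings_nonce') are assumptions.

add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. Nonce check: rejects requests that did not originate from the site's
    //    own form/script for this user (CSRF protection). check_ajax_referer()
    //    sends a "-1"/400 response and exits when the nonce is missing or invalid.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 2. Authorization check: the nonce alone does not prove the user may change
    //    settings. A logged-in subscriber can obtain a valid nonce for their own
    //    session, so the capability check is what actually enforces privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitise the user-supplied value before storing it.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );

    wp_send_json_success( array( 'saved' => $value ) );
}

// By contrast, a public, read-only action that handles user input needs neither
// check: anyone may search, and no state is changed. (Also an assumed name.)
add_action( 'wp_ajax_nopriv_example_search', 'example_search' );
add_action( 'wp_ajax_example_search', 'example_search' );

function example_search() {
    $term  = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $query = new WP_Query( array( 's' => $term, 'posts_per_page' => 10 ) );
    wp_send_json_success( wp_list_pluck( $query->posts, 'post_title' ) );
}
```

When reviewing a report that claims a handler is exploitable, the question to ask is whether a state-changing or privileged action lacks the capability check (step 2), not merely whether the code accepts user input. A nonce check being present, as in the code Patchstack showed, addresses CSRF; whether the privilege escalation claim holds depends on the authorization check, which the disclosure would need to address specifically.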
Envato’s information on reporting security issues in their marketplaces is a web search away and they provide a form to report issues.
We reached out to Envato about this on Thursday morning. They responded early yesterday, saying in part, “I just wanted to let you know that we’re investigating this potential vulnerability and to also thank you for taking the time to let us know about it.”
We also reached out to the developer on Thursday, but we haven’t heard back from them.
Today, a new version of the theme was released with a changelog entry that reads “Improved – Security by patching vulnerabilities highlighted by Patchstack.” Since we don’t have a copy of the theme or plugin, we can’t check on their current status. (If someone has access, get in touch with us, so that we can vet them.)
So it seems that Patchstack didn’t bother to contact Envato before disclosure, creating unnecessary security risk, but getting more attention for themselves.
Multiple supposed journalists ran with this without reaching out to the developer or Envato for their side of the story, including Bill Toulas at Bleeping Computer and Sead Fadilpašić at TechRadar.