29 Jan 2025

WordPress Plugin Developers Directing Vulnerability Reports To Patchstack Doesn’t Signal They Take Security Seriously

Earlier in the week, we talked about how the developers of a security solution were failing to show the WordPress community (and their wider audience) that their scores provide a meaningful and useful measure of security. We also talked about how a WordPress security provider, Patchstack, was once again being dishonest. While preparing that latter post, we noticed they made this case for plugin developers having vulnerability reports directed away from them and to Patchstack:

Having a VDP security program is a signal to your users that you take security seriously and your software is trustworthy.

There are two serious problems with that.

The first is that if you are taking security seriously, you wouldn’t want a third party to have access to information about vulnerabilities in your plugins before you do. It is such an incredibly bad idea that it is hard to believe it is even happening. It is something that the CEO of Patchstack has indirectly admitted was unethical. And it is a strong signal that you don’t care about security, not that you take it seriously.

The other is that, unsurprisingly given all that, the actual results show that developers involved in the program don’t care about the security of their software. We have covered that over and over. Just last week, we noted that a developer in the program is using two outdated, known vulnerable libraries in their plugins. We reached out to the developer after we were alerted to that by an automated tool, but we haven’t received a response in over two weeks and the libraries haven’t been updated.

The page the Patchstack quote comes from features a testimonial from Elementor:

“We highly recommend Patchstack to other companies looking to enhance their security posture. For us, Patchstack is a true partner in our security efforts, and we're more than satisfied with their services.”
Miriam Schwab, Head of WordPress Relations

That would be the same Elementor that still hasn’t fixed a security issue we reported to them a year ago. Another instance of that issue was part of what led to an exploited vulnerability in the plugin that we caught in 2022. In between those two situations, Patchstack disclosed a vulnerability that hadn’t been fixed in the plugin.

Plugin Security Scorecard Grade for Patchstack (checked on March 5, 2025): D
