5 Aug 2021

Patchstack’s Severity Scores Continue To Be Highly Misleading

To help our customers better understand the risk posed by a vulnerability in a WordPress plugin, we provide a rating of how likely the vulnerability is to be exploited. Other security providers offer what turns out to be a much less useful metric, a severity score.

One company that continues to provide an example of the decided lack of value of those scores is Patchstack. A month ago we noted an instance where they had given a “vulnerability” a severity score of 7.4 out of 10. We put vulnerability in quotes there, since there wasn’t really a vulnerability at all. Even if you wanted to argue there was one, it was a vulnerability that had to be exploited by an attacker logged in to WordPress as an Administrator. Since an Administrator could already do what the vulnerability was supposed to allow, this isn’t a vulnerability, but even if you want to argue otherwise, how could it be that severe?

If they are giving something that isn’t even a vulnerability that high a score, it shouldn’t be surprising that real vulnerabilities can get an even more inflated score. Yesterday we discussed in detail how Automattic’s Jetpack overstated the impact of a vulnerability in a plugin, and Patchstack jumped on board to give it almost the highest score possible, 9.9 out of 10.

There are several problems with that scoring. First off, the vulnerability is incorrectly labeled as a local file inclusion (LFI) vulnerability when it is an authenticated local file inclusion (LFI) vulnerability. That is an important distinction, and Patchstack seems to be aware that it is an authenticated vulnerability, as they write:

Exploitable by any logged-in users with capability to render shortcodes.

Another problem is that if you look at Jetpack’s report, they write this:

This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.

Labeling this as leading to remote code execution (RCE) is not in line with that, nor is it an accurate way to describe what is really just a local file inclusion (LFI) issue.

Unless there is something more to this that Jetpack hasn’t disclosed and the developer didn’t indicate they fixed, this vulnerability isn’t likely to see wide-scale exploitation attempts as the type of vulnerability it really is. We say that based on years of experience both dealing with hacked WordPress websites and monitoring exploitation attempts against WordPress plugins. We said “as the type of vulnerability it really is” because hackers have frequently tried to exploit local file inclusion (LFI) vulnerabilities as if they were another type, arbitrary file viewing. They try to exploit them to view the contents of the WordPress configuration file, which doesn’t work because the file is included, which causes the PHP code in it to run rather than its contents being shown.
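To make that distinction concrete, here is an added example (not code from the plugin, Jetpack or Patchstack) contrasting an include of a user-supplied path with a raw file read, followed by a hardened shortcode handler. The function names, the temporary stand-in for wp-config.php and the template directory are assumptions made for the example, and the hardened handler is one reasonable fix, not the developer’s actual patch:

```php
<?php
// Added example, not code from the plugin, Jetpack or Patchstack.
// It contrasts a local file inclusion (LFI) with arbitrary file viewing to
// show why pointing an LFI at wp-config.php does not reveal its contents.
// Assumptions: $template is a shortcode attribute a logged-in user controls,
// and the "config" file below is a constructed stand-in for wp-config.php.

$config = sys_get_temp_dir() . '/wp-config-sample.php';
file_put_contents($config, "<?php\ndefine('DB_PASSWORD', 'constructed-secret');\n");

// Vulnerable pattern: a user-controlled path reaches include.
// include() parses and executes the file as PHP. Text outside <?php ?> tags
// would be printed, but a config file is all PHP, so the define() runs and
// nothing is written to the output buffer.
function render_template_lfi(string $template): string
{
    ob_start();
    include $template;
    return (string) ob_get_clean();
}

// Arbitrary file viewing: the raw bytes come back, credentials included.
// This is the behaviour attackers hope for when they aim an LFI at wp-config.php.
function read_file_raw(string $path): string
{
    return (string) file_get_contents($path);
}

// Hardened handler (an assumption about how such a plugin could be fixed):
// accept only a bare template name, resolve it inside a fixed directory, and
// reject anything whose real path escapes that directory.
function render_template_safe(string $template, string $templateDir): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $template)) {
        throw new InvalidArgumentException('Invalid template name');
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $template . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('Template outside template directory');
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Demonstration against the constructed config file.
$viaLfi  = render_template_lfi($config);
$viaRead = read_file_raw($config);

printf("LFI output length: %d\n", strlen($viaLfi));
printf("DB_PASSWORD defined in-process: %s\n", defined('DB_PASSWORD') ? 'yes' : 'no');
printf("Raw read contains the password: %s\n",
    strpos($viaRead, 'constructed-secret') !== false ? 'yes' : 'no');

try {
    render_template_safe('../../wp-config-sample', sys_get_temp_dir() . '/plugin-templates');
} catch (InvalidArgumentException $e) {
    printf("Hardened handler rejected traversal: %s\n", $e->getMessage());
}
```

Run stand-alone, the include path returns an empty string while the DB_PASSWORD constant becomes defined in the process, whereas file_get_contents returns the secret: the included file was executed, not displayed. That same execution is also why an LFI matters when an attacker can first place PHP on disk (an upload, a poisoned log), which is the narrow sense in which Jetpack’s “in some instances” applies; it is not a reason to score a plain authenticated LFI as RCE. The hardened handler refuses the traversal before any file is touched.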

A vulnerability that is unlikely to be exploited on a wide scale shouldn’t warrant the second highest possible severity score, and giving it that leaves little room for differentiating between the severities of vulnerabilities that are likely to see exploit attempts.

What might drive security companies to provide these scores despite their lack of usefulness is that they can get coverage from security news outlets for them, as Patchstack did recently:

The vulnerability has yet to receive a tracking number but its severity score has been calculated at 8.2 out of 10 by Patchstack, a company that protects WordPress sites from plugin vulnerabilities.

Unfortunately, security companies and security journalists have a symbiotic relationship that is often detrimental to the goal of helping people make better-informed decisions on security.

