31 Jan 2025

Patchstack Admits to Failing to Do Basic Due Diligence With Vulnerability Reports, Which Leads to Vulnerabilities Remaining Unfixed

Last May, we looked into a claim from Automattic’s WPScan that a vulnerability in the implementation of WordPress blocks in the 400,000+ install WordPress plugin Kadence Blocks had been fixed. They provided little information and didn’t show any evidence that the issue had been resolved. There was the further problem that the changelog for the version in which they claimed the issue was fixed had no mention of a security fix. We did find that the proof of concept they provided stopped working in that version, but we also found that plenty of code related to the issue was still not properly secured. We confirmed that at least one instance was still vulnerable.

Before warning our customers about that, we attempted to work with the developer, StellarWP, to address it. On the website of their Kadence brand, there is a page on responsible disclosure that starts this way (emphasis ours):

Kadence is proactive in preventing security issues and our software products go through rigorous evaluation with security in mind prior to release. In the event that you believe you have found a security issue, we look forward to working with you in order to create an effective fix. To protect the community of software users, it is a standard practice in security research to responsibly and privately disclose discovered vulnerabilities to the software vendor prior to public release. This is even more critical when we work together to protect users in an open source space such as the WordPress community.

A little further down the page, they say this:

There are many third party developers that are building solutions on top of the Kadence Blocks plugin and the Kadence theme. If you believe you have found an issue with one of these third party offerings, we can likely assist in helping you find contact information for those developers if needed so that you can establish a secure communication channel for resolution.

Right after that, the page goes off track as they tell you to report security issues to a third party:

Where do I report security issues?

The following products are handled through Patchstack’s managed Vulnerability Disclosure Program.

Kadence Theme
Kadence Blocks
Kadence Blocks Pro

Not only a third party, but a third party that is trying to profit off of vulnerabilities in WordPress plugins.

The contradiction between saying to report issues to the developer and saying to report them to someone else is explained by the fact that the last section we quoted was inserted into the page later on. (Here is how the page previously read.)

Among the problems with handling vulnerabilities that way is that someone clearly didn’t bother to properly vet the vulnerability we had just reviewed and see that the issue wasn’t resolved.

We raised those issues with Kadence, but the conversation went nowhere. Even the now incoherent state of the page still hasn’t been addressed.

Patchstack Admits to Not Doing Basic Due Diligence

While doing some research for another post, we came across Patchstack admitting in an FAQ item that they are not doing this needed vetting:

I got a report for the same type of vulnerability but affecting different parameters. Why was it not mentioned in the first report?

When validating the reports, we do not conduct a full-scale code review and focus only on reported issues. Check all parameters/inputs on your software that can be affected by the same reported vulnerability and try to patch them immediately.

That is a stunning admission to make. To go back to the Kadence Blocks example, the plugin is still exactly as exploitable as it was before, despite WPScan (and Patchstack) claiming it was fixed. So we are talking about a failure to do basic due diligence there.

Why would Patchstack fail to do that? There are multiple explanations. One is that they have a long track record of being scammers; a 2021 review of their firewall (under their previous name, WebARX) is a good example of that. Another is that they heavily promote themselves around how many vulnerabilities they claim to be taking credit for. So from their perspective, not making sure a vulnerability is fully fixed and instead turning it into multiple vulnerabilities is a positive, even though it leaves their customer vulnerable and unaware that they are vulnerable.
