6 Dec 2023

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations where, unsurprisingly, no helpful information was being provided. Things have been slightly better on the WordPress support forum for the plugin, but there was still alarmist information. One topic is titled, “Security breach and vulnerability in all versions.” Wordfence, in turn, is citing Patchstack when making this claim. The reality is that there isn’t a vulnerability, something the WordPress security team told the original source of the claim, but which Wordfence and Patchstack have ignored.

While Wordfence and Patchstack are both claiming that this is an issue with the Gutenberg plugin, that isn’t what the original source they are citing says. Their post is titled “CVE-2022-33994:- Stored XSS in WordPress” and they start it this way: [Read more]

24 Apr 2023

iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Recently, iThemes (which is being rebranded as SolidWP) and their partner, Patchstack, have been incorrectly labeling a 100,000+ install WordPress plugin, Download Manager, as containing an unfixed vulnerability. The problem stems in part from confusion with a claim that the vulnerability had been in Download Manager Pro, and also from Patchstack’s data not properly listing which versions of a plugin are vulnerable (this isn’t the first time recently that there has been this combination of problems). Incredibly, once this was brought to iThemes’ attention by one of their customers, their response was not to fix this, but to tell the customer that the plugin developer had to get in touch with Patchstack to address it:

Since the one you’re using is the free version (3.2.70), but it is still being flagged as vulnerable by the Site Scanner, I recommend reaching out to the plugin developers for the possibility of updating the reflected information on Patchstack. [Read more]