Login

Patchstack News

21 Oct 2022

Shield Security’s ShieldPRO Also Falsely Claimed that WordPress Plugin Contains Vulnerability

So far this week we have covered both iThemes Security Pro and Wordfence Security falsely claiming that WordPress plugins contained vulnerabilities, which we became aware of through our monitoring of the WordPress Support Forum for discussions of new vulnerabilities in plugins. These seems to be a fairly widespread problem with WordPress security providers, as today yet another instance of it came up. This time with ShieldPRO from Shield Security.

A topic was created yesterday claiming that a WordPress plugin named Admin Menu Editor contained a vulnerability: [Read more]

19 Oct 2022

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A reoccurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmaster’s and then the sources of that inaccurate information are not the ones having to deal with the fallout of that. Take this recent forum topic for the plugin Advanced Contact Form 7 DB (Advanced CF7 DB) , which included a message coming from the paid iThemes Security Pro service claiming that there was a “known” vulnerability in the latest version of the plugin, version 1.9.1. Here is the message:

SEPT 30: Known issues in Advanced Contact form 7 DB v1.9.1 [Read more]

12 Oct 2022

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on.

As an example of what is happening, take Automattic’s WPScan, which as can be seen by their Twitter banner image, claims that with them with you would “be the first to know about new WordPress vulnerabilities” [Read more]

10 Oct 2022

WordPress, Automattic’s WPScan, Patchstack, and CVE Make Mess of Unfixed Vulnerability in WordPress Plugin

The two most recent support forum topics for the 30,000+ install WordPress plugin Kraken.io Image Optimizer are about a claimed security vulnerability in the latest version of the plugin:

[Read more]

30 Sep 2022

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What seems like it could have started the closure was a claim made by a competing plugin, Wordfence, of a vulnerability in the plugin.

Here is how Wordfence described the issue: [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]

17 Jun 2022

Clearing Up Some Claims Made About the Remote Code Execution (RCE) Vulnerability Fixed in Ninja Forms

Two days ago, WPScan described a vulnerability fixed in the WordPress plugin Ninja Forms the day before this way:

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such issue since June 9th, 2022 [Read more]

7 Jun 2022

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, the security vulnerabilities in security plugins often are not too serious. That wasn’t the case with a vulnerability disclosed in February involving the security plugin WP Cerber, which has 200,000+ active installations according to WordPress.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin’s admin pages. That is a type of vulnerability that hackers have been known to exploit. Troublingly, but in line with the plugin itself having such a serious vulnerability, the developer didn’t disclose in the changelog or their website that there had been a vulnerability or that it had been fixed. [Read more]

25 May 2022

600,000+ Install WordPress Plugin WP Statistics Isn’t Properly Securing Its Optimization Functionality

Yesterday the JVN released a vague report claiming that a cross-site scripting (XSS) vulnerability had been fixed in version 13.2.0 of the WordPress plugin WP Statistics. There isn’t enough information provided to confirm that there was a vulnerability or that it was fixed.

Confusingly, one of our competitors, Automattic’s WPScan, is citing that report as the source for a claim that a vulnerability was fixed in version 13.2.2 of the plugin: [Read more]

24 May 2022

Patchstack Claims “Vulnerability” in WordPress Plugin With 600,000+ Installs Was Fixed Despite No Changes Being Made

Partly because of the large number of false reports of vulnerabilities in WordPress plugins being put out by our competitors, we now put more focus on claims of vulnerabilities in plugins used by our customers. So once at least one of customers started using the plugin GA Google Analytics, our systems notified us we needed to review a report put out by one of the aforementioned competitors, Patchstack, last year on a claimed authenticated persistent cross-Site scripting (XSS) vulnerability the plugin.

The report is credited to “m0ze (Patchstack Red Team)”, so this was something coming directly from Patchstack, instead of just something they copied from somewhere else. [Read more]