23 Dec 2021

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, Sucuri. It seems like if a web host owns a major security provider they should have a good handle on security, not fail to handle the basics, as the breach showed.

For those knowledgeable about security, the apparent incongruity really wasn’t surprising, since Sucuri has always been run by people that don’t seem to have much grasp of security. That could be seen again in a post earlier this week about vulnerabilities recently fixed in a popular WordPress plugin, All in One SEO. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

21 Dec 2021

Patchstack Continues to Overstate Size of Their Database Despite Dropping Claimed Size for 2021 by 35%

Last month we noted that a couple of WordPress news outlets had repeated what appear to be clearly false claims made by the WordPress security provider Patchstack. It should go without saying that a security company that isn’t honest is a big deal. We have run across a further claim from Patchstack that contradicts the previous claim they made, while still appearing to be false.

On November 5, the WP Tavern ran a story by Justin Tadlock that included this claim about the number of vulnerabilities in Patchstack’s database for this year: [Read more]

3 Dec 2021

Customers of WPScan and Patchstack Were Far From the First to Know About Exploited Plugin Vulnerability

Last week we looked at an instance where the Wordfence Security plugin and Wordfence Premium service failed to provide protection against a WordPress plugin vulnerability until four days after it was publicly discussed that the vulnerability had already been exploited. That is despite the Wordfence Premium service being marketed with the claim that it provides “real-time protection” and competing firewall plugins having delivered protection ahead of that. What we guessed might explain their belated response in that situation draws in two other security companies in the WordPress space that don’t appear to even try to deliver on how they market their services.

One of our competitors in providing data on WordPress plugin vulnerabilities, the WPScan Vulnerability Database (now owned by Automattic), claims at the top of its homepage that with their service you will “[b]e the first to know about vulnerabilities affecting your WordPress website”: [Read more]

29 Nov 2021

WP Tavern’s Justin Tadlock Won’t Address Lack of Due Diligence With False Claims from Patchstack

Earlier this year we ran across claims from the web security company Patchstack that a bug bounty program they were running, which they were misleadingly marketing as a “red team”, was finding an extraordinary number of vulnerabilities in WordPress plugins.

In May, for example, they claimed that there were 292 vulnerabilities found and that one of the submitters found 149 vulnerabilities and another found 101 vulnerabilities. Both the total and the individual numbers sounded hard to believe based on our experience, both collecting data on vulnerabilities in WordPress plugins and discovering vulnerabilities. [Read more]

23 Nov 2021

No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy’s web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving what they confusingly described as both a “bogus” and a “legitimate” WordPress plugin. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking being mentioned in the post. Sucuri, though, attributed it to compromised login credentials, despite their post indicating they hadn’t done the basic checking that should have been done before making that attribution.

While reviewing the changes being made to the plugin, we noticed that among the vulnerabilities fixed in that new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins. [Read more]

22 Nov 2021

Microsoft, Cyber Security Works, and Patchstack Don’t Understand a Basic Element of Security

Recently a security company we had not heard of before, named Cyber Security Works, released a report on a claimed stored cross-site scripting vulnerability that had been in the WordPress plugin Microsoft Clarity. The report is a mess.

They list the “affected vendor” as “WordPress 5.8.1”, while the actual vendor is Microsoft. [Read more]

3 Nov 2021

Patchstack’s Vulnerability Database Isn’t “Hand curated, verified and enriched WordPress vulnerability information”

When it comes to data on vulnerabilities in WordPress plugins, what we have seen is that data sources other than us are often not doing basic verification. At its most serious, that leaves people thinking that they are using a secured version of a plugin, while still being vulnerable. If those data sources and others that reuse their data were upfront about that, it would be problematic, but they don’t even do that.

Take the Patchstack Vulnerability Database, which has replaced the WPScan Vulnerability Database in a lot of places once the latter source started limiting free access. It is marketed with the claim that it is: [Read more]

5 Aug 2021

Patchstack’s Severity Scores Continue To Be Highly Misleading

To help our customers better understand the risk posed by a vulnerability in a WordPress plugin, we provide a rating of how likely the vulnerability is to be exploited. Other security providers provide what turns out to be a much less useful metric, a severity score.

One company that continues to provide an example of the decided lack of value of those scores is Patchstack. A month ago we noted an instance where they had given a “vulnerability” a severity score of 7.4 out of 10. We put vulnerability in quotes there, since there wasn’t even really a vulnerability. Even if you wanted to argue there was a vulnerability, it was one that has to be exploited by an attacker logged in to WordPress as an Administrator. Since they are an Administrator, they could already do what was supposed to be the vulnerability, making this not a vulnerability, but even if you want to argue otherwise, how could it be that severe? [Read more]

23 Jul 2021

Patchstack Managed to Spread a False Claim of a Vulnerability and Falsely Claim it Had Been Fixed

One of the big problems with keeping up with vulnerabilities in WordPress plugins these days is that many of the recent reports of claimed vulnerabilities are false reports. If you are getting your data from us, we weed out those reports, but other data providers are not only failing to do that, they are incentivizing more of those reports.

Part of what could explain why they are including those, beyond inflating the number of vulnerabilities they claim to know about, is that they are not doing the due diligence they should be doing and, in one case, claim to be doing. When you don’t do that due diligence there are serious problems, including missing real vulnerabilities that you would have found when checking on a false report, and telling people that a real vulnerability has been fixed when it hasn’t. [Read more]