8 Jul 2021

WPScan and Patchstack Spread False WordPress Plugin Vulnerability Report That Looks Like Satire of False Report

One of the things we provide to customers of our service as part of our data set on WordPress plugin vulnerabilities is information on false reports of vulnerabilities. These days the source of many of those false reports is not who you would expect, as it is the two main other data providers. One of those, WPScan, claims that they are verifying these false reports and the other, Patchstack, claims to be providing patches for them. In both cases, what they claim to do flies in the face of them spreading obvious false reports. One of those reports is so bad it reads like it would be someone in the industry’s attempt at satirizing bad reports, not something being claimed to be real.

The report involves a plugin named Hotjar Connecticator, which was removed from the WordPress plugin directory at the time this report was released. The report was published directly with WPScan: [Read more]

1 Jul 2021

A Month Later, Other WordPress Plugin Vulnerability Data Providers Still Not Warning About Hacker Targeted Plugin With Unfixed Vulnerability

Earlier this week we mentioned that we had warned our customers about easily exploitable vulnerabilities in a WordPress plugin with 400,000+ installs nearly a month before other data providers did. But in that situation they were at least warning before we saw hackers probing for usage of the plugin. With another plugin recently targeted by hackers the situation is worse.

On May 26 we saw what looked to be a hacker probing for usage of the WordPress plugin Modern Events Calendar Lite on our website. While there were older vulnerabilities that had been in the plugin that might explain a hacker’s interest in it, we checked over the plugin to see if there might be a vulnerability in the current version that they could be targeting. Here is what we said at the time about what we found: [Read more]

29 Jun 2021

We Warned About “Easily Exploitable Critical Vulnerabilities” in ProfilePress Nearly a Month Before Other Security Providers

Yesterday Wordfence disclosed vulnerabilities that existed in the WordPress plugin ProfilePress (previously WP User Avatar) that they described as “critical and easily exploitable security issues” that:

made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication [Read more]

25 Jun 2021

Patchstack Claims Medium Severity Vulnerability Existed When Discoverer States Issue Isn’t Real Threat

Yesterday we touched on one recent false report of a vulnerability in the WordPress plugin WP Super Cache, but there were additional claimed vulnerabilities that were connected to that. With one of those, one of our competitors, Patchstack, claimed that not only was there a vulnerability, but that it had a medium severity:

[Read more]

24 Jun 2021

10Web Partners With Patchstack While Leaving Their WordPress Plugins Vulnerable

One of the realities when it comes to security surrounding WordPress is that many companies market themselves as caring about security while not really caring about it. Sometimes they even join forces.

Yesterday we mentioned one security provider, Patchstack, in the context of them and their Red Team not having a basic understanding of WordPress security. While looking more into Patchstack we found that last week they announced a partnership with 10Web. The claims made by 10Web in that announcement are in direct conflict with what we have seen from them in trying to work with them to fix a security vulnerability in one of their plugins, and with what we have seen of Patchstack. We also found that at least one more of their plugins, with 300,000+ installs, contains the same vulnerability we have tried to work with them to fix in one of their plugins. [Read more]

24 Jun 2021

The WP Super Cache Vulnerability That Wasn’t a Vulnerability

In March, Search Engine Journal wrote a story about a “vulnerability” in the very popular WordPress plugin WP Super Cache, which has 2+ million installs. The issue was described this way:

A flaw was disclosed today that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability. [Read more]

23 Jun 2021

Patchstack and Their Red Team Don’t Understand Basics of WordPress Security

One long-time issue when it comes to collecting data on vulnerabilities in WordPress plugins is that many reported vulnerabilities are not really vulnerabilities. What has recently been an increasing problem, though, is that these false reports are coming directly from other data providers. One of those providers is Patchstack, which has something called the Patchstack Red Team. That apparently is a bug bounty program, not really a red team (or a team at all), but whatever it is, Patchstack posted a listing to their vulnerability database the other day for the plugin WP Reset that is credited to “m0ze (Patchstack Red Team)”. Looking at the details of that didn’t look promising as to it being a real vulnerability, and a quick check of the code confirmed that it wasn’t.

Authenticated Stored Cross-Site Scripting (XSS) in WP Reset

The only details provided about the claimed authenticated stored cross-site scripting (XSS) vulnerability are these two proofs of concept: [Read more]

21 Jun 2021

WPScan Misses Real Serious Vulnerability in WordPress Plugin Hana Flv Player While Spreading False Claim of Vulnerability

Recently one of our competitors in the WordPress plugin vulnerability space, WPScan, released a report claiming there was an authenticated stored cross-site scripting (XSS) vulnerability in the plugin Hana Flv Player. At first glance it appeared like a lot of the false reports they include in their data, but further checking showed that while the claimed vulnerability didn’t exist, there really was an even more serious vulnerability in the relevant code. As of our posting this, the plugin is still available in WordPress’ plugin directory despite that.

Their report of an “authenticated stored cross-site scripting (XSS) vulnerability” starts with this past-tense claim: [Read more]