29 Jan 2025

WordPress Plugin Developers Directing Vulnerabilities Reports To Patchstack Doesn’t Signal They Take Security Seriously

Earlier in the week, we talked about how the developers of a security solution were failing to show the WordPress community (and their wider audience) that their scores provide a meaningful and useful measure of security. We also talked about how a WordPress security provider, Patchstack, was once again being dishonest. While preparing that latter post, we noticed they made this case for plugin developers having vulnerability reports directed away from them to Patchstack:

Having a VDP security program is a signal to your users that you take security seriously and your software is trustworthy. [Read more]

27 Jan 2025

Patchstack Apparently Didn’t Take Basic Step to Get Unfixed Exploitable Vulnerabilities Fixed Before Disclosing Them

Last week WordPress security provider Patchstack disclosed what they claimed was an unfixed exploitable vulnerability in a WordPress theme and one in a related WordPress plugin. We say claimed, because some of the information they provided appeared on its face to be very wrong. Early in the post, they wrote that “code that handles user input didn’t have any authorization or nonce check.” Code that handles user input doesn’t necessarily require an authorization or a nonce check. For example, doing a search on a WordPress based website doesn’t require either of those things, despite involving user input. A more salient point is that they then promptly showed the code, and it not only contained a nonce check, but even had a comment about it, “First check the nonce, if it fails the function will break:”

[Read more]

27 Jan 2025

Patchstack’s Vulnerability Disclosure Program (VDP) Goes Against Important Requirements of EU’s Cyber Resilience Act

In October, the European Union approved the Cyber Resilience Act (CRA) after two years of development. It seems well thought out, which is probably best shown by the authors’ understanding of the harm that security providers’ own bad security often creates. Unfortunately, in the run up to passage, WordPress and others had tried to portray it as having negative effects on open source software (while also providing a misleading portrayal of security handling at WordPress). That is despite it actually requiring for-profit entities that take advantage of open source software to help secure it. Also unfortunately, an unscrupulous WordPress security provider is trying to mislead the WordPress community as to what the act entails, so as to continue harmfully directing vulnerability reporting away from developers.

That provider is Patchstack. Here is how it mentions complying with the CRA through them on a page on its website about its vulnerability disclosure program (VDP): [Read more]

22 Jan 2025

Plugin That Patchstack Is Claimed to Ensure Is Secure Contains an Additional Outdated Known Insecure Library

Last week we talked about two popular WordPress plugins that had been run through our Plugin Security Scorecard and identified as containing rather out of date versions of third-party libraries, which, according to the libraries’ developers, contained security issues. The libraries in question were different in the two plugins, but it turns out they also have another library in common, and both are using outdated, known insecure versions of it. One of those plugins is the 1+ million install SVG Support, where someone reported to the developer at the end of October that it was also using an outdated and known insecure version of the library DOMPurify. There still hasn’t been an update to the plugin to address that, and more people have since reported the issue. After seeing that, we started looking into adding a check for DOMPurify to our Plugin Security Checker. Through that, we found a couple of fairly popular plugins are also still using older versions that the developer of the library says are insecure.

We contacted the developer of one of those yesterday to let them know about the problem. The version they are using is subject to issues that were publicly disclosed by the developer of the library in September and October. There are not any topics on the support forum for the plugin about that, which is interesting considering the other plugin had multiple people report it to the developer. [Read more]
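A check of the kind described above, written here as an added example (this is not the Plugin Security Checker’s code): walk a plugin directory, find bundled copies of DOMPurify and report the version each one declares. It assumes the version can be recovered from DOMPurify’s distributed files in one of three ways, which is an assumption about the library’s build output rather than something documented on this page: the “/*! @license DOMPurify X.Y.Z | (c) Cure53 …” header comment, the “DOMPurify/blob/X.Y.Z/LICENSE” URL in older headers, or the “DOMPurify.version = 'X.Y.Z'” assignment in unminified builds. Which versions count as insecure is not decided by the script; the caller passes the minimum acceptable version.

```php
<?php
// Added example, not code from Plugin Vulnerabilities or from DOMPurify.
// Usage: php dompurify-check.php /path/to/wp-content/plugins/some-plugin 3.0.0
// With no arguments it runs the extractor against a constructed sample header.

/**
 * Return the version string declared in a DOMPurify build, or null if the
 * file does not look like DOMPurify. The three patterns are assumptions
 * about how DOMPurify's dist files have been formatted over time.
 */
function pv_extract_dompurify_version( string $source ): ?string {
    // Current header comment: /*! @license DOMPurify 3.1.6 | (c) Cure53 ...
    if ( preg_match( '/@license\s+DOMPurify\s+(\d+\.\d+\.\d+)/', $source, $m ) ) {
        return $m[1];
    }
    // Older header: the version only appears in the LICENSE link.
    if ( preg_match( '#DOMPurify/blob/(\d+\.\d+\.\d+)/LICENSE#', $source, $m ) ) {
        return $m[1];
    }
    // Unminified builds also carry an explicit assignment near the bottom.
    if ( preg_match( '/DOMPurify\.version\s*=\s*[\'"](\d+\.\d+\.\d+)[\'"]/', $source, $m ) ) {
        return $m[1];
    }
    return null;
}

/**
 * Scan every .js file under $dir. Each finding reports the file, the version
 * found (null when DOMPurify is mentioned but no version could be parsed) and
 * whether it is older than $min_version as supplied by the caller.
 */
function pv_scan_dompurify( string $dir, string $min_version ): array {
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'js' ) {
            continue;
        }
        $source = file_get_contents( $file->getPathname() );
        // Cheap pre-filter before running the regexes.
        if ( $source === false || stripos( $source, 'DOMPurify' ) === false ) {
            continue;
        }
        $version = pv_extract_dompurify_version( $source );
        $findings[] = array(
            'file'     => $file->getPathname(),
            'version'  => $version,
            'outdated' => $version !== null && version_compare( $version, $min_version, '<' ),
        );
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $min_version = $argv[2] ?? '0.0.0';
    foreach ( pv_scan_dompurify( $argv[1], $min_version ) as $finding ) {
        printf(
            "%s\t%s\t%s\n",
            $finding['file'],
            $finding['version'] ?? 'version unknown',
            $finding['outdated'] ? 'OUTDATED' : 'ok'
        );
    }
} else {
    // Constructed sample header, not taken from any real plugin.
    $sample = "/*! @license DOMPurify 2.3.8 | (c) Cure53 and other contributors | "
            . "Released under the Apache license 2.0 and Mozilla Public License 2.0 */";
    echo pv_extract_dompurify_version( $sample ), PHP_EOL;
}
```

A file that mentions DOMPurify but yields no version is still reported, with the version marked unknown, because a stripped header is exactly the case a reviewer needs to look at by hand rather than have silently skipped.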

16 Dec 2024

Wordfence and WPScan Falsely Claim Closed WordPress Plugin Contains Serious Vulnerability

We are currently looking into yet another problem with the handling of security by Awesome Motive and the Security Reviewer from the WordPress Plugin Review Team. In doing that, we ran across another example of the incredibly sloppy work done by prominent providers of data on vulnerabilities in WordPress plugins.

In January, the WordPress plugin SimpleMap Store Locator was closed on the WordPress Plugin Directory for an unspecified “security issue.” [Read more]

12 Nov 2024

A WordPress Plugin Vulnerability Might Have a Fix Even if Security Providers Say That One Doesn’t Exist

Last week, we had someone contact us about addressing an unfixed vulnerability in a WordPress plugin. In taking a quick look at that, we found the vulnerability had been fixed over three years ago. So why was this person asking about that now? Well, it turned out, in part, that the security provider Patchstack, as is often the case, didn’t vet the information they simply copied from another provider.

Based on the name they used for the vulnerability, we could determine that Patchstack is the original source for this person’s information. Whether they got it directly from Patchstack or from someone in turn using their data, we don’t know. If you look at Patchstack’s listing for the relevant vulnerability, they don’t provide even basic information about the vulnerability. But they did say that it hadn’t been fixed and was in version 4.7 of the plugin. [Read more]

25 Oct 2024

WP Tavern’s Nathan Wrigley Highlights Duo of Companies Handling Security Badly as Example of Providing Better Security Outcomes

A new legal filing from lawyers representing Matt Mullenweg claims that he loves the WordPress community. That is hard to square with so much of what he does. For more than a decade, he has run a WordPress news outlet that fails to follow the basic journalistic standard of disclosing when the news outlet is covering the owner of the news outlet and related parties. That news outlet being the WP Tavern, which is also included in the WordPress news feed that he controls without a disclosure of the situation either. In addition to the news coverage, the WP Tavern has a podcast done by Nathan Wrigley. He isn’t someone who has shown any concern for the accuracy of what he covers. The latest podcast episode shows that off.

Before we get into the podcast episode, let’s step back in time to April 2022. That month, hackers started targeting a vulnerability in the very popular Elementor plugin. The vulnerability allowed arbitrary code to be run on the website by anyone logged in to WordPress with any user role that had access to the admin area of WordPress. Normally anyone logged in to WordPress has access to the admin area. That vulnerability was caused in part by Elementor failing to implement a very basic security check, a capability check, to make sure only a user with an intended capability could access the functionality. Another part of the cause was that Elementor was leaking a security nonce to users that shouldn’t have had access to it. [Read more]
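The two checks that the Elementor vulnerability conflated, shown side by side as an added example. This is not Elementor’s code and not code from the original post; it assumes a WordPress runtime, and the action name pv_example_install, the option name, the script handle and the file name pv-example.js are made up for the illustration. It also covers the point made in the 27 Jan post above: a nonce check and a capability (authorization) check answer different questions, so finding one says nothing about the other.

```php
<?php
/**
 * Plugin Name: PV Example: Nonce Check Is Not Authorization
 *
 * Added illustration (not Elementor's code). The vulnerable half mirrors the
 * pattern described above: a privileged admin_init handler guarded only by a
 * nonce, with that nonce handed to every user who loads the admin area. The
 * hardened half adds the capability check and stops leaking the nonce.
 */

// Flip to false to load the vulnerable variant instead of the hardened one.
$pv_example_hardened = true;

// --- Vulnerable pattern ----------------------------------------------------

// admin_init fires for every request to the admin area, including those from
// Subscribers, so the handler itself has to decide who may act.
function pv_example_vulnerable_handler() {
    if ( empty( $_POST['pv_example_install'] ) ) {
        return;
    }
    // A nonce proves the request originated from a page that embedded the
    // nonce; it does not prove the user is allowed to do this. No capability
    // check here, so any logged-in user holding the nonce gets through.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'pv_example_install' ) ) {
        wp_die( 'Bad nonce' );
    }
    // Stand-in for the privileged work (e.g. installing code from a URL).
    update_option( 'pv_example_last_install', sanitize_text_field( $_POST['pv_example_install'] ) );
}

// The nonce leak: it is localized into a script enqueued for every admin-area
// request, so any role that can reach wp-admin can read it and forge a request.
function pv_example_vulnerable_scripts() {
    wp_register_script( 'pv-example', plugins_url( 'pv-example.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'pv-example', 'pvExample', array(
        'nonce' => wp_create_nonce( 'pv_example_install' ),
    ) );
    wp_enqueue_script( 'pv-example' );
}

// --- Hardened pattern ------------------------------------------------------

function pv_example_hardened_handler() {
    if ( empty( $_POST['pv_example_install'] ) ) {
        return;
    }
    // Authorization first: only users who could install plugins anyway may
    // trigger this, regardless of whether they obtained a valid nonce.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // The nonce check stays; it is the CSRF defence, not the authorization.
    check_admin_referer( 'pv_example_install' );
    update_option( 'pv_example_last_install', sanitize_text_field( $_POST['pv_example_install'] ) );
}

function pv_example_hardened_scripts() {
    // Do not hand the nonce to users who must never perform the action.
    if ( ! current_user_can( 'install_plugins' ) ) {
        return;
    }
    wp_register_script( 'pv-example', plugins_url( 'pv-example.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'pv-example', 'pvExample', array(
        'nonce' => wp_create_nonce( 'pv_example_install' ),
    ) );
    wp_enqueue_script( 'pv-example' );
}

add_action( 'admin_init', $pv_example_hardened ? 'pv_example_hardened_handler' : 'pv_example_vulnerable_handler' );
add_action( 'admin_enqueue_scripts', $pv_example_hardened ? 'pv_example_hardened_scripts' : 'pv_example_vulnerable_scripts' );
```

The order in the hardened handler matters for review as much as for defence: the capability check is what would have stopped the Elementor-style attack, and keeping the nonce check alongside it is what stops a logged-in administrator from being tricked into the action by a crafted page. Conversely, the front-end search case mentioned in the 27 Jan post needs neither, because nothing privileged happens.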

18 Oct 2024

WordPress Plugin Vulnerability Data Providers Are Failing to Warn About Unfixed Vulnerability In WordPress’ Latest Canonical Plugin WPGraphQL

On Wednesday of last week, we posted that WordPress’ latest canonical plugin WPGraphQL contained a vulnerability because the developer had failed to update a third-party library included in the plugin for 18 months. We contacted the developer to alert them to that earlier the same day. We have yet to hear back from them, and the plugin, as well as two other plugins from the same developer with the same issue, has yet to have a new version released to fix the vulnerability. We asked WordPress if they were going to take over the plugin, like they did with Advanced Custom Fields, to address that. We haven’t received any response.

Our customers have been warned about that vulnerability, but those relying on other providers for WordPress plugin vulnerability data are still in the dark. Those getting data from a provider other than us are almost always ultimately getting it from one of three providers. One is owned by Automattic, which is the new employer of the developer of WPGraphQL. That provider, WPScan, isn’t warning about this: [Read more]

12 Sep 2024

Patchstack’s CEO Indirectly Admits Their Vulnerability Disclosure Program (VDP) is Unethical

Earlier this year, when we were trying to figure out how to contact the developer of the Kadence Blocks plugin, which is a part of StellarWP, to alert them that they had failed to fix a vulnerability in the plugin, we found their website had a page titled, “Responsible Security Disclosure Policy for KadenceWP.” The first paragraph of the page starts out by saying, “it is a standard practice in security research to responsibly and privately disclose discovered vulnerabilities to the software vendor prior to public release. This is even more critical when we work together to protect users in an open source space such as the WordPress community.” That sounds reasonable enough. (Responsible disclosure isn’t necessarily all that responsible, but that is an issue for another day.)

From there, they offer to help get the contact information for developers whose solutions extend theirs: [Read more]