7 Sep 2023

WPMU DEV and Their Partner Patchstack Didn’t Handle Security Vulnerability in 400,000+ Install Plugin Well

WPMU DEV is a WordPress plugin developer that we have noted in the past hasn’t been handling security well despite being a security provider. They offer the Defender plugin, which WordPress says has 90,000+ installs. WPMU DEV claims that the pro version of that has 300,000+ installs. If you head to the homepage for the pro version right now, they claim to provide “reliable WordPress security”, which is powered by Patchstack:

[Read more]

27 Jul 2023

WordPress Security Providers Delaying Vulnerability Disclosures Doesn’t Stop Hackers From Figuring Them Out

This week we have been covering a mess that started with the developers of the Freemius library not properly handling a security issue we reported to them last year. Instead of addressing the issue at the time, they put out a post criticizing and lying about what had gone on. They wrote this about us warning about the vulnerabilities after they had released an incomplete fix (without giving us a chance to review the changes first):

Unlike last time, we didn’t even try to ask the reporter to remove the article as we’ve learned it’s a waste of time and our request can only backfire on us. Instead, we politely tried to understand the reasoning behind the unexpected disclosure to assess if/how we could avoid it in the future. [Read more]

26 Jul 2023

Patchstack Causes Developer of 600,000+ Install WordPress Plugin to Release Phantom Security Update

In February of last year, we tried to work with the developer of the Freemius library, which is widely used in WordPress plugins, to address a number of security issues that came up during a security review of a plugin using it. Instead of them working with us, they incompletely addressed the issues on their own. We told them that the fix was incomplete, but they didn’t address things. Earlier this month they were claiming in a blog post that we did “not cooperate” with them in that situation, despite linking to a post about the previous situation where they stated they went “into a ‘silent mode’ and ke[pt] interactions to a minimum”. Also earlier this month, they finally addressed an issue we had warned them about at the time. That has led to a mess for developers and users of plugins using the library (and some not even using it). That mess includes the developer of a plugin with 600,000+ installs having to release a phantom security update to stop Patchstack from falsely claiming the plugin was still vulnerable.

While Patchstack has caused problems for various developers in this situation (and many others), Freemius is claiming that it is “a security company that truly cares about website security and works with you in full cooperation and coordination”. [Read more]

20 Jul 2023

Wordfence Falsely Claims It Has to Rely on Inaccurate Plugin Vulnerability Data from Patchstack

On an unfortunately too regular basis, we are finding that vulnerabilities that were supposed to be fixed in plugins being used by our customers haven’t been fully fixed and in some cases haven’t been fixed at all. That is the case with a vulnerability that was recently supposed to have been fixed in the 200,000+ install plugin Ultimate Member. In looking into that, we ran across several other problems involving competing data providers that are not being honest about their data and its sourcing.

In our recent monitoring of possible discussions about plugin vulnerabilities in the WordPress Support Forum, we have seen a Wordfence employee claiming that Wordfence doesn’t have control over their own plugin vulnerability data. Here was one instance of that: [Read more]

7 Jul 2023

Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About

Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way:

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

21 Jun 2023

Patchstack’s “Early Warning” About Vulnerability Isn’t Early and Fails to Warn It Isn’t Fixed

As we have noted in the past, the WordPress security provider Patchstack is falsely claiming to know about hundreds of zero-day vulnerabilities and claiming to be providing “early warnings” to their customers on vulnerabilities that were already public before they had warned about them. If they are willing to mislead on such things, it shouldn’t be a surprise that there are other problems with these “early warnings” that are more significant. That is exactly what happened with an “early warning” this week.

On Monday, June 19, Patchstack claimed to be providing an early warning about a vulnerability in the plugin Super Socializer that was fixed in the latest version of the plugin: [Read more]

9 Jun 2023

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent cross-site scripting (XSS) vulnerability. That would allow an attacker not logged in to WordPress to cause JavaScript code they crafted to run for other visitors of the website. Depending on where that would run, that could, among other things, be used to cause malware to be included on front end pages of the website or code that causes users logged in to WordPress as Administrators to take action they didn’t want to happen. Both of those are things that hackers have been known to try to do on a wide scale.

Here is their description of the issue: [Read more]

5 May 2023

Another Instance of CVE’s CNA Mess Leading to Multiple CVE Records for One Vulnerability

The About page for the CVE program starts with a claim that the program creates one CVE Record for each vulnerability:

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. [Read more]

3 May 2023

Awesome Motive’s Easy Digital Downloads is Still Lacking Basic Security Despite Contrary Claim by Patchstack

Most days we see what appears to be a hacker probing for the usage of a single WordPress plugin with a recently disclosed vulnerability through a single request for a file on each of our websites. Yesterday, we saw them doubling up both on the files they were requesting and the IP addresses being used. The plugin they were looking for was Easy Digital Downloads. It wasn’t hard to guess why, as Patchstack had disclosed how to exploit a serious vulnerability that had been fixed the day before. While reviewing this, we found that there are still security issues that run counter to a central claim made by Patchstack.

Before we get to that, it’s important to note who the developer of the plugin is. That is Awesome Motive. That would be the Awesome Motive that has a chief security officer (CSO) who is also the “security reviewer” on the team running the WordPress Plugin Directory. That would be the Awesome Motive that took two months to fix a publicly known vulnerability in a plugin with 3+ million installs. They frequently acquire existing WordPress plugins, which is how they came to be the developer of this plugin. The vulnerability that was fixed was introduced six months after they had acquired the plugin. [Read more]