28 Feb 2023

You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Are you relying on a security provider to warn about vulnerabilities in WordPress plugins you use? Are you skipping testing the proof of concepts for those vulnerabilities because the security provider claims to be verifying things for you, or because you don’t have the capability to do that? If you answered yes to both of those, we have bad news for you: many of those providers are not doing that testing either, which leaves websites running still-vulnerable plugins while hackers have information on how to exploit them. A recent example of that involves a plugin with 20,000+ installs, where most data providers recently claimed that a known vulnerability in the plugin had been fixed, despite the proof of concept contradicting that.

Here was the original source of the claim, Automattic’s WPScan, making it (and claiming they had verified their information): [Read more]

14 Feb 2023

Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

In June 2021, the WordPress security provider Patchstack announced that they were partnering with WordPress plugin provider and web host 10Web. Patchstack claimed that they and 10Web were working together to “help strengthen the WordPress ecosystem.” It was a curious claim at the time, considering that 10Web was at that very time failing to fix a vulnerability they knew about in two of their plugins with 320,000+ installs. (One of those plugins has been closed on the WordPress Plugin Directory since June 2022 because of a “Security Issue.”) The partnership hasn’t led to 10Web’s plugins getting more secure.

In July of last year, the plugin 10Web Booster was introduced to the WordPress Plugin Directory. If you believed 10Web’s marketing, you would think that the plugin had been properly secured: [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability, discovered by Lana Codes, involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality was that it didn’t just email the password; it also sent it back as part of the response to the request that had it emailed. So an attacker could submit the request to have the password emailed for a WordPress user’s account, read the password that was only supposed to be emailed out of the response, and then log in to that account.

Preventing an information disclosure issue like this would be difficult for a WordPress security plugin that isn’t aware of the particular vulnerability, since it would have to recognize that something that shouldn’t be disclosed is being disclosed. So it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might expand its protection, so we were curious to see if any other plugins provided protection. [Read more]
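The response-disclosure pattern described above, as an added illustration that is not the User Verification plugin’s code and not Lana Codes’ proof of concept: a hypothetical WordPress AJAX handler (the function names, the `uv_send_otp`/`uv_verify_otp` action names and the user meta keys are all assumed) in its vulnerable form, which echoes the emailed one-time password back in the JSON response, beside a fixed form that returns only a status message, stores only a hash of the code, and lets it expire and be used once.

```php
<?php
/**
 * Added illustration of the "secret echoed back in the response" pattern.
 * NOT the User Verification plugin's code: the function names, the AJAX
 * action names and the user meta keys below are hypothetical.
 */

// --- Vulnerable pattern --------------------------------------------------
// Generates a one-time password, emails it, then returns the same secret
// in the JSON response. Registered on wp_ajax_nopriv_*, so any visitor who
// knows an account's email address can request a code for it and read it
// straight out of the response, without access to the mailbox.
function uv_send_login_otp_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'No such user.' ) );
    }

    $otp = wp_generate_password( 8, false );
    update_user_meta( $user->ID, 'uv_login_otp', wp_hash_password( $otp ) );
    update_user_meta( $user->ID, 'uv_login_otp_expires', time() + 10 * MINUTE_IN_SECONDS );
    wp_mail( $user->user_email, 'Your login code', "Your login code is: $otp" );

    // The bug: the code that was only supposed to be emailed is in the body.
    wp_send_json_success( array( 'message' => 'Code sent.', 'otp' => $otp ) );
}

// --- Fixed pattern -------------------------------------------------------
// Same flow, but the response carries nothing usable: no secret, and the
// same message whether or not the account exists, which also closes the
// user-enumeration side channel the vulnerable version has.
function uv_send_login_otp_fixed() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        $otp = wp_generate_password( 8, false );
        update_user_meta( $user->ID, 'uv_login_otp', wp_hash_password( $otp ) );
        update_user_meta( $user->ID, 'uv_login_otp_expires', time() + 10 * MINUTE_IN_SECONDS );
        wp_mail( $user->user_email, 'Your login code', "Your login code is: $otp" );
    }
    wp_send_json_success( array(
        'message' => 'If that address is registered, a code has been emailed.',
    ) );
}

// --- Verifying the code on login -----------------------------------------
// Only the hash is stored, the code expires after ten minutes, and it is
// deleted on successful use, so a copied database row or a replayed
// request does not yield a login.
function uv_verify_login_otp() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $otp   = (string) wp_unslash( $_POST['otp'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Invalid code.' ) );
    }

    $hash    = get_user_meta( $user->ID, 'uv_login_otp', true );
    $expires = (int) get_user_meta( $user->ID, 'uv_login_otp_expires', true );
    $valid   = $hash && $expires > time() && wp_check_password( $otp, $hash );
    if ( ! $valid ) {
        wp_send_json_error( array( 'message' => 'Invalid code.' ) );
    }

    // Single use: remove the code before issuing the session.
    delete_user_meta( $user->ID, 'uv_login_otp' );
    delete_user_meta( $user->ID, 'uv_login_otp_expires' );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( array( 'message' => 'Logged in.' ) );
}

add_action( 'wp_ajax_nopriv_uv_send_otp', 'uv_send_login_otp_fixed' );
add_action( 'wp_ajax_nopriv_uv_verify_otp', 'uv_verify_login_otp' );
```

The check a site owner would run against a proof of concept of this kind is the same for either handler: send a POST to `/wp-admin/admin-ajax.php` with the action name and a target email address and inspect the JSON body. With the vulnerable handler, the `otp` field appears in the response; with the fixed one, only the status message does. Attempt limiting and rate limiting on both endpoints are left out of the illustration and would be needed in a real plugin.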

31 Jan 2023

Hacker Might Be Exploiting Unfixed Plugin Vulnerability That WPScan, Patchstack, and Wordfence All Claimed Was Fixed

In a now deleted review of the WordPress plugin Beautiful Cookie Consent Banner, someone made the claim that the plugin is insecure and leading to malware:

The plugin is full of malware. Check your source code and run a security check. If you have malware, it’s this plugin!!! [Read more]

30 Jan 2023

WordPress Security Community’s Poor Results on Display With Failed Fix of Vulnerability in 3+ Million Install Plugin MonsterInsights

A couple of weeks ago WordPress security provider WPScan, which is controlled by the head of WordPress Matt Mullenweg, claimed that an authenticated persistent cross-site scripting (XSS) vulnerability involving its Inline Popular Posts block had been fixed in the latest version, 8.12.1, of the 3+ million install plugin MonsterInsights:

[Read more]

5 Jan 2023

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer.

Here was WPScan, the original source for the claim: [Read more]

4 Jan 2023

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that its moderators often get in the way and cause unnecessary problems (as well as engaging in other troubling behavior, including deleting unflattering information about a company they promote). At the same time, they don’t take action when there is something they could help with. That is the case with the 8,000+ install WordPress plugin Bulk Delete Comments. Two weeks ago, a one-star review was left with a concerning claim:

This plugin might be hacked or it is shady one way or another, because it has started to slow down WordPress when including an inclusion of JavaScript located at: alishahalom.com [Read more]

23 Dec 2022

Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Yesterday, we published a post about Patchstack’s false claim to know about hundreds of undisclosed zero-days, which, if true, would be a very serious issue. Instead, the “zero-days” are “Vulnerabilities reported to us which we are still processing and will be published soon.”, which turns out to mean even less than that makes it sound like.

When we were writing that post, they were claiming to have 45 vulnerabilities that they would be publicly publishing “after a 48 hour delay”: [Read more]

22 Dec 2022

Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Recently, we noted that the WordPress security provider Patchstack was marketing their service with a misleading claim to be providing “early alerts and protection”, where in one instance, they were only aware of a vulnerability two weeks after it was fixed and after it had been publicly disclosed by a competitor, and in another, the “vulnerabilities” involved the attacker already having control of the website. Since then, they removed that marketing claim, but switched to another highly inaccurate claim in its place.

Zero-day vulnerabilities are serious vulnerabilities, not only because they are vulnerabilities that a hacker is exploiting, but because the developers are not aware of them when they start to be exploited, so simply keeping software up to date won’t protect you from them. Those do exist in WordPress plugins. With what appears to be a recent one, Patchstack failed to warn about it even after it was disclosed. [Read more]

7 Dec 2022

Patchstack Isn’t Verifying Vulnerability Info Being Copied From WPScan’s Inaccurate Data

Yesterday, we noted that the WordPress security provider WPScan isn’t verifying claimed vulnerabilities being added to their data set, despite claiming to do just that. That came in the context of them claiming that there was a vulnerability in a plugin, where what they claimed was at issue wasn’t really a vulnerability, while a more serious vulnerability really did exist. That wasn’t a one-off issue.

WPScan recently claimed that the plugin Popup Maker had contained an admin+ stored cross-site scripting vulnerability, which they described this way: [Read more]