Login

Patchstack News

5 Dec 2022

Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities involved them being weeks behind offering protection that keeping plugins updated would have provided and failing to offer that for a vulnerability likely to be exploited by a hacker. At the end of the week, they put out information on what they claimed were vulnerabilities that had existed in a plugin, Easy WP SMTP, used by at least one of our customers, so we went to check over that. What we found is that they were not vulnerabilities, as the “attacker” would already need to have control of the website, because they would need to be logged in as an Administrator.

One of those was claimed to be an authenticated arbitrary file deletion vulnerability, described this way: [Read more]

30 Nov 2022

Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker

WordPress security providers often make extraordinary claims about their services, which not only couldn’t be true, but even to the extent they could deliver something reasonably close to it, they fail to do that. The service Patchstack makes this claim about what they deliver:

Be notified instantly when there is a new security vulnerability present on any of your sites. [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]

28 Nov 2022

Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor

There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress.

This week Patchstack started promoting that it is providing “early alerts and protection” for vulnerabilities to their customers: [Read more]

18 Nov 2022

Patchstack Provided Inaccurate Information on Vulnerability Claimed to Be Exploited in WordPress Plugin

Recently it was claimed that the WordPress plugin RD Station had led to a website’s database being replaced:

when are you going to fix the problem, a couple of weeks ago a site was attacked by this vulnerability, the entire database was replaced, we contacted you and this was the response [Read more]

14 Nov 2022

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone that describes themselves as a “search marketer” writing for a news outlet unrelated to security is writing about those we don’t know. Whatever the reason, his stories on the subject get included in Google News and spread on social media.

Mr. Montti’s WordPress plugin vulnerability stories are often wrong in multiple different ways and in ways that indicate he is not familiar with the subject matter (not surprising considering his non-security background). We tried in the past to gently suggest to him that information in stories was not entirely accurate, but he never corrected those stories and continued to make the same mistakes. He hasn’t gotten anyone else with knowledge of security to provide input for his stories either. The Search Engine Journal also doesn’t seem interested in addressing this, as we never got a response when we contacted them about a story from him that was outright false. [Read more]

3 Nov 2022

If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist

Recently WordPress changed their policy on discussing vulnerabilities in plugins on their forum, that is leading to public discussions of the kind that we are frequently party to in private. Among the issues that we have run across are plugin developers claiming that there isn’t a vulnerability in their plugin, because a data provider isn’t mentioning it. You can see that with a public discussion involving a claim from one of those data providers, Patchstack, that there is a vulnerability in the current version of a plugin.

The response from the developer to that claim was this: [Read more]

1 Nov 2022

Wordfence Isn’t Disclosing They Are Copying (Possibly Inaccurate) Plugin Vulnerability Information From Competitor Patchstack

Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another competitor.

Yesterday a topic was started on the support forum for a plugin about a warning of a vulnerability from the Wordfence Security plugin. The users of Wordfence Security were not given helpful information on the claimed issue by Wordfence, as can be seen by this comment from one of them: [Read more]

31 Oct 2022

Authenticated Settings Change Vulnerability in WP Page Widget

Last week the WordPress plugin WP Page Widget was closed on the WordPress Plugin Directory. As that plugin is one of the 1,000 most popular plugins, we were alerted to its closure. No reason has been given for the closure. But there is a security issue in the latest version.

About a month ago a competitor of ours, Patchstack, claimed a cross-site request forgery (CSRF) vulnerability had been fixed in the latest version of the plugin. They didn’t provide basic information needed to confirm the claim, as the “details” given are: [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]