24 Apr 2025

WordPress Plugin Developer Security Advisory: StellarWP

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across plugins. Many developers properly secure their plugins, and others get them properly secured once alerted that they haven't. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who have introduced new serious vulnerabilities substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers' plugins. In addition to the posts on our website for information on those advisories, we provide access to the information in several other forms. That includes the companion plugin for our service, even when not using the service, as well as a web browser extension and separate data accessible from our website. [Read more]

31 Jan 2025

Patchstack Admits to Failing to Do Basic Due Diligence With Vulnerability Reports, Which Leads to Vulnerabilities Remaining Unfixed

Last May, we looked into a claim from Automattic's WPScan that a vulnerability in the implementation of WordPress blocks in the 400,000+ install WordPress plugin Kadence Blocks had been fixed. They provided little information and didn't show any evidence that the issue had been resolved. There was the further problem that the changelog for the version they claimed the issue was fixed in had no mention of a security fix. We did find that the proof of concept they provided stopped working in that version. But we also found that plenty of code related to the issue was still not properly secured. We confirmed that at least one instance was still vulnerable.

Before warning our customers about that, we attempted to work with the developer, StellarWP, to get it addressed. On the website of their Kadence brand, there is a page on responsible disclosure that starts this way (emphasis ours): [Read more]

12 Sep 2024

Patchstack’s CEO Indirectly Admits Their Vulnerability Disclosure Program (VDP) is Unethical

Earlier this year, when we were trying to figure out how to contact the developer of the Kadence Blocks plugin, which is part of StellarWP, to alert them that they had failed to fix a vulnerability in the plugin, we found their website had a page titled, “Responsible Security Disclosure Policy for KadenceWP.” The first paragraph of the page starts out by saying, “it is a standard practice in security research to responsibly and privately disclose discovered vulnerabilities to the software vendor prior to public release. This is even more critical when we work together to protect users in an open source space such as the WordPress community.” That sounds reasonable enough. (Responsible disclosure isn’t necessarily all that responsible, but that is an issue for another day.)

From there, they offer to help get the contact information for developers whose solutions extend theirs: [Read more]

4 Sep 2024

It’s Very Common For Libraries Used in WordPress Plugins to Not Have a Security Policy on GitHub on How to Report Security Issues

Yesterday, we noted in a post that a third-party library used in a very popular WordPress plugin didn't have any listed security advisories in its GitHub project, despite the developer having acknowledged that a vulnerability had been fixed. What we also noted in passing was that there also wasn't a security policy provided for the library, which would explain how to report other security issues in the library. You can see that in this screenshot of the library's Security tab on GitHub:

[Read more]

27 Aug 2024

Wordfence Security and Solid Security Developers Not Supporting Standard to Avoid Security Problem They Confronted

In a recent post on the WordPress security provider Wordfence's blog, they claimed their "mission is to Secure the Web." If you understand their business model, this rings hollow, as what they offer is built around trying to address the after-effects of not securing the web. That very blog post also undercuts the claim, as they confronted a well-known problem with better securing plugins and simply ignored it. They are not alone, as the situation detailed in the blog post also directly involves another security provider, StellarWP. StellarWP is the developer of Solid Security.

The blog post discusses a situation where Wordfence bought a report of a vulnerability in another StellarWP plugin, GiveWP. Twice in the post, they note that they failed to successfully communicate with StellarWP about it. First, they wrote this: [Read more]

7 Aug 2023

Code That Leads to Arbitrary File Upload Vulnerability in StellarWP’s Kadence Blocks Has Been There for 5 Months

A couple of weeks ago, we noted how Wordfence had claimed that a lack of newly introduced vulnerabilities being detected in WordPress plugins was proof that the security of plugins was improving, when it could instead be that detection of newly introduced vulnerabilities isn't very good. A serious vulnerability that recently became functional in the 300,000+ install plugin Kadence Blocks is further evidence of poor detection of newly introduced vulnerabilities.

The developer of that plugin, StellarWP, has had a terrible security track record despite developing one of the most popular security plugins. That record includes failing to fix a vulnerability that their own security plugin was warning about, and failing to implement basic security in another plugin, leading to a zero-day. That makes the issue with Kadence Blocks not all that surprising. [Read more]

26 Jul 2023

StellarWP Hasn’t Fixed Vulnerable Plugin Their Own Security Plugin Has Warned About Since Last Week

Earlier today, we looked at a mess created by the developer of a popular library used in WordPress plugins, Freemius, and the WordPress security provider Patchstack. Another company playing a supporting role in what was discussed is StellarWP (which is part of Liquid Web). On their homepage, StellarWP makes this strong claim:

The most trusted plugins and people in WordPress. [Read more]