Best WordPress Hosting
 

Tag Archives: Patchstack

Patchstack’s “Early Warning” About Vulnerability Isn’t Early and Fails to Warn It Isn’t Fixed

Posted on by

As we have noted in the past, the WordPress security provider Patchstack is falsely claiming to know about hundreds of zero-day vulnerabilities and claiming to be providing “early warnings” to their customers on vulnerabilities that were already public before they Continue reading Patchstack’s “Early Warning” About Vulnerability Isn’t Early and Fails to Warn It Isn’t Fixed

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Posted on by

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent Continue reading Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Not Really a WordPress Plugin Vulnerability, Week of April 28

Posted on by

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of April 28

iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Posted on by

Recently, iThemes (which is being rebranded as SolidWP) and their partner, Patchstack, have been incorrectly labeling that a 100,000+ install WordPress plugin, Download Manager, contained an unfixed vulnerability. The problem stems in part to confusion with a claim that vulnerability Continue reading iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

Posted on by

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known Continue reading Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

Posted on by

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence Continue reading Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

Posted on by

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Many of those vulnerabilities have been SQL injection vulnerabilities. Over the weekend we saw them looking for Continue reading WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence

Posted on by

Providing accurate information on vulnerabilities in WordPress plugins can require a lot of work, but doing the work avoids causing false alarms for users of plugins and for the developers of them. Unfortunately, security companies can cut corners, claim to Continue reading Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

Posted on by

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, Continue reading Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Posted on by

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things Continue reading Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Posted on by

Are you relying on a security provider to warn about vulnerabilities in WordPress plugins you use? Are you not testing out the proof of concepts for those vulnerabilities because the security provider claims they are verifying things for you or Continue reading You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

Posted on by

In June 2021, the WordPress security provider Patchstack announced that they were partnering with WordPress plugin provider and web host 10Web. Patchtack claimed that they and 10Web were working together to “help strengthen the WordPress ecosystem.” It was a curious Continue reading Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

Posted on by

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability discovered by Lana Codes involved the plugin’s functionality to email a one-time password for logging Continue reading WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Posted on by

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer. Here was WPScan, the original source for the claim: [Read Continue reading Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Posted on by

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of that often get in the way and causing unnecessary problems (as well other troubling behavior, including deleting Continue reading Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Posted on by

Yesterday, we published a post about Patchstack’s false claim to know about hundreds of undisclosed zero-days, which, if true, would be a very serious issue. Instead, the “zero-days” are “Vulnerabilities reported to us which we are still processing and will Continue reading Patchstack’s Unlisted Zero-Days Are Actually Vulnerabilities Already Covered by Competitors

Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Posted on by

Recently, we noted that the WordPress security provider Patchstack was marketing their service with a misleading claim to be providing “early alerts and protection”, where in one instance, they were only aware of a vulnerability two weeks after it was Continue reading Patchstack Doesn’t Know About Hundreds of Undisclosed Zero-Days

Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

Posted on by

Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities involved them being weeks behind offering protection that keeping plugins updated would have provided and failing to offer that for a vulnerability Continue reading Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker

Posted on by

WordPress security providers often make extraordinary claims about their services, which not only couldn’t be true, but even to the extent they could deliver something reasonably close to it, they fail to do that. The service Patchstack makes this claim Continue reading Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Posted on by

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a Continue reading WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved