
Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor

There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress. This week Patchstack started promoting that it is providing

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone that describes themselves as a “search marketer” writing for a news outlet unrelated to

If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist

Recently WordPress changed their policy on discussing vulnerabilities in plugins on their forum, which is leading to public discussions of the kind that we are frequently party to in private. Among the issues that we have run across are plugin

Wordfence Isn’t Disclosing They Are Copying (Possibly Inaccurate) Plugin Vulnerability Information From Competitor Patchstack

Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced into a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced into it by an employee of the company closely associated with

Shield Security’s ShieldPRO Also Falsely Claimed that WordPress Plugin Contains Vulnerability

So far this week we have covered both iThemes Security Pro and Wordfence Security falsely claiming that WordPress plugins contained vulnerabilities, which we became aware of through our monitoring of the WordPress Support Forum for discussions of new vulnerabilities in

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A reoccurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters and then the sources of that inaccurate information are not the ones having to deal with the fallout of

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on. As an example of what

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What seems like it could have started the closure was a claim made

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress

WordPress Plugin Developer Security Advisory: anadnet

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when

A Month Later, WordPress Still Hasn’t Taken Action for Websites With Backdoored Plugin They Distributed

On February 28, we publicly warned that the WordPress plugin Mistape had what appeared to be a backdoor added in its latest release. Part of the code would contact the developer’s website and let them know if the plugin was

WPScan Issues Two CVE IDs for Same Vulnerability While Failing to Warn for 7 Months That It Was Unfixed

On August 9, 2021, a security update was released for the WordPress plugin Favicon by RealFaviconGenerator, which has 200,000+ installs. The changelog for that was: Fix XSS security issue, reported by WPSpan.com. See https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9?fbclid=IwAR2aRMXRjbGm9ppoI9tM-OHm26Q0ax4yt0MkcP5sp0-pz9D4eVIEHQwvG1Y

Patchstack, cPanel, and Plesk Falsely Claimed Fixed Vulnerability in WordPress Plugin Hadn’t Been Fixed

Among the many problems caused by the WordPress security industry is plugin developers having to deal with false claims that plugins are vulnerable. An example of that involved not just a WordPress security player, but two major names in the

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider,