24 Apr 2023

iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Recently, iThemes (which is being rebranded as SolidWP) and their partner, Patchstack, have been incorrectly labeling a 100,000+ install WordPress plugin, Download Manager, as containing an unfixed vulnerability. The problem stems in part from confusion over a claim that the vulnerability was in Download Manager Pro, and in part from Patchstack’s data not properly listing which versions of the plugin are vulnerable (this isn’t the first time recently there has been this combination of problems). Incredibly, once this was brought to iThemes’ attention by one of their customers, their response was not to fix it, but to tell the customer that the plugin developer had to get in touch with Patchstack to address it:

Since the one you’re using is the free version (3.2.70), but it is still being flagged as vulnerable by the Site Scanner, I recommend reaching out to the plugin developers for the possibility of updating the reflected information on Patchstack.

So iThemes’ data is incorrect because Patchstack’s data is incorrect, yet iThemes’ customer and the plugin developer are expected to address it, even though the developer has no connection with Patchstack, while iThemes does, and it is iThemes, not the developer, that is providing the incorrect information.
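To make the failure mode concrete, here is an added Python example (not code from iThemes, Patchstack or the plugin; the feed records, slugs and the 3.2.50 bound are constructed for illustration) showing why a scanner must match an advisory on both the plugin’s identifier and a version bound: a record with no fixed-in version, or one that belongs to the Pro product but is applied to the free plugin, flags 3.2.70 even though that version is not affected.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    """One vulnerability record as a scanner would consume it from a feed."""
    slug: str                       # plugin the advisory is about
    title: str
    fixed_in: Optional[str] = None  # first non-vulnerable version; None = no bound published

def parse_version(v: str) -> tuple:
    """'3.2.70' -> (3, 2, 70); compare as integers, never as strings ('3.2.70' < '3.2.8' lexically)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(installed: str, adv: Advisory) -> bool:
    """Without a fixed-in bound the record matches every version, which is the false-positive source."""
    if adv.fixed_in is None:
        return True
    return parse_version(installed) < parse_version(adv.fixed_in)

def scan(slug: str, installed: str, feed) -> list:
    """Return titles of advisories that apply to this exact plugin at this exact version."""
    return [a.title for a in feed if a.slug == slug and is_affected(installed, a)]

# Constructed feed records (not Patchstack's real data); slugs and the 3.2.50 bound are assumptions.
SLOPPY_FEED = [
    Advisory("download-manager", "Unversioned advisory", fixed_in=None),
]
CORRECTED_FEED = [
    # The claim the post describes concerned the Pro product, so it is keyed to that slug.
    Advisory("download-manager-pro", "Pro-only advisory", fixed_in=None),
    # An older, already-fixed issue in the free plugin, with a constructed fixed-in bound.
    Advisory("download-manager", "Old free-plugin advisory", fixed_in="3.2.50"),
]

def demo() -> dict:
    """Free plugin at 3.2.70 (the version from the post) against both feeds."""
    return {
        "sloppy": scan("download-manager", "3.2.70", SLOPPY_FEED),       # false positive
        "corrected": scan("download-manager", "3.2.70", CORRECTED_FEED), # clean
        "older_free": scan("download-manager", "3.2.49", CORRECTED_FEED),  # genuinely affected
    }

if __name__ == "__main__":
    print(demo())
```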

That handling runs against how iThemes’ Dan Knauss pitched Patchstack when announcing their partnership:

Patchstack is a leader in the WordPress security space with an innovative platform and team dedicated to openness and collaboration. Patchstack’s progressive initiatives include support for many security researchers whose work makes WordPress and open-source software safer. Patchstack’s commitment to WordPress is reflected in its impact on the well-being of both the software platform and its community.

Patchstack hardly seems committed to the well-being of the WordPress community when they are causing someone to get multiple incorrect warnings a day:

In my case the warning comes from iThemes Security scan, it’s annoying since it sends me an email about this twice a day.

That isn’t the only claim about their partnership that this situation shows to be untrue. They also touted that it leads to early warnings:

Patchstack Security Advocate Robert Rowley says the Threat Feed is a way for site owners to “get ahead of hackers.” Patchstack’s service will provide iThemes Security with a 48-hour advance warning and information about new WordPress core, theme, and plugin vulnerabilities.

Rowley described Patchstack as a company that’s about “empowering site owners” to address vulnerabilities “based on security intelligence.” Sending warnings as soon as possible “when sites are running insecure components” is how he sees Patchstack helping iThemes users. Web developers and agencies that need to “easily secure WordPress sites from plugin vulnerabilities” can best make use of timely security alerts, according to Rowley.

In reality, Patchstack warned about the claimed vulnerability three days after WPScan disclosed it. WPScan warned about it on April 10:

Patchstack, meanwhile, warned about it on April 13:

Notably, iThemes used to be partnered with WPScan, so the new partnership led to a later warning than there would have been before.

Incredibly, Patchstack claimed to have provided an early warning for this:

Patchstack has long been known for being dishonest, as can be seen with things like this, and iThemes partnered with them anyway.

ManageWP Too

Patchstack’s inaccurate data is also being used by ManageWP:

But those of us in the free version receive this warning. I for example receive it as a vulnerability in ManageWP and my customers see a vulnerability warning that I am unable to fix, because there is no update to fix it.

Based on what we quoted iThemes saying about Patchstack versus reality, it shouldn’t be all that surprising that ManageWP is also promoting Patchstack in a highly misleading way:

We’ve partnered with the fantastic team behind the Patchstack Vulnerability Database to bring you real time information about what plugins are vulnerable so you can act accordingly.
