29 Nov 2021

WP Tavern’s Justin Tadlock Won’t Address Lack of Due Diligence With False Claims from Patchstack

Earlier this year we ran across claims from the web security company Patchstack that a bug bounty program they were running, which they were misleadingly marketing as a “red team”, was finding an extraordinary number of vulnerabilities in WordPress plugins.

In May, for example, they claimed that 292 vulnerabilities had been found and that one of the submitters had found 149 vulnerabilities and another 101 vulnerabilities. Both the total and the individual numbers sounded hard to believe based on our experience, both in collecting data on vulnerabilities in WordPress plugins and in discovering vulnerabilities. [Read more]

25 Jun 2021

Patchstack Claims Medium Severity Vulnerability Existed When Discoverer States Issue Isn’t Real Threat

Yesterday we touched on one recent false report of a vulnerability in the WordPress plugin WP Super Cache, but there were additional claimed vulnerabilities connected to that. With one of those, one of our competitors, Patchstack, claimed not only that there was a vulnerability, but that it had a medium severity:

[Read more]

24 Jun 2021

The WP Super Cache Vulnerability That Wasn’t a Vulnerability

In March, Search Engine Journal wrote a story about a “vulnerability” in the very popular WordPress plugin WP Super Cache, which has 2+ million installs. The issue was described this way:

A flaw was disclosed today that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability. [Read more]

23 Jun 2021

Patchstack and Their Red Team Don’t Understand Basics of WordPress Security

One long-time issue when it comes to collecting data on vulnerabilities in WordPress plugins is that many reported vulnerabilities are not really vulnerabilities. What has recently become an increasing problem, though, is that these false reports are coming directly from other data providers. One of those providers is Patchstack, which has something called the Patchstack Red Team. That is apparently a bug bounty program, not really a red team (or a team at all), but whatever it is, Patchstack posted a listing to their vulnerability database the other day for the plugin WP Reset that is credited to “m0ze (Patchstack Red Team)”. The details of that listing didn’t look promising as to it being a real vulnerability, and a quick check of the code confirmed that it wasn’t.

Authenticated Stored Cross-Site Scripting (XSS) in WP Reset

The only details provided about the claimed authenticated stored cross-site scripting (XSS) vulnerability are these two proofs of concept: [Read more]