12 Sep 2024

Patchstack’s CEO Indirectly Admits Their Vulnerability Disclosure Program (VDP) Program is Unethical

Earlier this year, when we were trying to figure out how to contact the developer of the Kadence Blocks plugin, which is part of StellarWP, to alert them that they had failed to fix a vulnerability in the plugin, we found their website had a page titled “Responsible Security Disclosure Policy for KadenceWP.” The first paragraph of the page starts out by saying, “it is a standard practice in security research to responsibly and privately disclose discovered vulnerabilities to the software vendor prior to public release. This is even more critical when we work together to protect users in an open source space such as the WordPress community.” That sounds reasonable enough. (Responsible disclosure isn’t necessarily all that responsible, but that is an issue for another day.)

From there, they offer to help get the contact information for developers whose solutions extend theirs: [Read more]

5 Dec 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Is Still Adding Vulnerable Code

In September, we wrote about how the WordPress plugin POST SMTP, which has 300,000+ installs, still contained SQL injection issues months after a public claim of a vulnerability involving them (and still does today). We also noted that the plugin was part of our competitor Patchstack’s Vulnerability Disclosure Program (VDP). The program doesn’t really make sense, as we noted at the time, because you are contacting a third-party security provider instead of the developer of the software, who is the one who can actually address vulnerabilities. It also wasn’t possible through that program to report security issues that are not vulnerabilities, despite the need for the developer to address them. If a plugin developer is part of that program, it would suggest they lack an interest in properly securing their plugins, which the security of this plugin continues to point to.

While reviewing yet another attempt at a security fix in the plugin, made on November 1, we noticed that new vulnerable code was being added to the plugin. That involves a failure to implement basic security, and the plugin appears to contain multiple other vulnerabilities because of other instances of that same failure. [Read more]

8 Sep 2023

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Still Contains Publicly Disclosed SQL Injection Issue

Often, when we review claims about vulnerabilities in WordPress plugins, we find that the issues have only been partially addressed. That is the case with a vulnerability in the plugin POST SMTP, which has 300,000+ installs. The plugin vulnerability data provider WPScan released a rather vague report about a vulnerability in it in June. The report lacks a lot of information, like what the vulnerable code is or how it was fixed. It does contain this note:

Note: The AJAX actions are also affected by SQL injections, making the issue easier to exploit by being able to choose which email to resend, for example the latest email related to a password reset [Read more]
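The pattern the WPScan note describes, a query that is reachable from more than one entry point so that fixing one caller leaves the AJAX action injectable, is common in WordPress plugins. The following is an added illustration written for this page, not code from POST SMTP, WPScan or any real plugin; the function names, the `example_email_log` table and the `example_resend_email` AJAX action are all invented. It contrasts a partial fix (casting the input in one caller) with the complete fix (parameterizing the query itself with `$wpdb->prepare()`, so every caller is covered, and gating the AJAX handler with a nonce and capability check).

```php
<?php
// Added illustration, not code from any real plugin. All names are hypothetical.

// "Before": the caller-supplied email ID is interpolated straight into SQL.
// Any caller that passes raw request data makes this injectable.
function example_vulnerable_get_email( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_email_log';
    // $id such as "1 OR 1=1" or a UNION payload rewrites the query.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$id}" );
}

// Partial fix: the admin page casts its input, so this path is now safe...
function example_admin_page_handler() {
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    return example_vulnerable_get_email( $id );
}

// ...but the AJAX action still hands the raw value to the same query,
// so the injection remains reachable by anyone who can trigger the action.
add_action( 'wp_ajax_example_resend_email', 'example_ajax_resend_handler_partial' );
function example_ajax_resend_handler_partial() {
    $id = isset( $_POST['id'] ) ? $_POST['id'] : '';
    $email = example_vulnerable_get_email( $id );
    wp_send_json( $email );
}

// Complete fix, part 1: parameterize at the query, not at individual callers.
// %d forces an integer placeholder, so no caller can reintroduce the injection.
function example_get_email( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_email_log';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );
}

// Complete fix, part 2: the AJAX handler checks a nonce and a capability
// before touching the log, so resending an arbitrary email (for example a
// password reset) is not available to unprivileged or forged requests.
function example_ajax_resend_handler_fixed() {
    check_ajax_referer( 'example_resend_email', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    $email = example_get_email( $id );
    if ( ! $email ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $email );
}
```

When reviewing a claimed fix, the check to make is not whether the one reported entry point now sanitizes its input, but whether every path that reaches the query (admin pages, REST routes and `wp_ajax_*` / `wp_ajax_nopriv_*` actions) does; moving the protection into the query with `$wpdb->prepare()` is what makes that question moot.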