In September, Patchstack released its six-month report on the vulnerabilities found in WordPress and its extensions. At the time, it listed over 1,000 issues — the company has since shared updated numbers with WP Tavern. It soon followed that up with a free vulnerability-reporting plugin.
Under the banner of WebARX, the company launched the first version of its security platform in 2018. After growing beyond its original SaaS offering with services like its PlugBounty and acquisition of ThreatPress, the company rebranded to Patchstack in March this year.
In its 2020 whitepaper, the security company found 582 vulnerabilities for the year. This report covers issues from both Patchstack and third-party vendors.
However, the number of issues found in 2021 has multiplied compared with the previous year. Patchstack Red Team, a community bug-hunting program that pays out monthly bounties, has reported 1,182 vulnerabilities from March through October. Bounty payouts have reached $9,150 thus far.
These are merely the problems found through Patchstack Red Team. When combined with security issues reported through other vendors that the company tracks, the vulnerability count jumps to over 2,000.
“I don’t think we need to be worried,” said Oliver Sild, Patchstack founder and CEO, when asked how much of a problem these numbers are. “I think we should be grateful and glad that we have ethical hackers and researchers who have been investing more of their time helping plugin developers to improve their code. From one angle, you could see a record year in terms of new vulnerabilities found, but what we see is a record year of security issues fixed in the WordPress ecosystem. The majority of these issues have been sitting there for years.”
Several security plugin vendors and hosting companies, including Pagely and Cloudways, are supporting the Patchstack initiative. In return, they have access to the Threat Intelligence Feed, an API to warn their customers of newfound vulnerabilities.
“Patchstack is ultra-focused on plugin vulnerabilities,” said Sild. “That’s what we focus on and thrive to do best. Our competitive advantage is the fact that we have less features, which means less bloat and no impact on the site’s performance. Meanwhile, we solve probably the #1 security issue in the WordPress ecosystem.”
He is referring to third-party plugins and themes as being the primary security issue. Over 96% of the vulnerabilities in the company’s 2020 whitepaper were from WordPress extensions.
In October, Patchstack brought in Robert Rowley, a former head of security at DreamHost and Pagely, in a new “security advocate” role. Sild said that his knowledge would bring a lot of experience to the table.
“He will help us make Patchstack better for both hosting companies and plugin developers,” the CEO said. “At the same time, he’ll be helping us to narrow the gap between plugin devs and ethical hackers by spreading awareness and helping both sides understand each other (and their challenges) better.”
In the past week, the company released its Patchstack plugin to the WordPress directory. The free version is essentially an early-warning system that alerts site owners to security issues.
“You can think about the Community (Free) version as an option for anyone in the WordPress ecosystem to be alerted about new vulnerabilities found in plugins, themes, and WordPress core,” said Sild. “It comes with a central dashboard where you can add up to 99 websites for free, so you’ll have all the analytics and alerts about security issues on all your sites in a single place.”
The free version does not include hotfixes or patches. Its goal is to detect issues and provide alerts. Patchstack has upgraded features in its Pro and Business plans.
“Pro comes with automatic virtual patching for those vulnerabilities which provide active protection against the vulnerabilities that are being discovered,” said Sild. “Business plan is great for agencies who have more than 100 sites and want to have full protection against plugin vulnerabilities on all of their websites.”
Sild also teased “something very cool” for developers and ethical hackers in the pipeline to create a more secure plugin ecosystem. However, he refrained from providing any details.
Congrats to Oliver and the whole team 🙂
“Patchstack Red Team, a community bug-hunting program that pays out monthly bounties, has reported 1,182 vulnerabilities from March through October. Bounty payouts have reached $9,150 thus far.”
The average vulnerability report pays out $7.74 ??
In reality, the payouts are not done per vulnerability. That’s because the plugin developers themselves don’t pay for bounties (as many are completely open-source without cashflow). Instead, we have a monthly prize-pool which we pay out every single month (you can take it as a fund, which we put together with our partners) to those devs/ethical hackers who give back to the ecosystem and help identify security vulnerabilities in plugins and themes.
That’s great! I have been using their WAF for many years and I am very satisfied. They are by far the most active red team I have seen in the WordPress ecosystem.
“has reported 1,182 vulnerabilities from March through October”
Reported, but how many actually valid? Big difference. Reported are useless unless they’re valid.
“Reported” in this sense means those that Patchstack checks, validates, and reports to the public, not reported in the sense that someone submitted it as a potential issue. I’m guessing there are far more of those. All 1,182 should be valid.
Have you verified that yourself? The numbers don’t add up.
In what way do the numbers not add up? Patchstack has a public database of known vulnerabilities. If the numbers do not add up or any of the issues are false, please post your findings.
Hey, all 1182 reports are valid. We validate them before we send reports out to the plugin developers. In some cases, it can take months to get vendors to release the fixed version. In rare cases, we’ve also merged some of the reports into single entries. So yes, you can’t see all the reports on the database yet but they will be appearing there once the triage is complete.