WordPress is peddling falsehoods coming from Patchstack. This post says: "Patchstack, a cyber security company helping companies and software developers to identify & patch vulnerabilities in open-source code." Patchstack actually makes it harder to get vulnerabilities fixed in WP plugins! - ThreadSky

About ThreadSky

pluginvulns.bsky.social • 26 days ago

WordPress is peddling falsehoods coming from Patchstack. This post says:

"Patchstack, a cyber security company helping companies and software developers to identify & patch vulnerabilities in open-source code."

Patchstack actually makes it harder to get vulnerabilities fixed in WP plugins!

Reposted from Latest WordPress News

Introducing Core Team Reps for 2025

Comments

pluginvulns.bsky.social•26 days ago

Patchstack openly admit that they don't do basic due diligence with vulnerability reports. So often, at best, vulnerabilities are only partially fixed.

They are also trying to get reports redirected away from developers to themselves. So you have an unreliable middle-man in the process as well.

pluginvulns.bsky.social•26 days ago

And they don't provide the information needed for others to do that vetting, making it harder for other to catch that vulnerabilities haven't been fixed properly (or sometimes at all).

pluginvulns.bsky.social•26 days ago

Developers at least portray it as if Patchstack is making sure their plugins are secure, even when they are clearly not.

pluginvulns.bsky.social•26 days ago

That claim was included in the bio of one of three team reps. The other two bios did not make that sort of inaccurate claim about a company. One just says a company is "well-known."

@10up.bsky.social's @joemcgill.bsky.social is credited with writing that post.

pluginvulns.bsky.social•26 days ago

That would be the 10up that has the WP-CLI Vulnerability Scanner, which doesn't warn people that the sources for that, WPScan, Patchstack and Wordfence Intelligence, are not reliable to level that there is widespread exploitation of unfixed vulnerabilities they claimed were fixed.

jeffpaul.com•11 days ago

👋 curious if you can help clarify the concerns with the Vuln Scanner tool and how it surfaces vulnerabilities as reported by those three providers?

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply