pluginvulns.bsky.social
Provider of service to protect websites from being exploited due to vulnerable WordPress plugins. https://www.pluginvulnerabilities.com/
903 posts 60 followers 25 following
Regular Contributor
Active Commenter
comment in response to post
Or how about this, where can people see an analysis from 10up showing the vetting you have done to ensure the accuracy of those sources?
comment in response to post
We provided two of many examples of their information not being accurate. Our information is accurate and we are a reliable source, but presumably 10up has someone on the staff that understands the basics of plugin security, including capability and nonce checks, who can vet our information.
comment in response to post
For the latter, here is a recent example with a plugin that a hacker appeared to be targeting. Where they all told people that a vulnerability had been fixed in a plugin, when it hadn't. And it was more serious than described.
comment in response to post
Sure. What are you looking for clarification on? That the tool is not warning that vulnerability claims from those providers are known to be highly inaccurate? Or that vulnerability claims from them are known to be highly inaccurate?
comment in response to post
Is this stuff coming from Matt Mullenweg or are other control freaks getting free rein to do what they want with WordPress now?
comment in response to post
There is no mention of any public discussion about this policy and they cite another recent policy, which also appeared to have no public discussion. That other policy being the display of the plugin author.
comment in response to post
Here is their page about the anonymous moderation.
comment in response to post
If the story is accurate, what is described would have been stopped by the people running the systems being hacked applying security updates released in October 2023. Where is the high-profile attention for that or the security industry's disinterest in addressing that problem?
comment in response to post
Notably, the story doesn't focus on the usage of outdated software or the security industry's lack of focus on addressing threats instead of making money off of them continuing to be unaddressed.
comment in response to post
Recorded Future's business is based around selling threat intelligence, which isn't what is needed here. What is needed is to make sure software is being released in secured form and, until that happens, that security updates get applied.
comment in response to post
That would be the 10up that has the WP-CLI Vulnerability Scanner, which doesn't warn people that the sources for that, WPScan, Patchstack and Wordfence Intelligence, are not reliable to the level that there is widespread exploitation of unfixed vulnerabilities they claimed were fixed.
comment in response to post
That claim was included in the bio of one of three team reps. The other two bios did not make that sort of inaccurate claim about a company. One just says a company is "well-known." @10up.bsky.social's @joemcgill.bsky.social is credited with writing that post.
comment in response to post
Developers at least portray it as if Patchstack is making sure their plugins are secure, even when they are clearly not.
comment in response to post
And they don't provide the information needed for others to do that vetting, making it harder for others to catch that vulnerabilities haven't been fixed properly (or sometimes at all).
comment in response to post
Patchstack openly admit that they don't do basic due diligence with vulnerability reports. So often, at best, vulnerabilities are only partially fixed. They are also trying to get reports redirected away from developers to themselves. So you have an unreliable middle-man in the process as well.
comment in response to post
The developer's only listed contact method is WhatsApp. Is that something that should be the case when they are offering services with prices up to £99.99 a month?
comment in response to post
Do you think AI suggested they use a known vulnerable version of the library?
comment in response to post
No surprise the company employed hackers. DDoS mitigation generally screams "we are not a legitimate security provider."
comment in response to post
Their website still has a 2023 copyright date. The homepage has three "awards" listed. They are for HackerOne programs for the US defense department. What would the relevancy be to the service they offer? The linked pages don't mention the company either.
comment in response to post
By security company, it turns out it is a DDoS mitigation company. So that answers the question.
comment in response to post
Why is CVE allowing an entry like the one for that vulnerability? You can't possibly vet the claim based on the information provided. Which is important since it is wrong and the underlying issue hasn't been fully addressed. What is supposed to be the benefit of that?
comment in response to post
More relevant from a security perspective, Patchstack isn't doing "everything in our power to make sure none of those bad guys will tear down your site." We wrote about one example we happened across where they failed to properly vet a vuln or even provide the info for someone else to do that.
comment in response to post
Was it so busy you couldn't be bothered to fix the widespread vulnerability in NitroPack, which you have known about at least since October?