Plugin Vulnerabilities
pluginvulns.bsky.social
Provider of service to protect websites from being exploited due to vulnerable WordPress plugins. https://www.pluginvulnerabilities.com/
The WordPress Meta team holding up the community once again.
May 30, 2025 at 8:28 PM
Someone is trying to exploit a claimed vulnerability in the WordPress plugin WHMpress. We are not using the plugin, but it didn't stop them from trying multiple times despite being blocked each time by our Plugin Vulnerabilities Firewall.
May 12, 2025 at 5:12 PM
The story actually quotes the explanation of what was going on, but the author appears to not understand the significance of it and simply refers to it as a "note."
May 9, 2025 at 8:28 PM
On the form on their website, they told us that the latest version was not the latest version.
May 5, 2025 at 8:49 PM
No surprise that Elementor's security partner is Patchstack.

(It should be telling that the quote comes from Elementor's Head of WordPress Relations instead of their head of security)
April 16, 2025 at 8:18 PM
Since 2017 WordPress plugins in the WordPress Plugin Directory "must use WordPress’ default libraries."

And yet the 10+ million install @elemntor.bsky.social somehow still includes their own copy of at least one of those.

And it is outdated! developer.wordpress.org/plugins/word...
April 16, 2025 at 8:18 PM
Why does the WordPress function edit_user() sanitize the user's email address using sanitize_text_field() instead of sanitize_email()? github.com/WordPress/Wo...
April 15, 2025 at 7:55 PM
Another testimonial above that, from @joost.blog, claims Patchstack is the "most exciting company" in the WordPress security space. Maybe alerting your partners that their plugins contain publicly known insecure libraries is boring?
April 7, 2025 at 7:37 PM
Right above the SBOM claim is a testimonial from Elementor's @miriamschwab.bsky.social claiming that Patchstack is a true partner for enhancing security. What kind of security partner doesn't warn their partner that their plugin has been known to be insecure for years?
April 7, 2025 at 7:37 PM
Patchstack claims to be able to produce software bill of materials (SBOMs). If they can do that, why not use those to warn the developers of plugins that are part of their VDP that their plugins are known to be insecure?
April 7, 2025 at 7:37 PM
Here is a great example of what is wrong with WordPress in the comments on this post. Someone suggests better promoting canonical plugins and Matt Mullenweg lackey Samuel Wood (Otto) tells them to pipe down.
April 4, 2025 at 9:08 PM
WordPress is going to have fewer releases because there is little interest outside of Automattic in working on Gutenberg.

Perhaps Matt Mullenweg could hand the community WordPress, and he could continue on with Gutenberg.
April 4, 2025 at 7:10 PM
Here is some of what was also apparently going on at Path Network at the time.

When are people going to realize the security industry is largely filled with scammers?
March 26, 2025 at 6:49 PM
The story really should have noted that Patchstack sponsors The Repository (as can be seen from this screenshot), as the lack of disclosure makes it appear even more like this is an ad for Patchstack instead of an unbiased news story.
March 20, 2025 at 6:22 PM
While there are breathless claims made by security provider Recorded Future in this story, the bottom line is the hackers are apparently exploiting vulnerabilities fixed in 2023!
February 14, 2025 at 8:23 PM
Imagine thinking that CVE is a model for helping to secure anything. Especially, when you are acknowledging it has been around since 1999 (and security is in such bad shape still). harris.uchicago.edu/sites/defaul...
February 11, 2025 at 7:50 PM
Their website still has a 2023 copyright date.

The homepage has three "awards" listed. They are for HackerOne programs for the US defense department. What would the relevancy be to the service they offer? The linked pages don't mention the company either.
February 10, 2025 at 7:40 PM
This seems like a pretty clear infringement of Nintendo's IP on the homepage of Patchstack.
February 3, 2025 at 7:39 PM
Add another to the confusing set of names used to refer to parts of WordPress: the "WordPress Project".

Confusingly, Mary Hubbard referred to herself as "Director of the WordPress Project," but Matt Mullenweg referred to her as the "Executive Director of WordPress.org" the month before.
January 31, 2025 at 5:38 PM
The report doesn't exactly dispute the notion that security companies are possibly conflating unrelated persons and entities into larger threat groups that don't really exist or don't exist to the extent they claim.

Someone in Iran looking for the information below isn't necessarily a bad actor.
January 31, 2025 at 5:05 PM
Did Google's PR team vet this? This reference to poor quality results from Gemini would suggest not.
January 31, 2025 at 5:05 PM
Part of the Plugin Security Scorecard results for a plugin from the Security Reviewer on the team running the WordPress Plugin Directory. Maybe someone else should be handling that.

Also, yet another example of Awesome Motive's complete lack of concern for security.
January 30, 2025 at 11:01 PM
That post doesn't make sense. This quote stands out. CVE allows just about anyone to be a CNA, allowing them to directly submit info to the database, and they don't care if the information they submit is outright false. If you complain about that to CVE, they claim they can't do anything about it.
January 29, 2025 at 7:04 PM
Patchstack featuring a testimonial from Elementor about enhancing security posture is so telling. 1/3
January 27, 2025 at 7:06 PM
Patchstack is promoting plugin developers having vulnerability reports directed away from themselves to Patchstack as a way to make it more secure. It won’t.

Even worse. If you read the fine print, they admit they don’t even do basic due diligence with the reports they intercept.
January 27, 2025 at 5:32 PM