In September, Patchstack released its six-month report on the vulnerabilities found in WordPress and its extensions. At the time, it listed over 1,000 issues — the company has shared the updated numbers with WP Tavern. It soon followed that up with a free vulnerability-reporting plugin.
Under the banner of WebARX, the company launched the first version of its security platform in 2018. After growing beyond its original SaaS offering with services like its PlugBounty and acquisition of ThreatPress, the company rebranded to Patchstack in March this year.
In its 2020 whitepaper, the security company found 582 vulnerabilities for the year. This report covers issues from both Patchstack and third-party vendors.
However, issues found in 2021 have multiplied from the previous year. Patchstack Red Team, a community bug-hunting program that pays out monthly bounties, has reported 1,182 vulnerabilities from March through October. Bounty payouts have reached $9,150 thus far.
These are merely the problems found through Patchstack Red Team. When combined with security issues reported through other vendors that the company tracks, the vulnerability count jumps to over 2,000.
“I don’t think we need to be worried,” said Oliver Sild, Patchstack founder and CEO, when asked how much of a problem these numbers are. “I think we should be grateful and glad that we have ethical hackers and researchers who have been investing more of their time helping plugin developers to improve their code. From one angle, you could see a record year in terms of new vulnerabilities found, but what we see is a record year of security issues fixed in the WordPress ecosystem. The majority of these issues have been sitting there for years.”
Several security plugin vendors and hosting companies, including Pagely and Cloudways, are supporting the Patchstack initiative. In return, they have access to the Threat Intelligence Feed, an API to warn their customers of newfound vulnerabilities.
“Patchstack is ultra-focused on plugin vulnerabilities,” said Sild. “That’s what we focus on and thrive to do best. Our competitive advantage is the fact that we have less features, which means less bloat and no impact on the site’s performance. Meanwhile, we solve probably the #1 security issue in the WordPress ecosystem.”
He is referring to third-party plugins and themes as being the primary security issue. Over 96% of the vulnerabilities in the company’s 2020 whitepaper were from WordPress extensions.
In October, Patchstack brought in Robert Rowley, a former head of security at DreamHost and Pagely, in a new “security advocate” role. Sild said that Rowley would bring a lot of experience to the table.
“He will help us make Patchstack better for both hosting companies and plugin developers,” the CEO said. “At the same time, he’ll be helping us to narrow the gap between plugin devs and ethical hackers by spreading awareness and helping both sides understand each other (and challenges) better.”
In the past week, the company released its Patchstack plugin to the WordPress directory. The free version is essentially a warning system that alerts site owners to security issues.
“You can think about the Community (Free) version as an option for anyone in the WordPress ecosystem to be alerted about new vulnerabilities found in plugins, themes, and WordPress core,” said Sild. “It comes with a central dashboard where you can add up to 99 websites for free, so you’ll have all the analytics and alerts about security issues on all your sites in a single place.”
The free version does not include hotfixes or patches. Its goal is to detect issues and provide alerts. Patchstack has upgraded features in its Pro and Business plans.
“Pro comes with automatic virtual patching for those vulnerabilities which provide active protection against the vulnerabilities that are being discovered,” said Sild. “Business plan is great for agencies who have more than 100 sites and want to have full protection against plugin vulnerabilities on all of their websites.”
Sild also teased “something very cool” for developers and ethical hackers in the pipeline to create a more secure plugin ecosystem. However, he refrained from providing any details.