Darius Sveikauskas (Patchstack)
Forum Replies Created
@wpsmort still vulnerable. As you can see, the latest version is marked as vulnerable, and I got confirmation a minute ago.
It is marked as fixed in version 2.6.7
Forum: Plugins
In reply to: [Pinpoint Booking System - Version 2] Security Issue
@mariuscristian here’s a copy of the reply to the email I’ve sent to the vendor:
Support Pinpoint.world support{}pinpoint{}world
Aug 4, 2024, 8:59 PM
to me
Hi Darius,
Thanks for letting us know.
Best regards,
Ovidiu
PINPOINT.WORLD Support Team
And we had a long conversation about this and another vulnerability. So I’m not sure how you can be unaware.
Forum: Plugins
In reply to: [WP-Members Membership Plugin] Reported Vulnerability
We were not seeking support – we reported a vulnerability. We always disclose such findings directly to the author, not to any third party offering support or related services. It is up to the author to share this information with others if needed. We avoid involving third parties to minimize the risk of spreading sensitive information to unauthorized persons.
Forum: Plugins
In reply to: [WP-Members Membership Plugin] Reported Vulnerability
@bvm, the information is correct. It is low severity, and the attacker needs to have contributor+ authentication.
The vendor has been ignoring the report since 2025-05-26 (15:01:46 EEST), when it was successfully submitted via the contact form on the vendor’s website.
Forum: Plugins
In reply to: [TI WooCommerce Wishlist] Security vulnerability
I always believed moderation was about overseeing and guiding behavior, content, or activities to ensure they align with certain standards or rules – but it seems I was wrong, my bad 🙂
I didn’t expect to be criticized by a moderator on a support forum simply for explaining the situation and sharing the first source that offers more in-depth information about a vulnerability.
Anyway, if a moderator tells me to stop, I won’t argue. I won’t post anything further on the support. If at some point you decide it would be appropriate for me to contribute again, I’ll wait for an email from the mailbox you mentioned 🙂
Have a nice day 😉
Forum: Plugins
In reply to: [TI WooCommerce Wishlist] Security vulnerability
@jdembowski I really don’t have time for discussions like this. I mean, I could spend this time in a much more productive way – bringing greater value to the community. Just for your information: Patchstack has identified over 11,000 vulnerabilities in the WordPress ecosystem, and it cost those affected vendors nothing – $0. However, we spend $250,000+ just on bounties to reach that result and motivate independent researchers. So next time, before questioning our business model, please check the facts and consider the value we’ve delivered to the community.
The only thing we’ve asked from vendors is to respond and patch the vulnerabilities. If you think that’s too much to ask, I’m sorry, but I can’t help you with that.
P.S. fun question – have you ever asked the plugins team how much data we’ve provided over the last four years? Just curious 🙂
Forum: Plugins
In reply to: [TI WooCommerce Wishlist] Security vulnerability
@jdembowski, at this time, we have discontinued sharing vulnerability details with the plugins and themes teams. This decision was made due to previous instances where the plugins team made overly intrusive requests for sensitive information without clearly disclosing who was requesting the data or for what purpose, despite claiming to act on behalf of the plugins team. There is zero transparency about both of those teams and how the data is used, stored, and who has access to it.
It’s essential to clarify that vendors are ultimately responsible for their plugins and themes, and the plugin/theme teams should be considered external parties, not legal stakeholders. Additionally, there is no non-disclosure agreement (NDA) or formal confidentiality agreement between us and these teams.
From a compliance and legal standpoint, particularly under the EU Cyber Resilience Act (CRA), we must consider the risk of significant penalties. Are those teams prepared to accept legal liability for the products in question, including any potential fines for non-compliance with relevant regulations?
We recently began asking the plugins team to reach out to vendors, requesting that they add or update their security contact information in plugin metadata to enable responsible vulnerability disclosure. Instead of facilitating this, we are receiving responses requesting complete vulnerability reports, which is not the intended purpose of our request.
We cannot responsibly share sensitive vulnerability information under these conditions.
Forum: Plugins
In reply to: [TI WooCommerce Wishlist] Security vulnerability
@templateinvaders let’s see how the timeline looks:
- First report – 2025 March 26 (no answer)
- First warning – 2025 May 1 (no answer)
- Second warning – 2025 May 15 (no answer)
- Public disclosure – 2025 May 16 (silence)
- CVE published – 2025 May 19 (silence)
- Support message – 2025 May 26 (silence)
- First reaction – 2025 May 27 (62 days later…)
It took you 62 days to respond in any meaningful way to the vulnerability. The real concern isn’t just the issue itself, but the fact that it took so long to react – that’s what’s truly alarming. Referencing “honest communication” feels odd when there has been virtually no communication at all. This is exactly why triage processes exist and why full vendor engagement from the first day is critical. And yet, for some reason, you chose to wait 62 days.
Forum: Plugins
In reply to: [TI WooCommerce Wishlist] Security vulnerability
Originally it was discovered by Patchstack, and here’s more information – https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/. The biggest problem is that the vendor was not responding to multiple messages and warnings. I hope they will respond now.
Forum: Plugins
In reply to: [Simple Sitemap - Create a Responsive HTML Sitemap] v3.6 has a vulnerability
Hi @dgwyer,
Just to clarify:
- The link shared by @dooza isn’t a report – it’s simply a database entry referencing the disclosed vulnerability.
- We’ve attempted to send you the full report five times since October 2, 2024. That’s over six months with multiple contact attempts:
  - 2024-10-02 – via your website contact form
  - 2025-04-28 – via your website contact form (again)
  - 2025-04-30 – via email
  - 2025-04-30 – via official WP.org Slack
  - 2025-05-01 – via the WordPress plugins review team
Quick update from my side: I’ve tried reaching out to the vendor through their website form twice, once via email, and once on the official WP Slack.
Also, just to clarify – we haven’t reviewed the premium version, so we can’t make any claims about it or say whether it shares the same issue as the free version.
If anyone manages to get in touch with the author, please let us know in this thread. Thanks!
The vendor was notified on 2024-10-02 at 10:02:37 EEST, and since then there have been no replies to my messages. So to make it clear, the vendor got the information a long time ago, but ignored the report and made 0 attempts to fix it.
Thank you, Jasmine. Please notify us via email once the patch has been released. Our triage team will promptly validate it, and we’ll update the vulnerability database entry accordingly. AYS Pro has previously demonstrated a professional approach to handling vulnerability reports, and we hope this standard will continue to be maintained at a high level despite this incident.