A lightweight plugin that consults the vulnerability information site Patchstack (patchstack.com) only when you open the Plugins page from the dashboard, and visualizes with alerts whether the installed plugins are safe or vulnerable.
Vulnerability check: the icon stood out nicely, but it added unnecessary vertical scrolling, so I changed it to text 😅
Haha, that's perfect!
Excited to share Patchstack mVDP is here for WordPress plugin developers! A game-changing managed vulnerability disclosure platform that blends AI code scanning with human security review, enabling faster fixes and stronger security. Learn about the two … ift.tt/seiPTah
Oliver Sild retweeted
The award for best #WCEU booth goes to @Patchstack this year.
Day 54/229 First validated report on Patchstack! I just received confirmation of a Cross Site Scripting (XSS) in a WordPress plugin. The report was accepted and is already being processed to contact the vendor. It's still marked “Pending public disclosure”, but it's the first official win #bolhasec I keep on fighting!
Day 52/229 Update: Today I submitted my first bug to Patchstack. SQLi found in a WordPress plugin and report sent to the VDP. In the meantime I had two reports rejected, one on HackerOne and another on Bug Hunt, but each attempt helped refine my methodology and my hunting process. I also built my own toolchain for analyzing and hunting vulnerabilities in WordPress. Many hours invested. Now it's a matter of waiting for the result, continuing to learn, and looking for the next bug. #bolhasec
Feels like an accurate portrayal of many WP businesses
Indisputable
💯, that was such a good concept! My only criticism is that they should have put “Patchstack” on or behind the flames, as you could easily take a photo from an angle that excluded their branding and they deserve the credit!
Old WordPress safety tips do not work like they used to. Bad guys now move fast. Most attacks start about 7 days before a fix is ready. And 91% of new weak spots are in plugins. Old tools cannot see deep enough. Site Security Pro, powered by Patchstack, can. How do you keep your site safe? Read the full guide 👇 xcloud.host/traditional-secu… #xCloud #WordPress #Patchstack
Jun 8
Sale of a 0day/Nday exploit package for WordPress plugins. For informational purposes only.

A package of seven independent vulnerabilities in WordPress plugins with an installation base of 6 to 30 thousand active installations each is on sale. According to the author, all exploits work on current versions.

WordPress -> (wordpress.org/) underpins about 43% of all websites worldwide (according to W3Techs data -> (w3techs.com/technologies/det…)), and plugins traditionally remain the main source of vulnerabilities. According to Patchstack -> (patchstack.com/whitepaper/st…), third-party plugins and themes account for the vast majority of CVEs for WP: in 2025, 11,334 new vulnerabilities were reported, of which 91% were in plugins, 9% in themes, and 6 in the WordPress core. Positive Technologies in 2024 -> (global.ptsecurity.com/analyt…) included vulnerabilities in WordPress plugins in their list of trends.

1. Discount oracle free membership redemption in the Paid Member Subscriptions plugin. Type of vulnerability: a chain of Information Disclosure (oracle) and bypassing the subscription business logic. Number of installations: 10,000. The seller claims that a combination of two vulnerabilities allows bypassing the verification and obtaining a paid membership for free in the paid subscriptions plugin, presumably Paid Member Subscriptions.
2. reCAPTCHA v3 bypass in the Paid Member Subscriptions plugin. Type of vulnerability: bypassing the reCAPTCHA v3 bot protection. Number of installations: 10,000. According to the description, the exploit completely bypasses the built-in bot protection without solving the CAPTCHA. It allows, for example, conducting a mass brute-force attack on registrations and enumerating promo codes.
3. 2FA bypass. Type of vulnerability: Authentication Bypass via an unvalidated provider. According to the seller, the exploit completely bypasses the second factor.
4. Unauth full-user PII dump. Type of vulnerability: Unauthenticated Information Disclosure. Number of installations: 20,000. With a single unauthenticated GET request, the entire user table of the site is downloaded: email, phones, full name, logins (including administrators).
5. Blind SSRF via oEmbed. Type of vulnerability: Blind Server-Side Request Forgery. The exploit forces the server to send an HTTP request to an arbitrary URL, including internal and cloud-metadata endpoints (AWS IMDS, GCP metadata).
6. Unauth group-member enumeration. Type of vulnerability: Unauthenticated User Enumeration. Number of installations: 6,000. Without authorization, the composition of groups, sequential user IDs, logins, and the entire site database, including the administrator, are enumerated.
7. register_ajax ACL inversion. Type of vulnerability: inversion of access control logic. A single reverse call to the function completely disables the "logged-in only vs logged-out only" distinction in the plugin. It turns all protected endpoints into public ones.

#dbugs_darkweb
Glorious!
nice booth :)