Patchstack

Patchstack (anciennement WebARX) test

WordPress & CMS Vulnerability Management · Category 10. CMS Security · Tier 2

CL Listed — Visible
Methodology v3.5 · OLIR Schema
Avril 2026

Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE) Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed

⚡ Executive Summary 30 seconds

What it is

WordPress and CMS-focused vulnerability management platform specializing in plugin/theme vulnerability detection and virtual patching. Patchstack maintains the largest open-source WordPress vulnerability database and provides automated virtual patches to protect sites before official fixes are released.

Best for

WordPress plugin vulnerability management (OWASP CMS Security), PCI DSS Req. 6.3 (vulnerability identification), GDPR Art. 32 (security of processing for WordPress-based data collection sites). Ideal for agencies, hosting providers, and enterprises managing large WordPress portfolios.

What it does NOT do

No general-purpose DAST or SAST, no network security, no endpoint protection, no IAM, no email security, no SIEM capabilities. Not a full WAF — virtual patching is CMS-specific, not a replacement for network-level WAF.

CL Recommendation

Patchstack is the leading WordPress-specific vulnerability management platform. Largest open-source WP vulnerability database. Critical for organizations running WordPress at scale (50+ sites). Combine with WAF (Cat. 6), backup solution, and SIEM (Cat. 12) for complete WordPress security posture. Bug bounty program (Patchstack Alliance) ensures early vulnerability discovery.

⚖ Regulatory Fit Per regulation verdict

PCI DSS v4.0

~10% of requirements

● Moderate — Req. 6.3 (vulnerability identification for CMS)

DORA

~5% of obligations

△ Supporting only — Art. 8(4) limited to CMS scope

NIS2

~7% of Art. 21

△ Supporting only — Art. 21(2)(e) CMS supply chain security

GDPR

~6% of articles

● Moderate — Art. 32 (security of processing for WP data sites)

HIPAA

~3% of provisions

△ Supporting only — §164.312 limited CMS patching scope

OWASP

~60% of CMS-relevant categories

✔ Strong — OWASP WordPress Security recommendations coverage

▼ Show detailed regulatory mapping (OLIR format)

PCI DSS v4.0 (PROPRIETARY)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
Req. 6.3.1	Identify security vulnerabilities	Contributing	RA-5 / ID.RA-01	Semantic
Req. 6.3.3	Install applicable security patches	Direct	SI-2 / PR.PS-02	Functional
Req. 6.5.5	Address common coding vulnerabilities	Contributing	SA-11 / PR.PS-06	Semantic

GDPR (OPEN_GOV)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
Art. 32(1)	Security of processing	Contributing	SI-2 / PR.PS-02	Semantic
Art. 25(1)	Data protection by design	Contributing	SA-8 / GV.PO-01	Semantic
Art. 5(1)(f)	Integrity and confidentiality	Contributing	SI-2 / PR.PS-02	Semantic

NIS2 (OPEN_GOV)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
Art. 21(2)(e)	Security in system acquisition/dev	Contributing	SR-3 / GV.SC-05	Semantic
Art. 21(2)(d)	Supply chain security	Contributing	SR-3 / GV.SC-05	Semantic
Art. 21(2)(b)	Incident handling	Contributing	IR-4 / RS.AN-02	Semantic

OWASP WordPress Security (OPEN_GOV)

Focal	Obligation	OLIR Rel.	Hub Ref	Rationale
WP-SEC-01	Keep WordPress core updated	Contributing	SI-2 / PR.PS-02	Semantic
WP-SEC-02	Keep plugins/themes updated	Equivalent	SI-2 / PR.PS-02	Syntactic
WP-SEC-05	Monitor for known vulnerabilities	Direct	RA-5 / ID.RA-01	Functional

Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.

🎯 Buyer Guidance Decision support

✔ Consider When

+ Managing 10+ WordPress sites with dozens of third-party plugins
+ Need real-time vulnerability alerts for WordPress plugin/theme ecosystem
+ Hosting provider offering managed WordPress security services
+ GDPR compliance for WordPress-based data collection websites
+ Want virtual patching to protect sites before official plugin updates
+ Agency managing multiple client WordPress sites

❌ Avoid When

− Non-WordPress CMS (Drupal, Joomla — limited coverage)
− Need full-stack application security (SAST/DAST)
− Need network-level WAF protection
− Enterprise with custom-built (non-CMS) applications
− Need endpoint or infrastructure security
− Looking for general-purpose vulnerability management

⚙ Capabilities 19 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers

WordPress Vulnerability Detection 5✓ 0● 0✗▼

✓

Plugin vulnerability database

Largest open-source WordPress vulnerability DB (15K+ entries)

Specific Obl.Out-of-Box

✓

Theme vulnerability tracking

Known vulnerability detection for WordPress themes

Specific Obl.Out-of-Box

✓

WordPress core vulnerability alerts

Real-time alerts for WordPress core security issues

Control FamilyOut-of-Box

✓

Severity scoring (CVSS)

CVSS-based vulnerability prioritization

Generic ControlOut-of-Box

✓

Zero-day vulnerability alerts

Early warning via Patchstack Alliance bug bounty program

Specific Obl.Out-of-Box

Virtual Patching 3✓ 1● 0✗▼

✓

Automated virtual patches

vPatches deployed within 48h of vulnerability disclosure

Specific Obl.Out-of-Box

✓

Plugin-level firewall rules

Targeted protection rules per vulnerable component

Control FamilyOut-of-Box

✓

Auto-deployment of vPatches

No manual intervention required for virtual patch activation

Control FamilyOut-of-Box

●

Custom firewall rules

User-defined protection rules for specific scenarios

Generic ControlConfig Change

Plugin Monitoring 5✓ 0● 0✗▼

✓

Installed plugin inventory

Complete inventory of all plugins/themes across managed sites

Control FamilyOut-of-Box

✓

Plugin update tracking

Monitor available updates for all installed components

Generic ControlOut-of-Box

✓

Abandoned plugin detection

Identifies plugins no longer maintained by developers

Control FamilyOut-of-Box

✓

Multi-site management dashboard

Centralized view across all managed WordPress sites

Generic ControlOut-of-Box

✓

WordPress hardening checks

Security configuration audit for WP installations

Control FamilyOut-of-Box

Reporting & Alerts 4✓ 1● 0✗▼

✓

Real-time vulnerability alerts

Email/webhook notifications for new vulnerabilities

Specific Obl.Out-of-Box

✓

Security posture reports

Per-site and portfolio-level security reports

Generic ControlOut-of-Box

✓

Compliance evidence export

PDF/CSV export for audit evidence

Generic ControlOut-of-Box

✓

API access for integration

REST API for custom integrations and reporting

Control FamilyConfig Change

●

Slack/Teams notifications

Team collaboration tool integration

Data SurfacedConfig Change

🛡 MITRE ATT&CK Mapping Layer 4 — Derived via SP 800-53

M1051

Update Software

Full (claimed)

M1016

Vulnerability Scanning

Partial (claimed)

M1050

Exploit Protection

Partial (claimed)

Score: 2.5 / 5.0 (50%) — All vendor-claimed. Techniques addressed: T1190, T1505, T1059 (exploitation & web server compromise family). CMS-scoped coverage only.

▼ Show ATT&CK techniques detail

Technique	Name	How Addressed	Provenance
T1190	Exploit Public-Facing Application	Virtual patching blocks exploitation of known WordPress plugin vulnerabilities	DERIVED via M1050
T1505	Server Software Component	Detects vulnerable/malicious WordPress plugins and themes	DERIVED via M1051
T1059	Command and Scripting Interpreter	Virtual patches block injection attacks targeting CMS components	DERIVED via M1050

📄 Evidence Pack DR-2 §5.1 — Proof of value

✔

Vulnerability detection reports

Per-site vulnerability inventory with CVSS scoring. PDF/CSV export.

✔

Virtual patching deployment log

Audit trail of all vPatches applied across managed sites.

✔

Plugin inventory reports

Complete component inventory per WordPress installation.

✔

Security posture dashboard

Portfolio-level security scoring and trend analysis.

⚠

Compliance mapping (PCI DSS/GDPR)

Basic compliance evidence mapping for CMS scope.

❌

Third-party security assessment

Independent security audit of Patchstack platform.

Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).

⏱ Operational Metrics & Anti-Hype DR-2 §5.1 + §9.2

Metric	Patchstack Community (Free)	Patchstack Developer	Patchstack Business (Multi-site)
Implementation	< 1 day	1-3 days	1-2 weeks
FTE Required	0 FTE	0.1 FTE	0.25 FTE
Time to first value	Day 1 (vulnerability alerts active after plugin installation)
Time to production	Week 1-2 (all sites onboarded, virtual patching active, alerts configured)

Anti-Hype: Marketing vs. Reality

Largest WordPress vulnerability database

Verified. 15K+ vulnerability entries, maintained by Patchstack Alliance bug bounty community.

Verified

Virtual patches within 48 hours

Accurate for high-severity vulnerabilities. Lower severity may take longer. Coverage depends on vulnerability type.

Verified

Complete WordPress security solution

Covers vulnerability detection and virtual patching only. No malware scanning, no backup, no full WAF, no login protection.

Misleading

Zero performance impact

Lightweight plugin but virtual patching rules add minimal PHP processing overhead per request.

Partial

Protects against all WordPress attacks

Only protects against known vulnerabilities in the database. Zero-day attacks, brute force, and DDoS require additional tools.

Misleading

⚖ Strengths & Cautions

✔ Strengths

+ Largest open-source WordPress vulnerability database (15K+ entries)
+ Automated virtual patching within 48h of disclosure
+ Free community tier for basic vulnerability alerts
+ Patchstack Alliance bug bounty for early vulnerability discovery
+ Lightweight WordPress plugin with minimal performance impact
+ Multi-site portfolio management dashboard
+ Strong focus on WordPress plugin supply chain security

⚠ Cautions

! WordPress-only — very limited support for other CMS platforms
! Virtual patching is not a replacement for actual plugin updates
! No malware scanning or cleanup capabilities
! No full WAF — CMS-specific virtual patching only
! Limited compliance mapping (basic PCI DSS/GDPR only)
! Dependent on vulnerability database completeness
! All capabilities VENDOR-CLAIMED (no CL independent testing)

📈 Competitive Positioning Category 10 — CMS Security

Capability	Patchstack (anciennement WebARX) test	Wordfence	Sucuri	WPScan
Vulnerability database	✔	✔	✔	✔
Virtual patching	✔	●	✔	✗
WAF	✗	✔	✔	✗
Malware scanning	✗	✔	✔	✗
Multi-site management	✔	✔	✔	●
Free tier	✔	✔	✔	✔
Bug bounty program	✔	✗	✗	✗

Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.

📑 Framework Views Hub: CSF 2.0 + 800-53r5 + ISO 27001

▼ Show NIST SP 800-53, CSF 2.0, ISO 27001 mapping tables

NIST SP 800-53 Rev 5

Control	Name	Contribution	Provenance
SI-2	Flaw Remediation	direct	DERIVED via PCI DSS 6.3.3
RA-5	Vulnerability Monitoring & Scanning	direct	DERIVED via PCI DSS 6.3.1
SR-3	Supply Chain Controls & Processes	contributing	DERIVED via NIS2 Art. 21(2)(d)
CM-8	System Component Inventory	contributing	CL-ORIGINAL
SI-5	Security Alerts & Advisories	direct	CL-ORIGINAL

NIST CSF 2.0

Control	Name	Contribution	Provenance
IDENTIFY	ID.RA-01 Vulnerability identification	direct	DERIVED via RA-5
PROTECT	PR.PS-02 Software maintenance	direct	DERIVED via SI-2
IDENTIFY	ID.AM-02 Software inventory	contributing	CL-ORIGINAL
DETECT	DE.CM-09 Software monitoring	contributing	CL-ORIGINAL

ISO 27001:2022 Annex A

Control	Name	Contribution	Provenance
A.8.8	Management of technical vulnerabilities	direct	DERIVED via PCI DSS 6.3
A.8.19	Installation of software on operational systems	contributing	CL-ORIGINAL
A.5.21	Managing ICT supply chain security	contributing	DERIVED via NIS2-ISO
A.8.9	Configuration management	contributing	CL-ORIGINAL

▼ Show Vendor Security Practices (SSDF / CRA)

SSDF ID	Practice	Status
PW.1	Risk-based secure design	Claimed
RV.2	Timely vulnerability remediation	Claimed
PO.5	Secure development environment	Unknown
PS.3	SBOM available	Not stated
RV.1	Vulnerability disclosure program	Claimed
PS.2	Code signing	Not stated

Compliance Labs · Software Listing v3.5 · OLIR Schema Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · Avril 2026