Tag: security

  • WooCommerce Stripe Gateway Plugin Patches Security Vulnerability in 7.4.1

    Patchstack is reporting an Insecure Direct Object References (IDOR) vulnerability in WooCommerce Stripe Gateway, the most popular WooCommerce Stripe payment plugin with more than 900,000 active users. It was discovered by Patchstack researcher Rafie Muhammad on April 17, 2023, and patched by WooCommerce on May 30, 2023, in version 7.4.1. The security advisory describes the…

  • #79 – Robert Abela on How to Keep Your WordPress Website Secure

    On the podcast today we have Robert Abela. Robert is the CEO and founder of MelaPress, formerly known as WP White Security. They make niche WordPress security and admin plugins. He has over 18 years of experience in the IT and software industries, and has written numerous web security articles and white papers. We all know…

  • WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue

    WordPress 6.2.2 was released early this morning as a rapid follow-up to 6.2.1, which introduced a bug that broke shortcode support in block templates. Version 6.2.1 was also an important security release, but due to the catastrophic breakage for those using shortcodes in block templates, some users were implementing insecure workarounds or simply downgrading to…

  • WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities

    WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today. This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras: The patches were backported to WordPress 4.1.…

  • Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability

    Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been…

  • Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability

    Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2 million users. It was discovered by Patchstack researcher Rafie Muhammad on May 2, 2023, and patched by ACF developers in version 6.1.6 on May 4, 2023. Patchstack published a security…

  • WooCommerce Payments Plugin Patches Critical Vulnerability That Would Allow Site Takeover

    WooCommerce Payments, a plugin that allows WooCommerce store owners to accept credit and debit card payments and manage transactions inside the WordPress dashboard, has patched an Authentication Bypass and Privilege Escalation vulnerability with a 9.8 (Critical) CVSS score. The plugin is active on more than 500,000 websites. Beau Lebens, WooCommerce’s Head of Engineering, published an…

  • Patchstack Tracks 328% More Security Bugs Reported in WordPress Plugins in 2022

    Patchstack, a WordPress security maintenance and management tool, has published its “State of WordPress Security” whitepaper for 2022, tracking a few key metrics on publicly reported vulnerabilities. The findings highlight the risk of using unmaintained themes and plugins along with developers’ need to keep pace with updates to libraries and dependencies included in their work.…

  • All In One SEO Patches Multiple Stored XSS Vulnerabilities in Version 4.3.0

    Wordfence has published the details of two stored XSS vulnerabilities the company responsibly disclosed to the developers of the All In One SEO plugin in January 2023. The vulnerabilities potentially impacted more than 3 million users on versions 4.2.9 and earlier. One vulnerability, which received a 6.4 (Medium) CVSS score, Wordfence attributes to insufficient input…

  • #61 – Robert Rowley on Securing Your WordPress Website

    On the podcast today we have Robert Rowley. Robert is Patchstack’s security advocate, where his time is spent interacting with open source communities to share the word about security best practices. Given his background, the podcast today is all about internet security. We start off with a topic which is very much in the news…

  • Linux Backdoor Malware Targets WordPress Sites with Outdated, Vulnerable Themes and Plugins

    Security researchers at Doctor Web, a security company focused on threat detection and prevention, have discovered a malicious Linux program that targets WordPress sites running outdated and vulnerable plugins and themes. The malware targets 32-bit versions of Linux, but it is also capable of running on 64-bit versions. It exploits 30 theme and plugin vulnerabilities…

  • WordPress Versions 3.7-4.0 No Longer Get Security Updates

    In September, WordPress’ Security Team announced it would be dropping support for versions 3.7 through 4.0 by December 1, 2022. Yesterday the final releases for these versions (3.7.41, 3.8.41, 3.9.40, and 4.0.38) were made available to the very small percentage of users who are running ancient versions of WordPress. As part of the final releases,…

  • iThemes Patches Vulnerability in BackupBuddy, Wordfence Tracks 5 Million Exploit Attempts

    BackupBuddy, a commercial plugin from iThemes that performs scheduled backups with remote storage options, has patched a vulnerability that allowed for arbitrary file download by unauthenticated users. iThemes published an advisory for its users, indicating that the vulnerability affects versions 8.5.8.0 through 8.7.4.1 and is being actively exploited. Wordfence reviewed its data and found that…

  • WordPress To Drop Security Updates for Versions 3.7 Through 4.0 by December, 2022

    WordPress’ Security Team announced it will be dropping support for versions 3.7 through 4.0 on December 1, 2022. To give some context for how old these versions are, in 2013, WordPress 3.7 introduced automatic background updates and 3.8 updated the admin with a new design based on the MP6 plugin. WordPress’ official policy is that…

  • #35 – Akshat Choudhary on the State of WordPress Security

    On the podcast today we have Akshat Choudhary. Akshat is the Founder and CEO of BlogVault, MalCare, WP Remote and Airlift. These WordPress plugins allow their customers to build, manage and maintain their WordPress websites. He’s based in Bangalore, India and we begin the podcast talking about the state of the WordPress community there. We…