Tag: security

  • Proposal to Auto-Update Old Versions of WordPress to 4.7 Sparks Heated Debate

    WordPress contributors, developers, and community members are currently debating a proposal that would implement a new policy regarding security support for older versions. The discussion began last week when security team lead Jake Spurlock asked for feedback on different approaches to backporting security fixes to older versions. Following up on this discussion, Ian Dunn, a…

  • WordPress Security Team Discusses Backporting Security Releases to Fewer Versions

    The WordPress Security Team is exploring different approaches to backporting security fixes to older versions of the software. The effort that goes into supporting versions back to 3.7 (the release that introduced automatic background updates) increases with each major version released. “For the Core Security team, that means when security updates need to be released,…

  • WP Super Cache 1.6.9 Patches Security Issue

    There’s a new release of WP Super Cache (1.6.9) available that patches a security issue discovered in the debug log. The vulnerability can only be exploited if users have debugging enabled. It’s highly recommended that all users upgrade to 1.6.9 to patch the security issue. Details of the vulnerability will be published after users have…

  • All-in-One WP Migration 7.0 Patches XSS Vulnerability

    Those who use the All-in-One WP Migration plugin are encouraged to update to version 7.0 as soon as possible as 6.97 contains an admin backend cross-site-scripting vulnerability. An attacker would already have to be able to either compromise the database or gain access to a user account with high enough privileges to view the backup…

  • WPWeekly Episode 353 – Slack of Boundaries and A Walk to WCEU

    In this episode, John James Jacoby and I discuss an article published by Vox on how Slack is not improving productivity, especially in large team environments. We highlight what’s new in WordPress 5.2.1, why libraries are important to the communities they serve, and new security features in WordPress 5.2. At the end of the show,…

  • WordPress 5.2 Improves the Security of Automatic Updates

    WordPress 5.2, released earlier this month, added the first step towards fully secure updates with offline digital signatures. Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, explains how it works and how developers can migrate away from mcrypt to libsodium. When your WordPress site installs an automatic update, from version 5.2 onwards, it will…

  • PluginVulnerabilities.com is Protesting WordPress.org Support Forum Moderators by Publishing Zero-Day Vulnerabilities

    A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author via the WordPress.org support forums:…

  • WPWeekly Episode 349 – Sandy Edwards and the Kids Event Working Group Initiative

    In this episode, John James Jacoby and I are joined by Sandy Edwards. Sandy gave us a behind the scenes look at what it takes to organize a WordPress event for children and teens. She also provides background information on a new group that’s been formed called the Kids Events Working Group. This group is…

  • WordPress 5.1.1 Patches Critical Vulnerability

    WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over any WordPress site that has…

  • Freemius Patches Severe Vulnerability in Library Used by Popular WordPress Plugins

    Freemius, a monetization, analytics, and marketing library for WordPress plugin and theme developers, patched an authenticated option update vulnerability in its wordpress-sdk four days ago. The library is included with many popular plugins, such as NextGEN Gallery (1,000,000+ installs), 404 – 301 (100,000+ installs), WP Security Audit Log (80,000+ installs), and FooGallery (100,000+ installs). Freemius…

  • Bootstrap Patches XSS Vulnerability in Versions 4.3.1 and 3.4.1

    Bootstrap has released versions 4.3.1 and 3.4.1 to patch an XSS vulnerability (CVE-2019-8331) that was reported to the Bootstrap Drupal project by a developer and then responsibly disclosed to the Bootstrap development team. The vulnerability specifically affects usage of the tooltip and popover features: Earlier this week a developer reported an XSS issue similar to…

  • WPBrigade Patches Critical Vulnerability in Simple Social Buttons Plugin

    WPBrigade, the developers behind the Simple Social Buttons plugin, have patched a critical privilege escalation vulnerability. The security issue was discovered by the team at WebARX. Developer and researcher Luka Šikić summarized the vulnerability in a post published this week: Improper application design flow, chained with lack of permission check resulted in privilege escalation and…

  • WPML Alleges Former Employee Breached Website and Took Customer Emails

    Over the weekend, many WPML customers received an unauthorized email from someone who claimed to have hacked the company’s website and gained access to customer emails. WPML founder Amir Helzer suspects that the attacker is a former employee. “The customer is an ex-employee who left an exploit on the server (not WPML plugin) before leaving.…

  • WPML Website Hacked, Customer Emails Compromised

    On Saturday, January 19, WPML customers started reporting having received an email from someone who seems to have hacked the plugin’s website and gained access to customer information. https://twitter.com/gytisrepecka/status/1086753453429481473 The hacker claims to be a disgruntled customer who had two websites hacked due to vulnerabilities in the WPML plugin: WPML came with a bunch of…