A couple of quick notes on some of the items in this week’s report. With the plugin eventr, versions 1.02.0 through 1.02.2 are definitely vulnerable to the SQL Injection flaws @_larry0 discovered. What’s particularly interesting is that the author used prepared queries elsewhere in the codebase, even in the same file. So the author knew about prepared statements and how to use them, but for some reason didn’t use them in these areas. In addition, versions 1.01.2 and earlier, while not vulnerable to the specific issues @_larry0 disclosed, suffer from other SQL Injection vulnerabilities. If you’re using this plugin, I would strongly encourage you to remove it and find a different one to replace it.
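The pattern described above, a plugin that calls $wpdb->prepare() in one function and interpolates request data straight into SQL in the next, is exactly what a quick static sweep of a plugin directory should catch before it ships. The script below is an added example, not eventr’s code or anything from @_larry0’s advisory: it embeds a constructed PHP file (the function names and queries are invented for illustration) that mixes a correctly prepared query, two unprepared ones, a prepare() call whose format string interpolates a variable, and a literal-only query, then applies a heuristic check to each $wpdb call. Anything the check flags still needs a human to confirm; anything it misses (for example a tainted value built up in a variable and passed through a helper) is the limitation of a regex-level audit.

```python
"""Heuristic audit for WordPress $wpdb calls that bypass $wpdb->prepare().

Added example; the PHP below is constructed for illustration and is not
any real plugin's source.
"""
import re
from dataclasses import dataclass

# Constructed sample: one prepared query, two unprepared queries built from
# request data, one prepare() call that interpolates into its format string,
# and one literal-only query (only $wpdb->prefix, which is not attacker input).
SAMPLE_PHP = r'''<?php
// Constructed illustration, not a real plugin's code.
function example_safe_lookup($id) {
    global $wpdb;
    return $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}events WHERE id = %d", $id));
}
function example_unsafe_lookup() {
    global $wpdb;
    $id = $_GET['event_id'];
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}events WHERE id = $id");
}
function example_unsafe_delete($slug) {
    global $wpdb;
    $wpdb->query("DELETE FROM " . $wpdb->prefix . "events WHERE slug = '" . $slug . "'");
}
function example_misused_prepare($name) {
    global $wpdb;
    return $wpdb->get_var($wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}events WHERE name = '$name'"));
}
function example_literal_only() {
    global $wpdb;
    return $wpdb->get_results("SELECT id FROM {$wpdb->prefix}events");
}
'''

# $wpdb methods that execute SQL and therefore deserve a prepared statement.
WPDB_CALL = re.compile(r'\$wpdb->(query|get_row|get_results|get_var|get_col)\s*\(')
# Any PHP variable other than $wpdb itself ($id, $_GET, {$slug}, ...).
FOREIGN_VAR = re.compile(r'\$(?!wpdb\b)[A-Za-z_]\w*')
PREPARE_CALL = re.compile(r'^\$wpdb->prepare\s*\(')
# First double-quoted literal; PHP only interpolates inside double quotes.
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class Finding:
    line: int
    method: str
    reason: str


def _call_argument(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'.

    Quoted strings are skipped so parentheses inside SQL literals do not
    disturb the depth count.
    """
    depth = 0
    quote = None
    i = open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == '\\':
                i += 2          # skip the escaped character
                continue
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    raise ValueError("unbalanced parentheses in PHP source")


def audit_wpdb_calls(php_source):
    """Return a Finding for every $wpdb call that passes variable data to SQL
    without binding it through prepare() placeholders."""
    findings = []
    for m in WPDB_CALL.finditer(php_source):
        arg = _call_argument(php_source, m.end() - 1).strip()
        line = php_source.count('\n', 0, m.start()) + 1
        method = m.group(1)
        if PREPARE_CALL.match(arg):
            # Prepared, but a variable inside the format string itself is
            # interpolated by PHP before prepare() ever sees it.
            fmt = DOUBLE_QUOTED.search(arg)
            if fmt and FOREIGN_VAR.search(fmt.group(1)):
                findings.append(Finding(line, method,
                    "variable interpolated into the prepare() format string; "
                    "use %d/%s placeholders and pass the value as an argument"))
            continue
        if FOREIGN_VAR.search(arg):
            findings.append(Finding(line, method,
                "variable reaches SQL without $wpdb->prepare()"))
        # Literal-only statements (at most $wpdb->prefix) are left alone.
    return findings


if __name__ == "__main__":
    for f in audit_wpdb_calls(SAMPLE_PHP):
        print(f"line {f.line}: $wpdb->{f.method}(): {f.reason}")
```

Run against a real plugin by reading each .php file into audit_wpdb_calls(); three of the five sample functions are flagged, the prepared lookup and the literal-only query are not. The prepare()-misuse case is worth keeping in the check because it looks prepared at a glance and is the kind of thing that slips past a reviewer who only greps for the word "prepare".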
In regards to the Cross-Site Scripting and File Disclosure vulnerabilities in Tribulant Newsletters (free and pro) disclosed by DefenseCode: while DefenseCode claims they’ve been fixed by the vendor, a quick look through the current free version shows that they most definitely have NOT been fixed. This plugin is riddled with XSS vulnerabilities, and the file disclosure is still there as well. I don’t know if the author originally fixed them when contacted and then somehow accidentally reverted to the old codebase between the release of 4.6.5 and the later versions, or if they never actually fixed the issues but told DefenseCode they had. Either way, the vulnerabilities still exist, so I’d suggest removing this one and looking for a suitable replacement.
UPDATE: While I was writing this post, the author released version 4.6.6, which addresses the Cross-Site Scripting issues. However, the file disclosure vulnerability still exists, and I’m still seeing at least one other possible stored XSS vulnerability. My recommendation to remove it stands.
WordPress version 4.8 is still on track to be released this coming Thursday, June 8th. To that end, the core team announced the availability of the second Release Candidate for 4.8. You can grab it here if you’d like to test it out. As I mentioned previously, 4.8 will include multiple new widget options, as well as a revamped TinyMCE editor. Be ready to start updating next week.