The Gutenberg Editor was released recently as a plugin for beta testing. Please note THIS IS A BETA PLUGIN AND SHOULD NOT BE USED IN PRODUCTION. If you’re not familiar with the Gutenberg Editor, it’s a reimagining of the post and page editor in WordPress slated for release with version 5.
“The editor will endeavour to create a new page and post building experience that makes writing rich posts effortless, and has “blocks’ to make it easy what today might take shortcodes, custom HTML, or “mystery meat’ embed discovery. ” –Matt Mullenweg
It’s been the focus of the vast majority of the work towards WordPress core this year. Given their goals and how it appears to be working so far (they are making a TON of progress), this could drastically change how we build out sites, and how users interact with their content.
There are nine unfixed vulnerabilities across five plugins this week. The vast majority of this week’s unfixed vulnerabilities all come from a single author. Unfortunately, he reused the same chunk of vulnerable code across all of his plugins. Specifically, when processing POST data, he did not include a nonce or other check to ensure that user intended to initiate the save action, leaving his code open to a Cross-Site Request Forgery vulnerability. In addition, there is no validation, filtering or sanitation performed on the data before he saves the information to the database. He then later echoes that data back out to the browser without any escaping leaving the code, and more importantly the user, open to Cross-Site Scripting vulnerabilities. An attacker could therefore combine these two vulnerabilities to steal an Admin’s session IDs on a target WordPress site.
Speaking of WPCampus, they just announced this week that WPCampus 2017 will be livestreamed for FREE!! The lineup looks fantastic this year, with a ton of incredible information. Even if you don’t work with WordPress, there are numerous sessions that are platform-agnostic. Go ahead and block off your calendar for Friday, July 14th and make time to tune back in on Saturday, July 15th. You definitely don’t want to miss this.
HighEdWeb also announced their schedule for the upcoming annual conference in Hartford, CT. I’ll be doing a pre-conference workshop this year, but will otherwise not be speaking. Instead I’m serving as co-chair for the Development, Programming and Architecture (DPA) track. And let me just warn you, the DPA track has some amazing talks lined up this year. You should probably just go ahead and plan on staying in the track for both days. 😀
Even if you aren’t interested in DPA, HighEdWeb is always an amazing conference. I understand budgets are tight, but it is well worth your money, even if you have to pay for trip yourself. I highly encourage you to go ahead and register today.
Sorry for not getting this out on Friday. Last week was… crazy. And Friday ended up being way busier than I anticipated.
There are four plugins this week (Count per Day, WP Testimonials, Skype Legacy Buttons, WP Posts Carousel) with known issues but no fixes currently available. WP Testimonials hasn’t been updated for four or five years, so it’s probably safe to say it isn’t going to be updated. If you’re using it, you should consider finding a replacement. The other item I want to draw attention to is the Eduma Education Theme. Since it isn’t the WordPress plugin repository, I’m unsure if you receive an admin notification about the update. If you’re using Eduma, please make sure you update.
The big news last week was the release of WordPress 4.8 “Evans”. There were no security fixes in this release (at least not according to the changelog), but it does include 225 bug fixes and numerous user interface improvements. The biggest one includes the introduction of Image, Video Audio and Rich Text Widgets. These new widgets will allow your end users to add media and formatted text to widget areas, where before they would have had to know HTML. They also added a REST API endpoint for the new media widgets, which opens up the possibilities for even more media-focused widgets. If you haven’t already, definitely upgrade.
A couple of quick notes on some of the items in this week’s report. With the plugin eventr, version 1.02.0 through 1.02.2 are definitely vulnerable to the SQL Injection flaws @_larry0 discovered. What’s particularly interesting is the authored used prepared queries elsewhere in the codebase, even in the same file. So the author knew about prepared statements, and how to use them but for some reason didn’t in these areas. In addition, versions 1.01.2 and earlier, while not vulnerable to the vulnerabilities @_larry0 disclosed suffer from other SQL Injection vulnerabilities. If you’re using this plugin, I would strongly encourage you to remove it and find a different one to replace it.
In regards to the Cross-Site Scripting and File Disclosure vulnerabilities in Tribulant Newsletters (free and pro) disclosed by DefenseCode, while DefenseCode claims they’ve been fixed by the vendor, a quick look through the free version (126.96.36.199) shows that they most definitely have NOT been fixed. This plugin is riddled with XSS vulnerabilities and the file disclosure is still there as well. I don’t know if the author originally fixed them when contacted and then somehow accidentally reverted to the old codebase between when s/he released 4.6.5 and the later versions, or if they never actually fixed the issues, but told DefenseCode they had. Either way, the vulnerabilities still exist. so I’d suggest removing this one and look for a suitable replacement.
UPDATE: While I was writing this post, the author released version 4.6.6 which addresses the Cross-Site Scripting issues. However, the file disclosure vulnerability still exists, and I’m still seeing at least one other possible stored XSS vulnerability. My recommendation to remove stands.
WordPress version 4.8 is still on track to be released this coming Thursday, June 8th. To that end, the core team announced the availability of the second Release Candidate for 4.8. You can grab it here if you’d like to test it out. As I mentioned previously, 4.8 will include multiple new widget options, as well as a revamped TinyMCE editor. Be ready to start updating next week.
Several critical vulnerabilities this week. Of note is that all of the critical vulnerabilities are in plugins that have not been updated in more than two years. While not having an update for two years isn’t a conclusive indicator that a plugin has been abandoned (the version of wpDirAuth from two years ago – 1.7.9 – works just fine in WordPress v4.7.5), it should give you pause.
Before selecting a plugin that hasn’t been updated recently, you should check the forums to see if the developer is still responding to users. This should also remind all of us that we need to go back every once in awhile and reevaluate the plugins we have installed to make sure they haven’t been abandoned.
Only one critical vulnerability this week. I would suggest removing it until the author finishes his fixes (he’s almost finished). Otherwise, all of the rest of this week’s vulnerabilities have updates immediately available.
The big news this week was the release of 4.7.5 which addressed six security-related issues, and three maintenance items. Considering this is a security-focused update, if you don’t have the auto-updates enabled, and you haven’t already upgraded, you need to do so as soon as possible.
Unfortunately, 4.7.5 didn’t address CVE-2017-8295 aka the unauthenticated password reset vulnerability. While I’ve stated previously that this particular vulnerability has a narrow attack surface, it’s still a vulnerability that is actively being targeted and remains in all versions of WordPress. I find it particularly odd that the core team still hasn’t addressed it considering it should be easy enough to correct: use
get_site_url() instead of $_SERVER[‘SERVER_NAME’] in pluggable.php.
The WordPress security team also announced they now have an official bug bounty program on HackerOne. They’ve already awarded $3,700 in bounties. Not only does it cover the WordPress project but includes BuddyPress, bbPress, GlotPress, WP-CLI, and all of their associated sites, plus WordCamp.org. Might be a nice little way to contribute to WordPress and make some money on the side. 😀
If you work in Higher Education and are located in the south-western region of Missouri, don’t miss out on the HighEdWeb Regional conference this Monday, May 22 at 8am. This will be a hand’s-on workshop where we cover the top web application security risks, and then use them to attack a vulnerable web application. I promise you it’ll be fun! While it is free, space is limited though, so make sure if you think you might want to go, you need to sign-up ASAP to reserve your spot!
This week’s report is fairly light, with no major critical issues. Given the report’s light reading, I would encourage you to read Wordfence‘s post from this week on “22 Abandoned WordPress Plugins with Vulnerabilities” as it highlights a major area of concern when it comes to WordPress: communicating to users that a vulnerability exists in a plugin they are using. Please look over the list and make sure you aren’t using any of the ones listed, and if you are, start looking for alternatives.
Last Saturday the WordPress version 4.8 release date was announced: June 8th. Beta 1 should be available later today with the Release Candidate targeted for May 25th. 4.8 is the first major version released in 2017, and is a stepping-stone toward releasing the new Gutenberg editor in WordPress. In addition it should include a new WYSIWYG widget, and several media widgets.
If you use wpDirAuth, please note that I released a fairly substantial upgrade yesterday. The biggest changes were the addition of several hooks that can be used to modify/extend wpDirAuth to your institution’s specific requirements without having to modify the plugin directly. I also added a cookie expiration setting into the settings area so you can more easily change the one hour default to something else without having to add code to your theme’s function file.
The other big news this week was the two disclosures concerning WordPress core: Unauthorized Password Reset and Unauthenticated Remote Code Execution vulnerabilities. Ryan Dewurst (of the WPScan team) did an excellent write-up on these two vulnerabilities, and I encourage you to read it. The TL;DR: keep your WordPress instance up-to-date and if you aren’t on the latest branch (4.7.X) you need to get moved over.
For the Password Reset vulnerability it’s important to note that the scenarios under which this attack can be exploited are limited. In addition, if you are limiting access to the login area by IP address, which I strongly recommend, then this attack is mostly mitigated unless the attack is happening from inside your allowed network ranges. I’ll admit though, I’m a little disappointed in the Core team that they didn’t fix this when it was first reported to them, considering it shouldn’t be that hard to fix. Hopefully we’ll see them address it v4.7.5.
Interestingly, both issues revolve around the same issue I corrected in the last update to my wpDirAuth plugin: using the _SERVER variables SERVER_NAME and HTTP_HOST. As I have said previously, all data is tainted. If you didn’t write it into your code yourself, you can’t trust it.
This week’s report is, fortunately, not too bad. Just six disclosures. There were two more that I saw information on, but was unable to confirm. My guess is that if they turn out to be legit, we’ll see them pop up in the next week.
Probably the biggest piece of news this week is the announcement by Matt that WordPress will be officially dropping support for Internet Explorer less than version 11.
“…we are officially ending support for Internet Explorer versions 8, 9, and 10, starting with WordPress 4.8.”
The other piece of news (well, less “news” and more awareness) is that of WordPress 4.7.4 they included the latest release of TinyMCE. That version of TinyMCE includes a change to how it handles links that open in new windows.
“…all links with a target of _blank will get a rel attribute of noopener noreferrer.”
If you’re unfamiliar with noopener, it prevents a page being opened in a new window/tab from having access to the window.opener object, an issue called Tabnapping. Firefox doesn’t support noopener, so you have to include noreferrer. Read more about how the vulnerability manifests itself. If you noticed these showing up in your links, now you know it’s there to protect your users.
WordCamp Kansas City
WordCamp Kansas City (#wckc) kicks off today. Unfortunately, I won’t be there today, but will be speaking tomorrow morning at nine, and then will be attending the rest of the day. Definitely looking forward to seeing everyone!