20170414 Vulnerable Plugins Report and other WordPress News

This week’s report.

Vulnerable Plugins

This week’s report is pretty large, mostly due to the disclosure by DefenseCode that 50+ plugins from the company BestWebSoft contained multiple Cross-Site Scripting vulnerabilities. Essentially, if you have one of their plugins, you need to see if there is an update for it yet. The vendor is working to update all of them, but with that many, it’s going to take a while. In this week’s report, I’ve marked which ones had been updated at the time I created the report. It’s very possible they have updated more of them since. If you use one of their plugins and need it, I’d keep checking the plugin’s page for an update.

WordPress Updates

The 4.7.4 update has been moved up from the first week of May to Tuesday, April 18th with Thursday, April 19th as a fallback date.  It seems there was a bug they weren’t going to be able to fix in time for the May release, and the security team wanted to get the 4.7.4 out sooner than mid-May.  My guess then is that there will be an important security update in 4.7.4 so be prepared to update on Tuesday next week.

WordPress 4.8

Matt (Mullenweg) posted his First Quarter Check-In yesterday.  In it he states he wants to see a v4.8 upgrade released in late May, early June. From his State-of-the-Word address, I had assumed we wouldn’t see a major upgrade until fall, if at all this year. I know there’s been some work on media/image widgets and TinyMCE updates, so maybe he’s planning on pushing those out as the 4.8 upgrade?

Other WordPress Security Stuff

In case you missed it, Wordfence released a great post on how home routers are being hacked and used to launch attacks against WordPress sites.  Routers using the Allegro RomPager 4.07 embedded web server (of which there are over 200 models) are vulnerable to Misfortune Cookie (CVE-2014-9222).

The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism…  attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state… trick[ing] the attacked device to treat the current session with administrative privileges

What Wordfence noticed was IPs that would come on, perform a few attacks against WordPress sites and then switch back, sometimes for up to a month at a time.

What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours.

Because the attacker is spreading the attacks across a large pool of IPs, at low frequency and for only a short time on any given IP, the activity can go unnoticed. It’s entirely possible that other CMSes are also being targeted but, because of the distribution of IPs and the low volume, those attacks are going undetected. In addition to checking your router’s make/model against the list linked above, Wordfence has also made a tool available to check to see if your router is vulnerable.
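To show why a per-IP threshold misses this pattern, here is an added detection sketch (not from Wordfence or the original post) that compares a per-IP rule with an aggregate rule over an access log. It assumes the attacks show up as POSTs to wp-login.php or xmlrpc.php in a combined-format log; the thresholds, function names and sample log lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # assumed attack targets
WINDOW = 3600        # seconds per bucket
PER_IP_LIMIT = 20    # hypothetical per-IP lockout threshold
MIN_SOURCES = 5      # hypothetical: quiet IPs that make a window suspicious

def login_posts(lines):
    """Bucket login POSTs by hour: {window_start: Counter({ip: attempts})}."""
    windows = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or path.split("?")[0] not in LOGIN_PATHS:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        windows[int(when.timestamp()) // WINDOW * WINDOW][ip] += 1
    return windows

def per_ip_alerts(lines):
    """Classic rule: IPs with >= PER_IP_LIMIT attempts in one window."""
    return sorted({ip for c in login_posts(lines).values()
                   for ip, n in c.items() if n >= PER_IP_LIMIT})

def distributed_alerts(lines):
    """Aggregate rule: windows where many IPs each stay under the limit."""
    alerts = []
    for start, counts in sorted(login_posts(lines).items()):
        quiet = {ip: n for ip, n in counts.items() if n < PER_IP_LIMIT}
        if len(quiet) >= MIN_SOURCES:
            alerts.append({"window_start": start, "sources": len(quiet),
                           "attempts": sum(quiet.values()),
                           "max_per_ip": max(quiet.values())})
    return alerts

def sample_log():
    """Constructed data: 8 documentation-range IPs, 3 login POSTs each."""
    lines = [f'198.51.100.{10 + i} - - [14/Apr/2017:10:{i * 5 + j:02d}:00 +0000] '
             f'"POST /wp-login.php HTTP/1.1" 200 1500'
             for i in range(8) for j in range(3)]
    lines.append('203.0.113.5 - - [14/Apr/2017:10:50:00 +0000] '
                 '"GET /index.php HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    print("per-IP rule:", per_ip_alerts(sample_log()))
    print("aggregate rule:", distributed_alerts(sample_log()))
```

On the constructed sample the per-IP rule reports nothing, while the aggregate rule flags the hour in which eight sources made three attempts each.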