This week’s report.
Several critical vulnerabilities this week. Of note is that all of the critical vulnerabilities are in plugins that have not been updated in more than two years. While not having an update for two years isn’t a conclusive indicator that a plugin has been abandoned (the version of wpDirAuth from two years ago – 1.7.9 – works just fine in WordPress v4.7.5), it should give you pause.
Before selecting a plugin that hasn’t been updated recently, you should check the forums to see if the developer is still responding to users. This should also remind all of us that we need to go back every once in a while and reevaluate the plugins we have installed to make sure they haven’t been abandoned.
This week’s report.
Only one critical vulnerability this week. I would suggest removing it until the author finishes his fixes (he’s almost finished). Otherwise, all of the rest of this week’s vulnerabilities have updates immediately available.
The big news this week was the release of 4.7.5 which addressed six security-related issues, and three maintenance items. Considering this is a security-focused update, if you don’t have the auto-updates enabled, and you haven’t already upgraded, you need to do so as soon as possible.
Unfortunately, 4.7.5 didn’t address CVE-2017-8295 aka the unauthenticated password reset vulnerability. While I’ve stated previously that this particular vulnerability has a narrow attack surface, it’s still a vulnerability that is actively being targeted and remains in all versions of WordPress. I find it particularly odd that the core team still hasn’t addressed it considering it should be easy enough to correct: use get_site_url() instead of $_SERVER['SERVER_NAME'] in pluggable.php.
The WordPress security team also announced they now have an official bug bounty program on HackerOne. They’ve already awarded $3,700 in bounties. Not only does it cover the WordPress project but includes BuddyPress, bbPress, GlotPress, WP-CLI, and all of their associated sites, plus WordCamp.org. Might be a nice little way to contribute to WordPress and make some money on the side. 😀
If you work in Higher Education and are located in the south-western region of Missouri, don’t miss out on the HighEdWeb Regional conference this Monday, May 22 at 8am. This will be a hands-on workshop where we cover the top web application security risks, and then use them to attack a vulnerable web application. I promise you it’ll be fun! While it is free, space is limited, so if you think you might want to go, sign up ASAP to reserve your spot!
This week’s vulnerability report.
This week’s report is fairly light, with no major critical issues. Given the report’s light reading, I would encourage you to read Wordfence’s post from this week on “22 Abandoned WordPress Plugins with Vulnerabilities” as it highlights a major area of concern when it comes to WordPress: communicating to users that a vulnerability exists in a plugin they are using. Please look over the list and make sure you aren’t using any of the ones listed, and if you are, start looking for alternatives.
Last Saturday the WordPress version 4.8 release date was announced: June 8th. Beta 1 should be available later today with the Release Candidate targeted for May 25th. 4.8 is the first major version released in 2017, and is a stepping-stone toward releasing the new Gutenberg editor in WordPress. In addition it should include a new WYSIWYG widget, and several media widgets.
If you use wpDirAuth, please note that I released a fairly substantial upgrade yesterday. The biggest changes were the addition of several hooks that can be used to modify/extend wpDirAuth to your institution’s specific requirements without having to modify the plugin directly. I also added a cookie expiration setting into the settings area so you can more easily change the one hour default to something else without having to add code to your theme’s function file.
This week’s report.
The other big news this week was the two disclosures concerning WordPress core: Unauthorized Password Reset and Unauthenticated Remote Code Execution vulnerabilities. Ryan Dewhurst (of the WPScan team) did an excellent write-up on these two vulnerabilities, and I encourage you to read it. The TL;DR: keep your WordPress instance up-to-date and if you aren’t on the latest branch (4.7.X) you need to get moved over.
For the Password Reset vulnerability it’s important to note that the scenarios under which this attack can be exploited are limited. In addition, if you are limiting access to the login area by IP address, which I strongly recommend, then this attack is mostly mitigated unless the attack is happening from inside your allowed network ranges. I’ll admit though, I’m a little disappointed in the Core team that they didn’t fix this when it was first reported to them, considering it shouldn’t be that hard to fix. Hopefully we’ll see them address it in v4.7.5.
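The IP restriction recommended above, as an added example that is not code from this post, wpDirAuth or WordPress core. It allows wp-login.php only from an allowlist of CIDR ranges and deliberately consults REMOTE_ADDR alone: the X-Forwarded-For header is client-supplied, so it is ignored. The range list and the two request arrays are constructed for the demonstration, and the helper names (ip_in_cidr, login_allowed, guard_login) are mine.

```php
<?php
// Added example (not from the post or from WordPress). Assumes 64-bit PHP
// so that ip2long() values and the 32-bit mask fit in a native int.

// Returns true when $ip (IPv4 dotted quad) lies inside $cidr ("a.b.c.d/n").
// Malformed addresses or prefixes are never treated as allowed.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // A /0 prefix matches everything; otherwise keep the top $bits bits.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// Only REMOTE_ADDR is consulted: it is set by the web server from the TCP
// connection, whereas HTTP_X_FORWARDED_FOR comes straight from the client.
function login_allowed(array $server, array $allowed_ranges): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    foreach ($allowed_ranges as $range) {
        if (ip_in_cidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Decides the HTTP status for a request: 403 for the login page when the
// client address is outside the allowlist, 200 otherwise. A real deployment
// would send the 403 and exit before WordPress renders the login form.
function guard_login(array $server, array $allowed_ranges): int
{
    $script = $server['SCRIPT_NAME'] ?? '';
    if (substr($script, -strlen('/wp-login.php')) !== '/wp-login.php') {
        return 200; // not the login area; nothing to enforce here
    }
    return login_allowed($server, $allowed_ranges) ? 200 : 403;
}

// Constructed allowlist (documentation ranges standing in for campus networks).
$allowed = ['192.0.2.0/24', '198.51.100.10/32'];

// Constructed requests: one from inside the allowlist, one from outside that
// also carries a forged X-Forwarded-For claiming an allowed address.
$inside  = ['SCRIPT_NAME' => '/wp-login.php', 'REMOTE_ADDR' => '192.0.2.45'];
$outside = [
    'SCRIPT_NAME'          => '/wp-login.php',
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.45',
];

var_dump(guard_login($inside, $allowed));
var_dump(guard_login($outside, $allowed));
```

Run with `php guard_login.php`: the first request is allowed and the second is refused, because the forged header never enters the decision. If the site sits behind a reverse proxy that you control, configure that proxy to set the real client address (or trust only its own forwarded header) rather than reading X-Forwarded-For in application code.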
Interestingly, both issues revolve around the same issue I corrected in the last update to my wpDirAuth plugin: using the $_SERVER variables SERVER_NAME and HTTP_HOST. As I have said previously, all data is tainted. If you didn’t write it into your code yourself, you can’t trust it.
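To make the point above concrete, and the pluggable.php fix suggested in the 4.7.5 post (get_site_url() instead of $_SERVER['SERVER_NAME']), here is an added example that is not code from this post or from WordPress core. It builds the mail From: host two ways: once from the request-derived $_SERVER values, once from a configured site URL. The $_SERVER array and the site URL are constructed; a plain string stands in for get_site_url(), and the function names are mine.

```php
<?php
// Added example (not from the post or from WordPress core). Demonstrates why
// the From: host must not be derived from $_SERVER: on common setups
// SERVER_NAME is copied from the client's Host header, so request data flows
// into an outgoing e-mail header.

// Vulnerable pattern: the host comes from request-controlled data.
function from_host_from_request(array $server): string
{
    $host = $server['SERVER_NAME'] ?? $server['HTTP_HOST'] ?? 'localhost';
    if (strpos($host, 'www.') === 0) {
        $host = substr($host, 4);
    }
    return $host;
}

// Hardened pattern: the host is read from the site's configured URL
// (what get_site_url() returns in WordPress) and never from $_SERVER.
function from_host_from_config(string $site_url): string
{
    $host = parse_url($site_url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException('site URL has no host component');
    }
    return strtolower($host);
}

function build_from_header(string $host): string
{
    return 'From: wordpress@' . $host;
}

// Constructed inputs: the configured site, and a request whose Host header
// (and therefore SERVER_NAME, with Apache's UseCanonicalName Off) was set by
// the client rather than by the server configuration.
$site_url = 'https://blog.example.edu/wp';
$spoofed_request = [
    'HTTP_HOST'   => 'attacker.example',
    'SERVER_NAME' => 'attacker.example',
    'REMOTE_ADDR' => '203.0.113.7',
];

echo build_from_header(from_host_from_request($spoofed_request)), PHP_EOL;
echo build_from_header(from_host_from_config($site_url)), PHP_EOL;
```

The first line printed carries whatever host the request supplied; the second always names blog.example.edu regardless of the request. The same reasoning applies to HTTP_HOST: treat both as tainted input, and anchor anything security-relevant (mail headers, redirect targets, generated links) to configuration you wrote yourself.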