This week’s vulnerable plugins report.
See my post over at WPCampus.org for information on this week’s report and other security news.
The Gutenberg Editor was released recently as a plugin for beta testing. Please note THIS IS A BETA PLUGIN AND SHOULD NOT BE USED IN PRODUCTION. If you’re not familiar with the Gutenberg Editor, it’s a reimagining of the post and page editor in WordPress slated for release with version 5.
“The editor will endeavour to create a new page and post building experience that makes writing rich posts effortless, and has “blocks” to make it easy what today might take shortcodes, custom HTML, or “mystery meat” embed discovery.” – Matt Mullenweg
It’s been the focus of the vast majority of the work towards WordPress core this year. Given their goals and how it appears to be working so far (they are making a TON of progress), this could drastically change how we build out sites, and how users interact with their content.
Just FYI, I’m also posting the weekly list over at WPCampus so that the information reaches more people, specifically in Higher Education.
This week’s list.
There are nine unfixed vulnerabilities across five plugins this week. The vast majority of this week’s unfixed vulnerabilities come from a single author. Unfortunately, he reused the same chunk of vulnerable code across all of his plugins. Specifically, when processing POST data, he did not include a nonce or other check to ensure that the user intended to initiate the save action, leaving his code open to a Cross-Site Request Forgery vulnerability. In addition, there is no validation, filtering or sanitization performed on the data before he saves the information to the database. He then later echoes that data back out to the browser without any escaping, leaving the code, and more importantly the user, open to Cross-Site Scripting vulnerabilities. An attacker could therefore combine these two vulnerabilities to steal an Admin’s session IDs on a target WordPress site.
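To make the pattern concrete, here is an added illustration (constructed for this post, not code from any of the plugins in the report) of a settings handler written the way described above, followed by the same handler with a capability check, a nonce, input sanitization and output escaping. The option name and field names are hypothetical.

```php
<?php
// Constructed example. Option, field and action names are hypothetical.

// WEAK: no capability or nonce check, the raw POST value is stored as-is,
// and it is echoed back into HTML without escaping. This is the CSRF +
// stored XSS combination described in the report.
function demo_settings_page_weak() {
    if ( isset( $_POST['demo_tagline'] ) ) {
        update_option( 'demo_tagline', $_POST['demo_tagline'] );
    }
    $tagline = get_option( 'demo_tagline', '' );
    echo '<form method="post">';
    echo '<input name="demo_tagline" value="' . $tagline . '">';
    echo '<p>Current tagline: ' . $tagline . '</p>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// HARDENED: only users who may manage options get here, a write happens
// only when the request carries a valid nonce for this action, the value is
// sanitized before it reaches the database, and output is escaped for the
// context it lands in (attribute vs. element body).
function demo_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['demo_tagline'] ) ) {
        // Stops the request (403) unless the nonce for this action is valid.
        check_admin_referer( 'demo_save_tagline', 'demo_nonce' );
        $clean = sanitize_text_field( wp_unslash( $_POST['demo_tagline'] ) );
        update_option( 'demo_tagline', $clean );
    }
    $tagline = get_option( 'demo_tagline', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'demo_save_tagline', 'demo_nonce' );
    echo '<input name="demo_tagline" value="' . esc_attr( $tagline ) . '">';
    echo '<p>Current tagline: ' . esc_html( $tagline ) . '</p>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

Sanitizing on the way in does not replace escaping on the way out; each protects against a different failure, which is why the hardened version does both.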
Speaking of WPCampus, they just announced this week that WPCampus 2017 will be livestreamed for FREE!! The lineup looks fantastic this year, with a ton of incredible information. Even if you don’t work with WordPress, there are numerous sessions that are platform-agnostic. Go ahead and block off your calendar for Friday, July 14th and make time to tune back in on Saturday, July 15th. You definitely don’t want to miss this.
HighEdWeb also announced their schedule for the upcoming annual conference in Hartford, CT. I’ll be doing a pre-conference workshop this year, but will otherwise not be speaking. Instead I’m serving as co-chair for the Development, Programming and Architecture (DPA) track. And let me just warn you, the DPA track has some amazing talks lined up this year. You should probably just go ahead and plan on staying in the track for both days. 😀
Even if you aren’t interested in DPA, HighEdWeb is always an amazing conference. I understand budgets are tight, but it is well worth your money, even if you have to pay for the trip yourself. I highly encourage you to go ahead and register today.
Last week’s report.
Sorry for not getting this out on Friday. Last week was… crazy. And Friday ended up being way busier than I anticipated.
There are four plugins this week (Count per Day, WP Testimonials, Skype Legacy Buttons, WP Posts Carousel) with known issues but no fixes currently available. WP Testimonials hasn’t been updated for four or five years, so it’s probably safe to say it isn’t going to be updated. If you’re using it, you should consider finding a replacement. The other item I want to draw attention to is the Eduma Education Theme. Since it isn’t in the WordPress plugin repository, I’m unsure if you receive an admin notification about the update. If you’re using Eduma, please make sure you update.
The big news last week was the release of WordPress 4.8 “Evans”. There were no security fixes in this release (at least not according to the changelog), but it does include 225 bug fixes and numerous user interface improvements. The biggest one is the introduction of Image, Video, Audio and Rich Text Widgets. These new widgets will allow your end users to add media and formatted text to widget areas, where before they would have had to know HTML. They also added a REST API endpoint for the new media widgets, which opens up the possibilities for even more media-focused widgets. If you haven’t already, definitely upgrade.
This week’s report.
A couple of quick notes on some of the items in this week’s report. With the plugin eventr, versions 1.02.0 through 1.02.2 are definitely vulnerable to the SQL Injection flaws @_larry0 discovered. What’s particularly interesting is that the author used prepared queries elsewhere in the codebase, even in the same file. So the author knew about prepared statements, and how to use them, but for some reason didn’t in these areas. In addition, versions 1.01.2 and earlier, while not vulnerable to the vulnerabilities @_larry0 disclosed, suffer from other SQL Injection vulnerabilities. If you’re using this plugin, I would strongly encourage you to remove it and find a different one to replace it.
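For readers who maintain their own plugins, here is an added illustration (constructed for this post, not code from eventr) of the difference between a request value concatenated into a query and the same lookups done through $wpdb->prepare(). The table and column names are hypothetical.

```php
<?php
// Constructed example. Table and column names are hypothetical.

// WEAK: the id from the request is concatenated straight into the SQL
// string, so whatever the caller supplies becomes part of the query.
function demo_get_event_weak( $event_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_events';
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = " . $event_id );
}

// HARDENED: the value is bound through $wpdb->prepare(). %d forces an
// integer, so a non-numeric value cannot alter the query structure; the
// (int) cast is an extra guard for a column that only ever holds integers.
// The table name is interpolated because it is built from $wpdb->prefix,
// not from request data.
function demo_get_event_hardened( $event_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_events';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", (int) $event_id )
    );
}

// Free-text search: %s binds the string, and esc_like() escapes the
// wildcard characters so a user-supplied '%' or '_' is matched literally.
function demo_search_events_hardened( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_events';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}
```

The habit worth adopting is that every query touching request data goes through prepare(), so that it is never a question of whether this particular file happened to get it.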
In regards to the Cross-Site Scripting and File Disclosure vulnerabilities in Tribulant Newsletters (free and pro) disclosed by DefenseCode, while DefenseCode claims they’ve been fixed by the vendor, a quick look through the free version (22.214.171.124) shows that they most definitely have NOT been fixed. This plugin is riddled with XSS vulnerabilities, and the file disclosure is still there as well. I don’t know if the author originally fixed them when contacted and then somehow accidentally reverted to the old codebase between when s/he released 4.6.5 and the later versions, or if they never actually fixed the issues but told DefenseCode they had. Either way, the vulnerabilities still exist, so I’d suggest removing this one and looking for a suitable replacement.
UPDATE: While I was writing this post, the author released version 4.6.6 which addresses the Cross-Site Scripting issues. However, the file disclosure vulnerability still exists, and I’m still seeing at least one other possible stored XSS vulnerability. My recommendation to remove stands.
WordPress version 4.8 is still on track to be released this coming Thursday, June 8th. To that end, the core team announced the availability of the second Release Candidate for 4.8. You can grab it here if you’d like to test it out. As I mentioned previously, 4.8 will include multiple new widget options, as well as a revamped TinyMCE editor. Be ready to start updating next week.