Patchstack Weekly #59: Do You Need Virtual Patches?

Published 13 February 2023
Updated 23 November 2023
Robert Rowley
Author at Patchstack
Table of Contents

Welcome to the Patchstack Weekly Security Update, Episode 59! This update is for week 7 of 2023.

This week’s knowledge share will be about virtual patching. I will explain how it works, why vPatching through Patchstack is different, and how it can save you from a lot of stress and anxiety when it comes to deciding when to update your site’s components.

Then, in this week’s vulnerability roundup, I will share the story of one plugin that patched a lot of security bugs in a single release. A heroic effort by the developer, but end users may receive a lot of alerts if they haven’t updated yet.

Do you need Virtual Patches?

Everyone knows software has updates, but not all updates are equal. Some updates add minimal features, and some updates secure the software, but on rare occasions, some software updates break the thing they’re updating.

This inequality of update importance has led to some site owners either opting out of updates outright, at least until they can monitor that the patch does not break things.

This delay can lead to security patches not being applied in a timely manner. This is where virtual patching comes into play.

What is a Virtual Patch?

Virtual patching is a term used when a software patch can be applied without updating the software itself. Typically using another technology layer like a WAF (Web Application Firewall) on the web server.

It is mostly used in the information security field as a way to secure software temporarily until a time that the software can be patched formally. It acts as a stop-gap when patches are delayed.

Patchstack has built the vPatch system, a specific method that provides auto-mitigation to open-source software security vulnerabilities through crowdsourced security research and AI/ML based source code analysis.

This is why vPatching is a valuable tool to have for any WordPress website where updates are not automated. In the event of a security bug being discovered in a plugin or theme, a vPatch buys you time to perform the update on your schedule.

vPatching is also handy if you encounter a bug in the update process. The extra protection vPatching provides gives you the option to downgrade back to the known working (but insecure) version of a plugin to work out the problem. Keeping the site online while you troubleshoot.

That is not all vPatching helps with; it can also be a last line of defense if you are using unpatched or unsupported software.

Protection from unpatched vulnerabilities

It is an unfortunate reality that not all open source projects are actively developed. I have written about this issue before, and even wrote some last patches for WordPress plugins that have been abandoned.

A vPatch is the only option to secure your website if a vulnerability is identified in an abandoned plugin. The vPatch will protect the website until you can find the time to find a replacement for the abandoned component that is putting your site at risk.

Of course, Patchstack offers vPatches for all paid Patchstack app accounts. If you are interested in being in control of how and when patches get applied but do not want to compromise site security, then you should be sure you have vPatching in place to protect your sites in the meantime.

Vulnerability roundup

Wicked Folders by wicked plugins. Active installations: 20,000+

This week’s vulnerability roundup is all about one plugin, and twenty patched bugs. The plugin is Wicked Folders, the twenty bugs can be classified as either Missing authorization or Cross-Site-Request-Forgery. Both bugs are considered a Medium severity, and may not apply to you at all because they require a subscriber level account or to trick logged in users to follow links.

It appears a researcher familiar with finding these two types of security bugs audited the plugin and found 10 API endpoints that lacked nonce or authorization checks. I am unsure if Wicked Folders paid for an audit or if this was found independently. But it shows someone was looking for as many instances of these bugs as they could find.

The developer did a great job providing the patch back on February 6th and noted in the changelogs that this update includes security patches. Now, it is all up to the users to get their site(s) updated.

If you run a site with Wicked Folders and have not yet updated, you may receive a lot of notifications about this. Twenty notifications to be specific. This is because the CNA requesting CVE numbers reported 2 vulnerabilities for each of the 10 API endpoints that lacked nonce or authorization checks. This may result in a little alert fatigue or a temporary spell of anxiety when you see your inbox full of alerts. Don’t worry though, all twenty of those CVEs are addressed in a single release and none are an emergency. So, update away at your convenience, and be certain the developer for Wicked Folders is attentive to security bugs (even 20 at a time!)

Thanks and appreciation

This week’s thanks goes out to the developer of the Wicked Folders plugin. Thank you for patching all of those AJAX endpoints, and addressing each of those reported bugs.

A special thank you goes out to iThemes. The team announced this week that the iThemes Security and iThemes Security Pro plugins are now powered by Patchstack’s Vulnerability Intelligence. This collaboration means more sites are being protected and is a win for everyone except the botnets.

I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!

The latest in Patchstack Weekly

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.