Welcome back to the Patchstack Weekly Security Update! This update is for week 38 of 2022.
Week 37 had no weekly because I was attending and speaking at WordCamp US 2022 hosted in San Diego, California, USA.
This week I will share highlights from WordCamp US, as well as point out one vulnerability of concern during the Vulnerability Roundup. The bad news is it is critical, but the good news is the affected plugin likely has a limited install base.
WordCamp US 2022
I interacted with hundreds of people in the few days I was at the event. Some old faces I haven’t seen in years, and many more I had known online but were meeting for the first time in person. Sharing stories and insight face to face, or mask to mask while indoors, it was great to get back to in-person events.
I acknowledge Covid-19 and variants still linger as more or less of a concern for all of us who have been affected by it in the last two to three years. I saw no one give any grief about wearing a mask indoors but noticed they were quick to be removed once outside. As a precaution, I tested myself every day just to be certain I was not an asymptomatic carrier, and now almost a week after the event I am still testing negative.
Masking, vaccination, and testing are easy precautions to take for the safety of others. Just like ensuring your sites are not running known insecure components the Patchstack App keeps your site and others safe and secure.
Talking about the safety of others, my session on Making Security Simple for Plugin and Theme Developers was given to a packed room on Saturday. Participants in this security session learned how easy it is to get started with OWASP ZAP, how to hunt down security bugs with static code analysis, details on three security bug classifications (XSS, SQLi, Object Injection) as well as how to secure your API endpoints with allow-lists, authorization checks, and nonce verification.
Showing ZAP breakpoints seemed to be an eye-opening experience for a few of the developers in the audience. They may not have known how easy it can be to manipulate data within HTTP requests, and this helps drive home the secure development golden rule of “never trust user input”.
My security talk was only 1 out of 41 amazing sessions that took place during WordCamp US 2022. These talks are already slowly showing up on WordPress.tv, so I recommend keeping an eye out for more videos from WordCamp US 2022 being released in the upcoming weeks.
Thank you goes out to the organizers, who did a great job at providing the best event and always being available to help. I encountered no issues and had great support to give my presentation (including a stenographer who provided live closed captioning for my presentation; which I clarify: it was no easy task to transcribe the frenetically paced and highly technical talk that I gave that day.)
There were a few things outside of the organizer’s control though, such as the weather (it was uncommonly rainy and humid for San Diego), as well as some ADA accessibility issues that were the shortcoming of the hotel that claimed ADA compliance. Michelle Frechette shared her experience with these accessibility shortcomings. I recommend giving it a read, especially if you have no accessibility issues. Understanding the perspective of other people, especially those with unique needs is the key to being able to help them in the future. Michelle’s post pokes a little fun at her inconvenience, but more importantly, includes a list of everyone who helped her at WordCamp US. It is worthwhile to read her post to see who those helpers were alone.
One final note, it was great to meet with some of Patchstack’s partners at WordCamp US as well: Pagely, Cloudways, WebPros, and our most recent partner – Hostinger. As well as a few new partners soon to be announced.
The only vulnerability of note to share with you this week is in WPgateway, a premium plugin. WordFence researchers released a full write-up with details on their blog.
According to the WordFence report, the security bug is already being targeted by attackers. The report also includes sufficient details to provide protection and detection methods for users.
The risk this security bug poses is that unauthenticated requests could lead to an admin user being created on the WordPress website. There are no reports of a patch being made available, however, the plugin is premium and not publicly distributed. It appears to be a plugin used only for a premium WordPress hosting service, WPGateway. If you are a customer of WPGateway you should reach out to confirm a security patch or other mechanism has been put in place.
If you are not a user of WPGateway, then you can ignore the numerous articles already out there sharing big numbers of sites being actively attacked. Remember, if you don’t have the plugin installed, then these attacks mean nothing and pose no risk to your websites. I talked about this phenomenon a few weeks ago in Patchstack Weekly #32 Are Millions of WordPress Sites Under Attack?
Thanks and appreciation
This week’s thanks goes out to the Organizers, Sponsors, Speakers, and Attendees of WordCamp US 2022.
A special thank you goes out to the attendees who caught my session, thank you for your time and interest in secure development. Don’t forget, if you find a bug please report it to the Patchstack Alliance. There is no better way to prove you know secure development practice than finding, reporting, and possibly helping patch a security bug. Bonus, if you do this for an open source project, you are helping make the world, or at least that project, better for your efforts.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!