Welcome to the Patchstack Weekly Security Update, Episode 44! This update is for week 42 of 2022.
This week I will talk with you about an unsettling security risk caused when a malicious actor preys upon a site owner when they are experiencing an emergency. I will share what precautions you can take today in case of an emergency tomorrow or thereafter.
In this week's vulnerability roundup, I will share details about nine security bugs that were all patched by their respective developers. Three of these bugs are in premium plugins, and six in total share the same vulnerability classification: PHP Object Injection.
Who's your emergency website contact?
This week's knowledge share is a reminder for site owners who are seeking help, to never share passwords with unknown third parties.
You may think this is obvious advice, but I have seen these requests before in online forums. Commonly the scenario involves a site owner experiencing a serious problem with their website - something that is an emergency - and then a not-so-good Samaritan comes along offering help but asking for full access to the website or hosting. This may result in a worse problem than the original emergency they claimed to be there to fix.
Never share your passwords
If you need to grant access to a third party to help work on your website(s) then trust is the first priority. Do you know this person well enough to trust they will not take advantage of you during a difficult time? If you grant an untrustworthy person too much access, they could steal data off of your site, install a backdoor, or lock you out of everything.
Don't let emotions like fear or anxiety caused by the broken website cloud your better judgment. A great way to avoid this is to take time before an emergency ever happens to know who you will call to help. Make a plan, and have a name and contact written down for who to contact for what sort of emergency.
This could be your website's developer, it could be your web hosting provider, it could even be the agency you work with, or a consulting firm that offers emergency services. The important thing is you know who to call for help well before you need to call them.
Have an expert on hand
Knowing who to call for what type of emergency is a best practice for all emergency planning. Every modern country has an emergency service line for paramedics, safety, fire, or disaster help.
But you should not call public emergency services if your website has been hacked or is offline (really, please don't). Instead, you need to find experts who can help you if an emergency comes up.
There are many services your site may need help with in an emergency; here are a few likely culprits:
- Broken plugin
- Broken theme
- … and more
How do you know you have the right expert on hand?
The best experts prevent, as well as correct
The best part of looking for an expert before you are experiencing an emergency is that the best experts offer preventative services rather than preying on people who are already having a bad day. They want to stop the bad day from happening in the first place, but they will also be there to help if an emergency comes up.
Who better to clean up your hacked site, than the provider that helps you never to be hacked in the first place?
Who better to address a problem in your site's performance, than those who can identify a slow page before you knew about it?
Who better to help you with a broken plugin or theme, than someone who could advise you about an issue in code quality before it takes down your entire website?
Who better to address accessibility problems, than the accessibility experts who know how to look from the perspective of those with needs, and perhaps save your website from losing sales if your site's color scheme makes it completely unreadable for some visitors?
I think you get the idea. So, remember, seek out experts before you need them. They can help in an emergency but even better they may be able to help you avoid the emergency in the first place.
The AWP Classifieds or "another-wordpress-classifieds" plugin's developer released an important security update for their plugin recently. This important security update fixes an unauthenticated SQL injection security bug, and it is strongly recommended you make sure your sites receive this patch ASAP.
Users of the premium plugin ALD or Aliexpress Dropshipping and Fulfillment for WooCommerce with the slug "woocommerce-alidropship" should make sure they have received the most recent update to this premium plugin to address a security issue related to sensitive data being leaked by the plugin. Since this is a premium plugin, you may need to manually confirm the update was applied, as premium plugins use different update mechanisms than plugins found in WordPress.org's plugin repository.
The developer for another premium plugin, Automatic User Roles Switcher with the slug name "automatic-user-roles-switcher", patched a security bug by adding authorization and CSRF checks in their code. We recommend double-checking this patch was applied on your website because, again, this is a premium plugin. Failure to apply this most recent patch could lead to a low-privilege user (including subscriber accounts) escalating their role to become an administrator on the website.
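To show what "adding authorization and CSRF checks" means for a role-switching handler in WordPress, here is an added, hypothetical example (not the Automatic User Roles Switcher plugin's code; all `hypo_` names and the option name are assumptions): an admin-ajax handler with no checks, followed by the same handler with a nonce check, a capability check, and a role allow-list.

```php
<?php
// Added, hypothetical example. Not the plugin's real code.

// --- Vulnerable form: any logged-in user (a subscriber included) can call this
// --- through admin-ajax.php and pick any role, and because nothing ties the
// --- request to the user's session, a crafted form on another site can
// --- trigger it as well (CSRF).
function hypo_switch_role_vulnerable() {
    $role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    $user = wp_get_current_user();
    $user->set_role( $role );          // 'administrator' is accepted here
    wp_send_json_success( array( 'role' => $role ) );
}
add_action( 'wp_ajax_hypo_switch_role_vulnerable', 'hypo_switch_role_vulnerable' );

// --- Hardened form: CSRF check (nonce), authorization check (capability),
// --- and an allow-list so the role string from the request is never trusted.
function hypo_switch_role_hardened() {
    // CSRF check: the request must carry a nonce issued to this user for this
    // action (created in the page with wp_create_nonce( 'hypo_switch_role' )).
    // check_ajax_referer() stops execution with a 403-style response on failure.
    check_ajax_referer( 'hypo_switch_role', 'nonce' );

    // Authorization: only users who may promote other users can change roles.
    // By default only administrators hold 'promote_users'.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // Allow-list: only roles the site owner explicitly enabled for switching
    // (hypothetical option name) and that actually exist on this site.
    $allowed = (array) get_option( 'hypo_switchable_roles', array( 'subscriber', 'editor' ) );
    if ( ! in_array( $role, $allowed, true ) || ! get_role( $role ) ) {
        wp_send_json_error( 'role not permitted', 400 );
    }

    // Target user defaults to the caller; a supplied id must resolve to a real user.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    $target  = get_userdata( $user_id );
    if ( ! $target ) {
        wp_send_json_error( 'unknown user', 404 );
    }

    $target->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
add_action( 'wp_ajax_hypo_switch_role_hardened', 'hypo_switch_role_hardened' );
```

A quick check when verifying such a patch: confirm the handler is registered only via `wp_ajax_` (not `wp_ajax_nopriv_`), and that a subscriber account receives an error rather than a role change.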
Finally, there are six plugins that patched PHP Object Injection security bugs recently. I have talked about PHP Object Injection in previous weekly knowledge shares. If you would like to learn more, you can go back to those episodes to understand the unique risks this security bug may pose. In the meantime, you may want to make sure you have updated the following plugins:
- customizer-export-import - PHP Object Injection
- ocean-extra - PHP Object Injection
- smart-slider-3 - PHP Object Injection
- easy-wp-smtp - PHP Object Injection
- capability-manager-enhanced - PHP Object Injection
- capability-pro premium - PHP Object Injection
Luckily, it appears most, if not all, of these PHP Object Injection security bugs require authentication to exploit. This further reduces the risk, but again, you might as well update when you can set aside the time.
Thanks and appreciation
This week's thank you goes out to all of the developers who released security bug patches for their users. There were a lot of bugs patched so here is the list:
- Automatic User Roles Switcher
- ALD – Aliexpress Dropshipping and Fulfillment for WooCommerce
- AWP Classifieds plugin
- Customizer Export/Import
- Easy WP SMTP
- Ocean Extra
- PublishPress Capabilities
- Smart Slider 3
Kudos to each developer for securing their code and securing their users' websites.
This week a special thank you goes to the members of the Patchstack Alliance for finding and reporting tons of security bugs in open source components in the last month. Great job, keep up the good work.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!