Welcome to the Patchstack Weekly Security Update, Episode 48! This update is for week 46 of 2022.
This week’s knowledge share is about the security concern caused when software has been abandoned or has reached its end of life (EOL). I will discuss what the risks of running unsupported software, and what you can do to confirm your WordPress website’s full tech stack is up to date.
On the topic of unsupported software, this week’s vulnerability roundup will focus on abandoned plugins in the WordPress.org repository. I will share details on a surprising number of WordPress components recently removed from the .org repository due to abandonment after security flaws went unaddressed.
Abandoned and EOL projects
This week’s knowledge share comes with a warning. I will be talking about an existential truth that we all must face in our lives, many people find it unsettling so I don’t blame you for turning this episode off now.
The existential fact I will be talking about, is that …
Everything has an end
Including the software you may rely on. One example is PHP announcing the end of support (EoS) and end of life (EoL) for the 7.4 branch in just a few weeks from now. This is done to inform users and developers about the need to upgrade, which must be done because it is extremely burdensome to maintain support for old software releases. While this end is more of an evolution, evolution is full of dead ends.
Luckily for PHP users, the solution is easy – update to a supported version, in this case: 8.0 or 8.1.
You may think I am going a little overboard with that warning I gave. But, I have observed behavior in the WordPress community that makes me believe some people do not face the fact that old software needs to be replaced or updated. They seem to want to hold onto the idea of “if it isn’t broken, then don’t update it.”
From website owners running abandoned plugins to web servers still configured to run on old unsupported versions of PHP, Apache, or Linux. Ignoring or making excuses for running out of date software ultimately just leaves your websites and servers unsupported against unprotected risks.
We need to face the facts. If your site or web server is running the same code as it was several years ago, maybe it’s time to rebuild some things. Even if it is running smoothly now, that’s the best time to look for a replacement. The alternative is waiting until something breaks and you will be left scrambling to fix a website that is offline or compromised.
So we can acknowledge that everything has an end. What can we do about it? How can we make this an easy process?
Have a plan
Planning is the key to making any process easy. Put together a checklist of what to do. In this case, a list of software your site is running, and how to check if it is running a currently supported version.
WordPress site owners already have a very handy Site Health check screen in the wp-admin dashboard. This screen does not provide you warnings about insecure versions of software (you will need a service like the Patchstack app for that.) It does provide you with a list of your server’s underlying software and the versions of each. Using a little manual work you can check your PHP version, Linux kernel, MySQL versions, and much more.
Once you know what version of software you are running, you just need to look up if it is still supported or needs any security patches.
Here are some handy links:
- PHP supported versions
- MySQL supported versions
- Linux kernel support versions
- Endoflife.date (for anything else)
The site health screen also includes a list of plugins, themes and their versions. Now, all you need to find out is if the component is abandoned or if that version has any known security issues. The Patchstack plugin will make identifying insecure WordPress plugins and themes automatic. You will also want to identify abandoned WordPress plugins too.
However you go about checking the software versions of your website and its technology stack is up to you. The important part is you write down how it is done so you have a plan on how to update or replace the software before it gets abandoned and becomes a problem.
Now that you have the process down, you just need to schedule periodic times to do the work. I would recommend this to be done as frequently as possible, which is why automation or using a third party like Patchstack will help you save a lot of time. But, if you must do this manually maybe set aside some time every month or at least once a quarter.
You do not want to find out you missed an update, too late.
This week’s vulnerability roundup is a list of plugins without security patches added to the Patchstack database in the last 7 days. You may be surprised how many there are …
- add-multiple-marker – Missing Access Control
- add-multiple-marker – CSRF
- activity-reactions-for-buddypress – Broken Access Control
- activity-reactions-for-buddypress – CSRF
- adrotate – CSRF
- postmagthemes-demo-import – Authenticated File Upload
- uji-countdown – Authenticated XSS
- add-comments – Authenticated XSS
- advanced-wp-columns – Authenticated XSS
- clerkio – Authentication Bypass and API key disclosure
- wp-pagebuilder – Authenticated XSS
- wpupper-share-buttons – Authenticated XSS
- quick-restaurant-reservations – CSRF
- sitepress-multilingual-cms – CSRF 1
- sitepress-multilingual-cms- CSRF 2
- asgaros-forum – CSRF
- car-rental – Authenticated XSS
- simple-video-embedder – Authenticated XSS
- cyklodev-wp-notify – Authenticated XSS
- testimonial-slider – CSRF
That is 20 unpatched security bugs in the last 7 days. 17 unique plugins with no security patches, and potentially no support. I do hope some of these developers were just delayed in providing a patch, and for their users’ sake, a patch can be released soon. But time will tell.
Thanks and appreciation
This week’s thanks goes out to the developers of every open-source project that clearly documents and shares the timeline of support for each release. Remember, everything has an end, including support for a project. Mature open-source projects understand this, and clearly communicate with their users how long they can continue to expect support. Thank you for doing that.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!