Listen:

Patchstack Weekly #52: Will AI Change Web Security?

Published 21 December 2022
Updated 24 July 2023
Table of Contents

Welcome to the Patchstack Weekly Security Update, Episode 52! This update is for week 51 of 2022 and this is planned to be the last Patchstack Weekly of the year.

This week’s news is about some interactions I had with an AI chatbot called ChatGPT. I will share this chatbot’s amazing ability to write code, correct itself, to learn – and I will share some shortcomings too.

In this week’s vulnerability roundup I will share details about more unpatched security bugs, including one bug in WordPress core that is still unpatched to this day.

The AI WordPress code test

This week, I took some time toying around with ChatGPT an AI engine that generates text, including code. This astounding program is highly knowledgeable on a vast array of topics, including writing WordPress plugins … but it has a knack for being a little overconfident in its responses.

Today I will share with you some of the good, bad and ugly I saw when chatting with ChatGPT about WordPress development.

The good

ChatGPT puts the ‘awe’ in ‘awesome’. I asked it to write a basic WordPress plugin, explaining details using basic English and it replied with functional code (most of the time).

ChatGPT code response added an insecure nopriv ajax endpoint to call back to a function

There were limitations though. More often than not, I had to specifically ask for security functionality. But, ChatGPT handled it like a champion and knew exactly what to add when I asked for a nonce and authorization checks.

chatGPT code response adds nonce and authorization checks to the function

This experience was strangely natural. Natural in the sense that many WordPress plugins follow this path of functionality first, then security easily added in revisions.

The bad

Not all is perfect with ChatGPT though. As I mentioned before, the bot sometimes gives answers that sound confident, but are very confidently wrong.

When I asked ChatGPT to identify a common security vulnerability in some supplied code, it sometimes missed the mark by a long shot.

chatGPT detecting the wrong vulnerability

This was easily addressed by re-asking the question. Typically on the second attempt, ChatGPT got things right.

chatgpt getting the security bug correct with a great response

The catch here is that I knew the answer to the question I was asking. This should serve as a warning to users to not seek out new knowledge through AI, as the answers may be misleading. Instead use AI engines to enhance, augment or improve upon your existing knowledge and experience.

The ugly

As a bit of fun, I asked ChatGPT for some jokes about WordPress security.

chatgpt telling a WordPress security joke in the style of norm Macdonald
chatgpt telling a WordPress security joke in the style of tinA fey
chatgpt sharing 4 bad puns and 1 okay one.

While ChatGPT has some good advice, unfortunately, it falls flat as a comedian. Perhaps comedy is too complex of a task to ask from an AI chatbot.

So, if you find yourself worried your job might be replaced by an AI chatbot (hint: it won’t), then maybe a career in stand-up may be a safe backup plan.

Vulnerability roundup

This week’s vulnerability roundup will be about many more unpatched security bugs. The biggest of which is an unpatched security bug affecting WordPress core which was published by Sonarsource a few months ago.

WordPress’s Unpatched SSRF Bug

Reviewing SonarSource’s write-up, here are a few key details:

The bug cannot easily lead to an exploited WordPress website. Attackers need to control the DNS server the web server is configured to use in order to exploit this bug.

In scenarios where a site is vulnerable, the impact is limited. This is after all an SSRF bug, which I’ve written about before in Patchstack Weekly #33, What is SSRF?. You may recall in that episode, SSRF could lead to internal servers being targeted. With this in mind, we should consider that if the attacker already has control over DNS servers, then things are already much worse than SSRF for the organization.

I would not be terribly worried about this specific security bug, but I will still look forward to the WordPress core security team pushing a patch.

Unpatched plugin security bugs

WordPress core was not the only project affected by unpatched security bugs this week. In total 14 unpatched security bugs were published in 9 unique plugins.

Of the above list, the most serious unpatched security bugs are the unauthenticated ones affecting wp-autosearch, cryptocurrency-widgets-pack, letsrecover-woocommerce, and sunshine-photo-cart.

I hope the developers of these plugins find the time to write and push a patch soon.

Thanks and appreciation

This week’s thanks goes out to the developers of ChatGPT, OpenAI and the whole team behind this project. It was amazing working with this tool.

A special thank you goes out to Sonarsource for finding and reporting the bug in WordPress core. Even though this went un-patched, I appreciate your efforts and understand why you published the details publicly after 5 years of it going unaddressed.

I will be back in 2023 with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!

The latest in Patchstack weekly

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu