Welcome to the Patchstack Weekly Security Update, Episode 57! This update is for week 5 of 2023.
This week’s knowledge share will be the final new year’s resolution. In this final week of January 2023, I ask that you consider adding more security to your resume, services, business, and life.
This week’s vulnerability roundup will share details on three security bugs that were patched last month in a popular Learning plugin for WordPress.
Weekly knowledge
When I think about security, I do not think security is the binary secure vs. insecure. Instead, I see security as a practice that can be applied to many situations in work and life.
Security is defined as the state of safety or being free from danger. The practice of security though is boundless. With infinite contexts on what a danger could be, there is no end to security. But, within different contexts, only so much security matters.
The security of a wifi network has nothing to do with the security on your front door (unless you have a wifi smart lock, I guess).
But, think about your role. A systems administrator has a totally different set of security concerns than those of a developer, the same goes for agency owners, support representatives, or entrepreneurs.
Each perspective has it’s own security context, and while security-related tasks and responsibilities may vary, ultimately they are there to keep people safe from threats/risks.
Everyone should learn how to practice securely for their context. You may still choose to delegate security-related tasks to others, but you still need to know what the security context is.
Why do this? Because it is an opportunity to grow. For small organizations, you can offer more security services to your customers. For professionals, you will advance your career by showing your competency in security. If you practice security, you will become resilient to threats in your life and business.
This new years resolution weekly knowledge share is all about a few common WordPress and Open Source related roles that can add to or start their own security practices.
Developers
Train yourself in defensive coding techniques and the security concerns about your favorite development language or framework. Learn how to identify security bugs, how to patch them, and how to communicate security issues with others. Do this and you will increase your value in the workplace or get you more clients as a contractor.
Agencies
Do more for your clients to offer them a sense of safety. Show your customers how security best practices are followed (like brute force protection or software updates.) This may require educating some users or taking on more workload. But, with more workload comes more billable hours.
Hosting providers
Add more security features for your customers. Each new feature is worth public discussion, and shows you are improving not stagnating in the field
Site and business owners
By knowing more about the topic of security, you will not fall victim to fear-based or overconfident marketing copy like “next generation blockchain-AI-machine-learned security”. Instead, you will be well-informed about security topics and best practices making them second nature. You will know what security really is, and be confident in it is implemented correctly.
Security researchers
Security researchers embody a life committed to learning security concepts. I do mean life commitment, security is endless when you change perspectives or fields of study. I encourage you to continue your research and seek out knowledge. Find security concepts that overlap and introduce them to different communities, and make the world a more secure place than when you started.
Conclusion
Security is a big subject, which the more knowledge you have of it is beneficial to your life, work or business. If you are doing the security related work, you will have more value. Even if you are not doing the security related work, having security knowledge is how you know you are correctly protecting yourself, your organization, your website, or your front door (like, maybe wait on installing that fancy WIFI front door lock you got for Christmas. At least until you have an adequate understanding of the device and your home network’s security contexts.
In short, my new year’s resolution is me imploring you to learn more about security and its infinite perspectives.
Vulnerability roundup
This week’s vulnerability roundup is all about one plugin, and one release, which addresses three security bugs.
The popular LearnPress plugin with over 100,000 installations patched 3 critical severity security bugs that were reported in the project last month. The Patchstack Alliance reported these security bugs to the LearnPress team in early December. On December 20th, the LearnPress team released version 4.2.0 which addressed all reported security bugs. We then waited over a month before publishing the findings on January 24th.
Bleeping Computer picked up the story as well, and provides additional insight related to a delay in the patch making it to end-user websites. They highlight that 75% of LearnPress installations are still running vulnerable versions I just checked this number myself and see it is now 69% of LearnPress installations.
You can find out more about each of these three LearnPress security bugs in the Patchstack Database.
LearnPress – Unauthenticated SQL Injection
LearnPress – Unauthenticated Local File Inclusion
LearnPress – Authenticated (Contributor+) SQL Injection
We encourage site owners running LearnPress to update to the newest release as soon as possible.
Thanks and appreciation
This week’s thanks goes out to the developers at ThimPress the owners of LearnPress for writing the security patch quickly and working with the Alliance on multiple reports all at the same time. Great job, but now it is up to the website owners to update their plugin version.
A further thank you is extended to one of Patchstack’s newest partners, WPMU Dev. Their Defender Pro security plugin now integrates Patchstack’s vulnerability intelligence feed to help Defender Pro customers identify and patch insecure components installed on their websites.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!
