Patchstack Weekly #68: Ending On a High Note

Published 8 May 2023
Robert Rowley
Author at Patchstack
Table of Contents

Welcome to the Patchstack Weekly Security Update, Episode 68! This update is for week 18 of 2023 and this will be the final Patchstack weekly that I will host.

It has been fun the last year and a half but all things come to an end and it is important to always end on a high note.

Ending on a high note is also the topic of this week’s final knowledge share because open-source projects, as well as WordPress websites, should not go quietly into the night! Instead, they should plan for and communicate when a site or project has been sunsetted.

I will then cover WordPress plugins and themes with recently released public security bugs that received no patch, these plugins and themes have likely been abandoned by their developers learn more in this week’s final vulnerability roundup.

Weekly Knowledge

Ends are inevitable, so it’s good to have a plan in place for the inevitable and make it the best it can be. But what does this have to do with security?

Well, consider a public-facing WordPress website. When it is well-maintained and regularly updated, everything is great. But, maybe other priorities have come up for the business, and online sales or content creation slowed to a crawl. Eventually, no one is around to perform regular maintenance and updates to the software come to an end… but the site still remains online.

A corporeal image of what it once was, with a years-old copyright date in the footer but still a functional website in many ways. This ghostly website serves no customers but receives regular visits from bots and exploit attempts. Eventually, leading to an un-noticed compromise. The site gets resurrected by hackers and is used for evil purposes, attacking more websites, participating in denial of service attacks, being used as a proxy for illegal transactions, or worse… ultimately, a tragedy caused by atrophy and neglect.

Had the site owners acknowledged the end of their website and taken it offline sooner, then this compromise could have been avoided. The site could also have even been replaced with a static website making it more resilient to attack until more time could be committed by the owners. Both options would be a better ending than dealing with a compromise.

Ending on a high note applies to the software running the sites too. Open-source projects, especially WordPress plugins/themes really would benefit from announcing their end of life or end of support. Many mature open-source projects already do this and have a clear timeline communicated for how long users can expect continued support.

Not all open-source projects communicate their end though, perhaps it the developers feel uncomfortable talking about the end of the project or perhaps they believe their software should live on forever! Either way, this is what leads to open-source software repositories ending up looking more like a graveyard than a bazaar. With users taking on the burden of searching through the galleries of projects, having to inspect closely if a project is actively supported or has become a zombie, available for download but actually is a hazard for your website.

If more small open-source projects communicated their end-of-support dates, this would benefit the users and developers as well.

Users will trust developers who clearly say “This project is still actively supported” and when that is no longer true, users will appreciate the notification to find a new solution and not need to find out after a major incident like a hacked site happens.

It may sound counterintuitive but developers benefit from announcing their project’s end-of-support date as well. The end-of-support deadline serves them two purposes, encouraging them to continue to provide support, features, and code updates before the time is up. And like old-school arcade machines, allows them to decide if they wish to continue or not. When that end of support date comes, the developer can always add more time and continue the projects, or choose to throw in the towel and find something better to do with their time.

Vulnerability roundup

In this final vulnerability roundup, I will share with you a list of 8 plugins and 3 themes that have security bugs publicly reported in them, but their developers did not provide a patch. Many of these plugins appear to have been silently abandoned by their developers but still remained available for public download in their respective repositories.

glaze-blog-lite – Cross Site Scripting

Last updated 11 months ago.

fascinate theme – Cross Site Scripting

Last updated 11 months ago.

cream-blog theme – Cross Site Scripting

Last updated 11 months ago.

mocho-blog theme – Cross Site Scripting

Last updated 2 years ago.

forms-ada-form-builder – Cross Site Scripting

Last updated 2 years ago.

avirato-calendar – SQL Injection

Last updated 2 years ago.

video-list-manager – SQL Injection

Last updated 3 years ago.

advanced-youtube-channel-pagination – Cross Site Scripting

Last updated 4 years ago.

advanced-category-template – Cross Site Scripting

Last updated 8 years ago.

updraft – Cross Site Scripting

Last updated 12 years ago.

member-database – Cross Site Scripting

Last updated 12 years ago.

Thanks and appreciation

This final thanks and appreciation goes out to Patchstack – thank you for the opportunity to share the good word about information security to the WordPress ecosystem and beyond these patch 68 episodes.

And a special thank you to all of the listeners out there who tuned in either via the podcast or found these posts via social media or Google searches. I hope you learned something from what I had to share the past year and a half.

Sincerely, thank you all.

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.