Patchstack Weekly is a weekly security update made by Patchstack Security Advocate Robert Rowley. Every week Robert highlights the notable WordPress vulnerabilities, helps us learn something new about security, and gives thanks and appreciation to those who helped make the web a safer place.
Want to learn more about Robert? Read this: Meet Robert – Patchstacks’ Security Advocate
This episode is called Vulnerability News & Over-Communicating Security.
This update is for week 21 of 2022.
This week Robert talks more about communicating security. But, not too much, because this week he talks about over-communicating security, also known as alert fatigue.
He also talks about a few notable security bug fixes added to the Patchstack Database in this week’s vulnerability news.
This episode is called How To Communicate Security?
This update is for week 20 of 2022.
This week Robert talks about the importance of communication, and specifically how to communicate about security issues.
Starting from developers needing to communicate security bugs being patched and ending with how Patchstack partners are experiencing some great successes by integrating Patchstack’s WordPress vulnerability intelligence API into their products. He tells you how and why in this week’s knowledge share.
He also announces the winners of the Patchstack Alliance’s WordPress bug hunt contest and gives a heads up about two unauthenticated SQL injection security bugs: one patched, one not.
This episode is called Secure AJAX Endpoints & WordPress vulnerabilities.
This update is for week 19 of 2022.
Robert shares two WordPress plugins with security bugs that have no patch available.
One could let an attacker trick logged-in users into running arbitrary code on their websites, and the other could lead to unauthenticated SQL injection. He also has a bit of breaking news to add.
In this week’s knowledge share, Robert talks about securing WordPress AJAX endpoints.
Why is it important to secure AJAX endpoints? How do you spot which functions need more attention during secure code review, and how do you do security testing with a tool you almost certainly already have installed?
This episode is called PHP Object Injection aka Insecure Deserialize.
This update is for week 18 of 2022.
This week Robert talks about an obscure vulnerability class that is commonly overlooked by developers, bug bounty hunters, and security researchers alike: PHP Object Injection, also known as insecure unserialize.
As always, there is vulnerability news too, with a handful of vulnerabilities he would like to share with you, including one report of, you guessed it, PHP Object Injection.
This episode is called Egoless Programming And Security Bugs.
This update is for week 17 of 2022.
This week Robert shares a handful of vulnerabilities. Including 3 unauthenticated SQL injection security bugs that were patched, and 3 security bugs that could lead to files being uploaded to websites running these affected plugins.
In this week’s knowledge share, Robert talks about egoless programming, a concept introduced over 50 years ago that is extremely helpful when it comes to handling security bug reports.
This episode is called WordPress Vulnerabilities And Secure Code Review.
This update is for week 16 of 2022.
This week Robert talks about the power of transparency in open source as it pertains to security, and how anyone, including you, can utilize this transparency to learn secure code review.
There are a lot of vulnerabilities to discuss this week as well: some versions of Elementor are affected by an authenticated high-risk vulnerability, a development/design firm patched many of their projects, and there are 9 unauthenticated SQL injection security bugs (5 with patches, and 4 without). So let’s talk vulns.
This episode is called WordPress Security History.
This update is for week 15 of 2022 and is about WordPress security history.
This week is a special episode. There were not many critical vulnerabilities to cover, so Robert skips the vulnerability news and instead shares a lesson about WordPress security history over the last 18 years. He hopes that by knowing this history, we can learn some lessons along the way.
Of course, there were some interesting vulnerabilities this week. If you would like to check them out, please go to the Patchstack Database.
This episode is called Five Steps To A Secure WordPress From Scratch.
This update is for week 14 of 2022 and covers the first 5 steps to a secure WordPress.
This week has a lot of vulnerability news to cover, and Robert shares it as a 3-2-1 punch of 3 plugins that received no patch for security bugs, 2 premium plugins that patch critical security bugs, and 1 public exploit already being shared for a Local File Inclusion vulnerability.
In this week’s knowledge share, Robert talks about the first 5 steps of WordPress security. These steps are not the only steps you should take for security, they are the steps you should be taking when you are first setting up a WordPress website from scratch, to ensure it is secure from day 1. He also adds a bonus step for bare basic security maintenance.
This episode is called New Set Of WP-CLI Security Commands.
This update is for week 13 of 2022.
This week, Robert talks about two high-risk vulnerabilities in two WordPress plugins with one big difference: one was patched, one was not.
In this week’s knowledge share he shares some new WP-CLI Security commands that were just added. Hopefully, you’ve heard of WP-CLI, if not, then you are in for a nice surprise!
This episode is called Secure WordPress File Uploads.
This update is for week 12 of 2022 and this week Robert talks about WordPress vulnerabilities and WordPress file uploads.
This week in WordPress-related vulnerabilities – 3 plugins that have each been patched due to high-risk security bugs found in their code.
He also provides an update on the insecure Freemius library situation and shares some possible expectations for what will happen in the next few weeks.
He also talks about defensive coding strategies for a common security bug in this week’s knowledge share. A serious security bug we saw a lot of in WordPress themes in 2021 according to our whitepaper: arbitrary file upload.
This episode is called State of WordPress Security 2021.
There is some big news this week. Patchstack released the State of WordPress Security Whitepaper for 2021 on March 9th.
Robert gives a short summary of some high points in this week’s knowledge share, but if you would like to read the whole thing you can view it on patchstack.com for free, no email or registration is required.
Before the 2021 review, Robert covers this week’s vulnerability news, which includes a WordPress core security release (5.9.2) and five WordPress plugins that patched high-risk security bugs in the last week. The emphasis on high risk is deserved: none of them require authentication for an attack to succeed.
This episode is called Influx of New Vulnerabilities & Freemius Library.
This week Robert covered a few high-risk vulnerabilities found in WordPress components, gave an update on the insecure old Freemius library situation, and discussed last month’s additions to the Patchstack database.
This episode is called Vulnerability News & Insecure Libraries.
This had been a heavy news week for the world, and open-source, specifically WordPress, security concerns were no exception.
There were 5 plugins that released patches for serious vulnerabilities, as well as over 800 plugins that Patchstack identified as including an insecure library in their codebase.
Patchstack also set up a hub for businesses and security experts who are looking to help Ukrainian NGOs during this troubling time. If you would like to learn more, please check out UACyberHelp.com
In this week’s knowledge share, Robert talks about insecure libraries: how one specific library came to be used by hundreds of WordPress plugins, what the developers can do about it, and how site owners can check whether they are affected.
This episode is called Vulnerabilities & Vulnerability Risks.
This week’s vulnerability news had a lot to cover. One WordPress plugin had a vulnerability so severe the WP.org team initiated an auto-update for all installations. Another WordPress plugin patched 7 security bugs over 2 releases, and WordPress core had a vulnerability disclosed publicly before they could release a patch.
With so much news to cover about vulnerabilities, it was a good week to discuss vulnerability severity and why not all vulnerabilities are equal. In this week’s knowledge share Robert talks about what makes some vulnerabilities more or less severe than others, and how you can use this knowledge to prioritize patching time.
This episode is called Preparing for SQL Injection.
Robert talks about two high severity vulnerabilities that were patched by the developers of WP Spell Check and Revolut Gateway for WooCommerce. Both of these plugins patched unauthenticated SQL injection vulnerabilities, so that is also the topic of that week’s knowledge share.
This episode is called Open Source & Vulnerability Disclosure Policy.
This week Robert shares some of the core principles of open-source software development and how security researchers participate in them, as well as explains why open source projects should always have a vulnerability disclosure policy and what makes a good vulnerability disclosure policy.
This episode is called WordPress Vulnerabilities & Who Is Responsible?
In this week’s session, Robert shares a few high-risk WordPress vulnerabilities that were patched that week and provides an update on details about the un-patched WordPress theme vulnerabilities that Patchstack continues to deal with.
During that week’s knowledge share he identifies the many players in open source security. Patchstack engages with people of varying roles, who have different responsibilities and risks when it comes to protecting open source projects.
This episode is called WordPress vulnerabilities & Cross-Site Request Forgery.
Within this session, Robert informs you of 6 popular open-source WordPress components that have patched various vulnerabilities in their code, from information disclosure to cross-site scripting and cross-site request forgery.
In this week’s knowledge share, he discusses cross-site request forgery vulnerabilities, what their risks are, and shares an easy fix for it using nonces.
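The two knowledge shares above, securing WordPress AJAX endpoints (week 19) and fixing cross-site request forgery with nonces (this episode), come down to the same handful of checks in an admin-ajax.php handler. The following is an added example written for this page, not code from Patchstack or from any plugin discussed in the episodes. The hook name demo_save_setting, the option names and the nonce action are hypothetical. The first handler is the shape of bug the episodes describe (no nonce, no capability check, reachable without login, and it writes whichever option the request names); the second is the hardened form.

```php
<?php
/**
 * Added example: one admin-ajax.php handler written two ways.
 * Hook name, option names and nonce action are hypothetical.
 */

// --- Vulnerable: anonymous access, no nonce, writes any option ---------------
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_insecure' );
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_insecure' );

function demo_save_setting_insecure() {
    // Attacker-controlled option name and value: this is the "arbitrary
    // options update" pattern (think users_can_register, default_role).
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// --- Hardened -----------------------------------------------------------------
// Only the logged-in hook is registered; admin-ajax.php will not run this
// for anonymous visitors at all.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_secure' );

function demo_save_setting_secure() {
    // 1. CSRF: require a nonce minted for this action and this user.
    //    check_ajax_referer() terminates the request (HTTP 403, body -1)
    //    when the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege, so also
    //    check a capability. wp_send_json_error() calls wp_die() for us.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Never let the request pick the option: allowlist names and pair
    //    each with the sanitizer its value type needs.
    $allowed = array(
        'demo_plugin_title' => 'sanitize_text_field',
        'demo_plugin_limit' => 'absint',
    );
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown setting' ), 400 );
    }
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( array( 'saved' => $name ) );
}

// --- Client side: hand the nonce to the admin script so legitimate
//     requests can include it as the "nonce" POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_setting' ),
    ) );
} );
```

During code review, the things to grep for are exactly the three checks the hardened handler adds: every wp_ajax_ and wp_ajax_nopriv_ hook should lead to a check_ajax_referer (or wp_verify_nonce) call, a current_user_can call, and a fixed set of writes; a nopriv hook that ends in update_option, wp_insert_post, or a raw $wpdb query deserves immediate attention. For testing, replaying the request from a browser’s developer tools or curl with the nonce field removed, or while logged out, should fail for the hardened version and succeed for the vulnerable one.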
In this week’s session, Robert covers a WordPress plugin that patched a critical authenticated remote code execution bug.
As well as a big disclosure by the Patchstack Red Team, which identifies dozens of themes that share the same vulnerable code, with no patch available.
Finally, he talks about an open-source developer who protested against the abuse of their time by large companies who use their projects at no cost.
Giving back to open source projects is the topic of this week’s knowledge share. Robert discusses the importance of supporting open source projects and how to get started.
This was the first Patchstack update for 2022, Happy New Year and let’s get into the security news and talk about factors of authentication.
This week Robert gives a quick roundup detailing the number of vulnerabilities added to the Patchstack database last month and gives an update on the backlog of unpatched vulnerabilities we are working on addressing.
Then he covers the topic of secrets as it pertains to authentication: the granular points of what makes something a secret, and how to secure your login pages with more than just a password.
This week marks the final week of 2021, and with the year coming to a close it is a great time to reflect on the past, present, and future. So that is the format of this week’s update.
Starting with the past, Robert takes time at the end of each year to think about all that has changed in his life since the last year. He recommends you try this as well, it only takes a few minutes and the only recommendation he has is to start with the positive.
Think back to successful projects that have come to completion, new skills learned, perhaps recall any pivots that you made to change the direction of your life or company, and goals you reached. You’re allowed to surprise yourself with what you have accomplished.
Feel free to pause now and take a minute to reflect on at least one good thing from 2021.
But that is enough of the past, let’s move on to the news of the present! I hope you thought of something positive, because this week’s vulnerability news is about a critical WordPress plugin vulnerability with, get this: an unauthenticated arbitrary options table update.
It looks like the vulnerabilities of the past few weeks just keep on repeating themselves, so let’s get to the vulnerability news.
This week’s news may sound like deja-vu, as he covers more of the same topics as last week. Log4j is still a leading security concern, and the project’s developers have released yet another security update, this time to address a Denial of Service concern.
He also once again discusses WordPress plugins with options table update vulnerabilities reported in them … the difference this time is, there is no patch.
In this week’s knowledge share, Robert compares the log4j project’s quick security response to that “not to be named for your protection” WordPress plugin whose options update insecurity has still not been properly patched.
This lack of response is an unfortunate reality security researchers sometimes face. He shares some inside knowledge on what happens when WordPress plugin or theme developers choose to ignore security reports.
It is mid-December, and we are still waiting to see the total impact of a vulnerability reported in the open-source component log4j. This is a library used in a large number of Java applications, and you will get the details later during this week’s knowledge share.
In WordPress security news this week, there are a few plugins that have serious vulnerabilities reported in them, including unauthenticated attacks that may affect tens of thousands of websites. So, let’s get to that right away….
Welcome back to the Patchstack Weekly security update, this update is for December 9th, 2021. Robert talks about the Gravatar breach, web history, and vulnerabilities from this week.
In this week’s session, we have two high-risk vulnerabilities to report in WordPress plugins and he will talk about the Gravatar email leaks, one-way encryption, and how the web experience has changed over the years.
Robert will also give recognition to the technical pioneers that brought us Web 2.0, and acknowledge those who are currently looking forward, the yet-to-be-named pioneers who are about to build what will be known as Web3.