Welcome to the Patchstack Weekly Update! It is November 4th, 2021.
This is the first of a weekly series where you can get caught up on recent events relevant to open source security, with an initial focus on WordPress security.
This series is brought to you by Patchstack and I am your host Robert, you can find me on WordPress.org and in the WordPress Slack under the moniker “rawrly“. I look forward to helping keep you regularly up to date on open source security issues here at the Patchstack weekly Update.
Last month, the Patchstack database had a total of 72 new vulnerabilities in WordPress components (such as themes or plugins) added to it, 49 of these reports were reported by Patchstack Alliance members!
Of those 72 vulnerabilities, the following bugs required no authentication to perform the attack. Unauthenticated vulnerabilities carry a much higher risk than a normal vulnerability, so sites running these plugins needed to have been patched yesterday.
Here is the list:
- Pie Register – Attackers can log in as any user, patched in 126.96.36.199
- Asgaros Forum – SQL injection, patched in 1.15.13
- Optin Monster – Lack of authorization on REST API endpoints, patched in 2.6.5
- Job Search – Unauthenticated options table manipulation, patched in 1.8.2. This is a premium plugin, so you may need to verify the patch is getting applied manually.
- The CartPress – Attackers can create arbitrary users. No patch is available, so you may need to write a firewall rule to block this attack or disable the plugin.
The developers have done their part to secure their code, now it is up to the site owners to take action now, please apply those patches!
If you would like more up-to-the-minute notifications about these issues, please follow @hackuu_ on Twitter.
This week, the Patchstack Security plugin is now available in the WordPress Dot Org Plugin Repository. WordPress site owners can install the Patchstack plugin, via their wp-admin dashboard or wp-cli, get regular updates, and access to all of the features that the free version of the Patchstack plugin offers.
Of course, for those inclined you can also upgrade to a paid account which will give you access to the Patchstack App, you will support the Patchstack community and get an eye in the sky, or security operation center for all of your WordPress websites.
Thanks go out to the Patchstack Alliance members, the WordPress dot org plugins team, a special thanks to every open-source developer who released a security patch in October, and thanks to you too, for taking the time to stay informed with this short security update.
I thank you for your time and hope these updates help you keep the web more secure. All I can ask of you is to kindly check in next week for more updates and tips, and if you like the content let others know.
Until next time, stay safe, stay secure.