Updated: 02.01.2022
Patchstack Weekly, Week 04: WordPress Vulnerabilities & Who Is Responsible?
Robert Rowley
from patchstack

Welcome back to the Patchstack Weekly security update! This update is for week 4 of 2022.

In this week’s session, I will share a few high-risk WordPress vulnerabilities that were patched this week and provide an update on details about the un-patched WordPress theme vulnerabilities that Patchstack continues to deal with.

During this week’s knowledge share I will identify the many players in open source security. These are the people in many different roles, that play a part in open source security beyond the developers and the end-users of their open-source projects.

Patchstack engages with people of varying roles, who have different responsibilities and risks when it comes to protecting open source projects.

Vulnerability news

Critical vulnerability in AdSanity plugin

The WordPress plugin Adsanity developers patched a critical vulnerability this week.

The patch addresses multiple security issues, the most severe of which prevents a low-privilege user from uploading arbitrary files to the website.

Users are recommended to update to the most recent release of Adsantiy as soon as possible.

More un-patched themes

Numerous WordPress themes are affected by a lack of CSRF protection, which could lead to the activation or deactivation of plugins installed on the website.

The themes affected by this lack of CSRF protection are the same themes with unpatched vulnerabilities we had to release earlier this month as well.

Patchstack encountered the same issue of non-responsiveness from the developer since reaching out to them in early December 2021.

WordPress vulnerabilities

Ignoring our security reports is what led us to have to release details of the unpatched vulnerabilities publicly, we do this so site owners using these components can take action to address this security issue themselves.

The reports of WordPress vulnerabilities are complex, with many different responsible parties involved. In an ideal world, where everyone knows their role and responsibilities, then vulnerability reports go smoothly (as most of Patchstack’s reports do).

Knowing everyone’s role and responsibilities is the topic I will go into during this week’s knowledge share.

Weekly knowledge share

Who is responsible?

Security is everyone’s responsibility. In this week’s knowledge share I will be introducing the many players involved with every security report Patchstack handles, and what their roles, risks, and responsibilities are.

Role: Developer

Risks: Reduced or Improved trust in their products. This really matters, if a developer ignores security bugs, their users will not trust that product, but if they are patching, even patching critical vulnerabilities (like the Adsanity plugin developers did this week) shows the users they can trust this developer to protect their users.

Responsibilities: The only one who can push the patch.

Role: Security Researcher

Risks: Wasting their time, imagine putting in hours of effort into identifying a high severity issue and having to wait a long time for a fix, or never seeing a fix get implemented.

Responsibility: Respectful disclosure process. Including sufficient information that the developer understands and can use to take action to patch their code, and a report free of blame or negativity.

Role: Hosting Provider

Risks: Reputation hits from both customers and block-lists if their hosted sites are regularly compromised.

Responsibilities: Secure infrastructure, and assist customers who get compromised.

WordPress vulnerabilities

Role: Website Owner

Risks: Reputation hits if a site is hacked. No one wants to visit sites full of SEO spammers, phishing scammers, or credit card skimmers.

A lot of hard work and effort can be ruined by one unlucky, unpatched vulnerability.

Responsibilities: Security “hygiene”, such as keeping website components up to date, using unique and secure passwords or 2FA for logins, etc.

Where does Patchstack fit into all of this?

Well, we are building the bridges of trust that will help improve security for everyone involved, what we like to call the Patchstack Alliance.

You likely already know Patchstack works with the security researchers, offering them a bug bounty and notoriety for reporting WordPress vulnerabilities in open source components through the Patchstack Red Team.

Patchstack then takes the vulnerability reports the red team provides, manually verify them, and only forwards the reports which are within the developer’s control to patch.

We include sufficient details needed for the developer to know how to verify the problem themselves, and can help point out what part of the code likely may need the patch.

Patchstack continues to help everyone else responsible for security as well, we have services that help the website owners and hosting providers as well.

With the information gathered from the Red Team, we provide web application firewall rules to protect websites that rely on open source code either at the site level (with the Patchstack App) or at the hosting level (with our hosting partnerships.)

wordpress vulnerabilities

This is the Patchstack Alliance, the bringing together of security researchers, developers, hosting providers, and site owners to help improve the security of open-source code.

If you are interested in joining this alliance, we would love to have you.

  • Hosting providers, we can help you protect your customer’s websites at scale.
  • Open Source Developers, we can help you write better code, we would even like to show you how to spot security vulnerabilities in open source code. Maybe you could contribute to the Patchstack Red Team with security bug reports some time.
  • Website owners, we have a free plugin that will notify you of insecure components on your websites and if you have multiple websites, or wish to support the Patchstack Alliance, we have the Patchstack App which for a small fee can automatically protect your websites from attacks and provides a slick security operations dashboard.
  • Security Researchers, we help with communicating their reports to the developers and even provide a bounty for the WordPress vulnerabilities found through our program which is funded through all of the support Patchstack gets from the paying users of our products.

Thanks and appreciation

This week’s thanks go out to the supporters of Patchstack’s work. Hosting providers partners who pay for access to our vulnerability intelligence feed like (Gridpane, Pagely, or Plesk), developers who have paid for security audits or a featured listing on the Red Team bug bounty program, Patchstack Red Team members who support us with their time finding and reporting WordPress vulnerabilities, as well as the ever-growing number of individual website owners and agencies who are paying for the Patchstack App.

These are all the people who are not only getting protection from attacks but are supporting an alliance that has already and continues to improve the security of many open source projects.

I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!

Thank you.

Share This Article
Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.