Welcome back to the Patchstack Weekly security update! This update is for week 10 of 2022 it is the beginning of March.
In this week I will cover a few high-risk vulnerabilities found in WordPress components, give an update on the insecure old Freemius library situation and discuss last month’s additions to the Patchstack database.
Vulnerability news
Limit Login Attempts (Spam Protection) <= 4.9.1 Unauthenticated SQLi
The Limit Login Attempts plugin, used from spam protection received multiple updates this week. Each update was focused on securing the code against an unauthenticated SQL injection vulnerability.
I see in the source code they have added some great authorization checks something I spoke about right here in the Patchstack Weekly in week 45 of 2021 and they have added a few sanitizing functions to clean up variables before adding them to the SQL query string.
This is not as ideal as preparing the SQL query string would be better, I spoke about it in the Patchstack Weekly a few weeks ago but it looks like it will work for their needs.
Narnoo Distributor plugin – Unauthenticated LFI resulting in RCE
The Narnoon Distributor plugin, unfortunately, received no patch for an unauthenticated Local File Inclusion vulnerability, which may also result in Remote Code Execution. It appears this plugin has been abandoned, as it has been over 2 years since the developer last added an update to the plugin’s codebase.
There are likely very, very few users with active installations of this plugin, however, if you are one of them you will need to find an alternative solution ASAP.
Influx of new vulnerabilities added to the Patchstack database
In February 2022 the Patchstack database added over 1,800 new vulnerability entries. This colossal number was due to the old Freemius library found in many WordPress components.
It is strongly recommended site owners have a plan in place to detect if their sites are utilizing any components with insecure versions of the Freemius library in them.
Knowledge is power, and receiving timely intelligence of security vulnerabilities from a trusted source is how you can address these vulnerabilities before they result in a site compromise.
The Patchstack App or free Patchstack plugin can be a way to easily get this knowledge directly in your WordPress admin dashboard.
Weekly knowledge about Freemius library
In this week’s knowledge share I will talk a little more about the Freemius library updates, and why having a trustworthy ally in the fight to defend your website against attacks. This is an important decision to make before you need it, because if you delay then it may be too late to protect sites from compromise.
WordPress plugin developers are rushing to push patches to address the old, insecure Freemius library in their code, this shows they are aware of the issue and are taking action.
The WP.org plugins team has taken the lead on notifying the developers of affected plugins, informing them they need to update the Freemius plugin library in their codebases.
We can see the early signs of success too, there has been a steady uptick in affected plugins getting patches in the last week.
Patchstack has been paying close attention
Patchstack has been paying close attention to the affected plugins, and we are regularly updating our database entries to include data on which version received the patch. This database powers our vulnerability intelligence, used by hosting partners and the Patchstack App.
WordPress site owners can benefit from this intelligence by simply installing the free Patchstack plugin on their websites and regularly checking if they are running insecure components.
If you are relying on automatic updates of your WordPress components, that may not be enough. As we saw this week with the Narnoon Distributor plugin.
Sometimes developers abandon their projects and provide no updates. We expect a number of plugins in need of updating their old, insecure, Freemius library may be abandoned projects and those projects will not receive a patch.
These insecure plugins will likely be removed from the WP.org plugin repository to protect users from downloading and installing them on websites, but they will continue to run and be insecure on sites that already have the insecure plugins installed. No updates will be made available, and those sites will continue to run the insecure code.
This is why, having a security ally on your side, someone who is regularly monitoring open-source components for security issues and maintains a database of intelligence on those security issues is a valuable resource to have.
Patchstack would like to be your ally and help you defend your sites from attacks, our focus is on stopping the attackers not charging you for clean-ups after the fact, and we are just a plugin installation away for your websites to benefit from our efforts.
Thanks and appreciation
This week’s thanks go out to the developers of the Limit Login Attempts plugin for working hard on multiple patches to address that SQL injection vulnerability reported in their plugin.
I also can not thank the WP.org plugin team enough. They have taken the initiative in notifying hundreds of developers who have plugins affected by the insecurities in older Freemius library versions and given them the information needed to take action to secure their code.
I also know they will be putting in a lot of time doing follow-ups, and in some cases removing plugins if they have been abandoned.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!