Welcome back to the Patchstack Weekly security update! This update is for week 13 of 2022.
This week, I will talk about two high-risk vulnerabilities in two WordPress plugins with one big difference: One was patched, one was not.
In this week’s knowledge share I will share some new WP-CLI Security commands that were just added. I hope you’ve heard of WP-CLI, if not, then you are in for a nice surprise!
The Product Table for the WooCommerce plugin had an unauthenticated function call vulnerability patched this week.
I strongly suggest updating this plugin on your sites as soon as possible. This vulnerability is a high risk, as an arbitrary function means any PHP function could be running on affected websites.
The ad injection plugin is affected by two vulnerabilities, one a stored cross-site scripting, the other being more serious: Remote Code Execution.
The good news is, it appears these security bugs require high privileged accounts to exploit.
The bad news is, the plugin has not received a patch in 6 years and has been downloaded on average a dozen times a day. So, a lot of site owners are currently out of luck with no option to patch this potentially abandoned plugin at this time.
Last week I mentioned the safe SVG plugin/library, and I missed that there was a recent security patch in this library which could have led to a bypass of SVG file sanitization steps.
Looking at the changelog entry for this update also highlights the value of open-source software when it is done right. There were a dozen developers who contributed in some way to help the safe-SVG plugin with the 1.9.10 release.
These developers are likely using safe-SVG, in their projects, and are helping give back, fixing issues not just for themselves, but for everyone using the shared project.
In this week’s knowledge share, I would like to talk about the command-line tool, WP-CLI and a new set of WP-CLI security commands that were just added.
WP-CLI is a powerhouse tool for performing manual and automated tasks on your WordPress website. The only pre-requisite is, you need SSH access and the package installed, most major hosting providers such as Pagely or Cloudways have it pre-installed for you.
WP-CLI can do almost any administrative task on your website, but I want to talk with you today about some recently added security tools WP-CLI has available.
Just last week, during the Cloudfest Hackathon in Europa-Park Germany. One of the team’s projects was adding a handful of new security-specific commands to WP-CLI.
These new features were added by a great team of developers from multiple companies like Mint hosting, Cloudways, T-Systems online, Codeable, IONOS, and more.
You can find more details about WP-CLI secure commands, including credits, features, and more at HacktheWP.com
But I will list a few of the new WP-CLI secure features for you now:
One thing that these new security commands do not do is validate if a site is running a known insecure component. Lucky for us, there already is a WP-CLI feature for that.
Patchstack has its own WP-CLI command: wp-cli patchstack which you can use in conjunction with the Patchstack ThreatFeed API.
The Patchsatck WP-CLI add-on gets its data of which components are vulnerable from Patchstack’s meticulously managed database of WordPress vulnerabilities, or just the Patchstack database.
Vulnerabilities added to the Patchstack database are sourced from multiple public sources such as MITRE, as well as from the great team of security researchers who contribute bugs to the Patchstack Alliance (we also report the valid Patchstack Alliance security bugs to MITRE, to make sure this information is public.)
With both of these security-oriented features added to your WP-CLI installation, you can easily automate many of your WordPress administration security tasks.
This week’s thanks go out to the team behind WP-CLI-secure-commands, you did great at the CLOUDFEST Hackathon 2022. I look forward to seeing more.
A thank you is due for the Product Table for WooCommerce plugin developers. Thank you for releasing the patch that addressed this serious issue. Now it is up to the site owners to push the update to their websites.
Thanks go out again this week to the developers who contribute to the safe-svg plugin. There are too many to name, so check out the safe-svg changelogs yourself.
And a special thank you to everyone who supports Patchstack and our efforts. Customers, Alliance team members, and everyone who shared our white paper in a positive or negative light, and discussed it in the last few weeks. Together, we’re improving the world of open-source security.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!