Welcome back to the Patchstack Weekly security update! This update is for week 23 of 2022.
It is the beginning of June, and WordCamp Europe is underway as I write this. WordCamps are the in-person community events for the WordPress community, and WordCamp Europe 2022 is the largest to be run in the last 2 years. This is a sign of the return of, and importance of community events.
So, on that note, this week's weekly knowledge share will be about community (and I will have a special announcement at the end.)
I will start with this week's vulnerability news first though, which will be about two vulnerabilities in WordPress plugins of which neither have a security patch available at this time.
This new plugin, just a few months old, unfortunately, has an unauthenticated arbitrary file upload security bug in its code base.
It appears this is the developer's only plugin in the WordPress.org repository, and the plugin has a small installation base of only a few hundred websites using it, so the overall impact is low.
However, the developer of HTML2WP may not have enough time to address this security bug right now, so the plugin has been temporarily (possibly permanently) removed from the repository. I do hope they can find the time to apply a patch soon.
Users of the Browser and Operating System finder plugin which benefited from its automatic browser and operating system detection (which is handy for designers, for cross-platform compatibility) should be cautious and consider replacing the plugin.
While the severity of this vulnerability is not critical, it is unlikely you wish to allow unauthenticated users to reset the plugin's settings with a single request, so you may wish to disable, find a replacement, or reach out to the developer and ask nicely if they have the time (or need the help) to apply a patch.
This week's knowledge share topic is community. Many people in the WordPress ecosystem are just now returning from WordCamp Europe, so I felt community is an apt topic to dig a little more into this week.
I will why people gather, what we gain, and what is needed for a community to thrive.
WordCamps are a great example of one aspect of WordPress communities, but there is also Slack, Forums, and Blogs that keep people in the WordPress ecosystem connected as a community.
Any time people come together to communicate and work toward a common goal, that is community. The internet really helps with building communication channels, and therefore communities.
Building communities is something inherent in being human as well. Either join an existing community or strive toward building new ones. When like-minded people, with a shared goal, come together they naturally create this thing we call community.
A healthy community starts with a goal of helping out others, at least at the start. There must be a reason people seek out the community, and offering to help others is where most good communities start.
Community comes from the interactions between the individual participants. Together, they begin identifying and fixing the problems which are related to that shared goal that caused them strife as individuals before.
It is in the act of being together, supporting one another, and sharing experiences and expertise. That creates a healthy and helpful community.
In turn, these helpful communities will attract more and more people. People who need support, people who want to give help, people who see the shared goal as a solution to a problem they have, and people who see that the community is worth their time and effort.
The shared goal is key when it comes to WordCamps or WordPress itself. The shared goal is the improvement of the WordPress project, as well as the people within it. It is one of the reasons Patchstack staff was at WordCamp Europe just this last week, we share the goal of improving the WordPress community.
Patchstack's goals are to help open-source developers with the security of their projects. We also bring experts together in the community via private communication channels, where we discuss security issues, and problems, and work toward a shared goal: a more secure open-source ecosystem.
Patchstack plans to do more though, we want to share some of these private security conversations with the public. We will be recording the conversations and hope to answer questions about common topics, that affect the community (be it security or otherwise).
We are extending an open invitation to anyone with the shared goal of a more secure open-source ecosystem to participate in a community effort to communicate their knowledge, give help, and hopefully work toward a shared goal of improving the security of open-source projects.
If you would like to join us in one of these conversations, please reach out.
Stay tuned to the Patchstack website, and social media (Facebook, Twitter, Linkedin) as we release a few special recordings between us and people in the community who want to improve open source security for all.
This week's thanks go out to the helpful members of the WordPress community. Volunteers, organizers, contributors, and businesses.
This community is large, and it wouldn't be as large without the help of the innumerable people, past and present, who have helped each other out working toward the shared goal of improving the WordPress community. Thank you all.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!