Welcome back to the Patchstack Weekly Security Update! This update is for week 25 of 2022.
This week's knowledge share will include some tips for WordPress site owners on what to look out for when choosing secure plugins.
I will also share vulnerability news, with one critical issue to discuss which may have already been patched, as well as highlighting the concerning trend of security bugs not receiving patches.
How can you be sure that the plugins you choose (or are already running) on your WordPress websites are safe to use, worthy of your trust, and have a mature attitude toward security?
These tips will help you answer those critical questions. They will also help you avoid the plugins that may be hiding security patches or plugins which may have been abandoned.
Developers for open source projects are giving their time to build a project that is likely available at no cost to the users.
An open-source plugin could be written in someone's spare time, or be someone's full-time job, and both are great.
What you want to avoid, is a project that has been abandoned.
Here are some places to look to see how active the developer(s) are in the project they released:
I talked about the importance of Communicating Security before, and included an example of what happens when developers hide security patches.
Spoiler: it means fewer people patch or it takes longer for them to apply the security patch. Which is not a good thing.
Vendors with a mature security practice communicate security issues clearly when they come up.
Most open-source and smaller projects can show they have a mature security practice by simply including security patch notes in the project's changelogs.
You can check the plugin's changelogs in the WordPress.org Repository easily by clicking on the "Development" tab.
If the plugin is available through another marketplace, such as Envato, you can still find a changelog, but it may be at the bottom of the plugin's description, or on the plugin's website or GitHub. Do a little digging, and bookmark the page when you find the project's changelog.
It will be worth it, so you can frequently check back for security issues.
A vulnerability disclosure policy is the peak of security maturity.
These policies outline how security researchers should communicate with the project if a security bug is found.
Projects that have a vulnerability disclosure policy receive security reports in private and have the resources to handle these reports.
This is extremely helpful for security researchers because it lets them know who (and how) to contact about a security issue. It also sets the expectation that the developer wants to hear about these reports, so they can take action to protect their end-users.
Without a vulnerability disclosure policy though, a lot could go wrong.
Researchers could just report the bug publicly, citing no public point of contact. If the researchers report the bug to the respective repository, the project could be removed until a patch is put in place. This harms both the websites that use the project and the project's trustworthiness too.
This week, the Ninja Forms developers patched a critical security bug that could have led to attackers being able to run methods for any Class or Object within a website's code base.
This is limited code execution, but still very dangerous.
The developers reached out to the WordPress.org plugins team volunteers and informed them of the high risk this security bug could pose. The volunteers are WordPress.org agreed the bug was high risk and warranted a forced update on all sites running insecure versions of Ninja Forms.
These forced updates are rare, but when a critical security bug that could execute code with a single unauthenticated request is found in a plugin on one of your websites, you'll be happy the process exists.
Most security bugs in WordPress components receive patches, but not all. When a developer abandons a project, then nobody is around to provide security patches.
This is unfortunately may be the case this week for the following WordPress plugins, which were closed (temporarily) until their plugin authors are able to review their code and apply security patches.
If you are using any of the following plugins on your website, you may want to disable or remove them - until you have time to find an alternative plugin, or until the developers provide a functional security patch.
This week's thanks goes out to the developers of the Ninja Forms plugin, thank you for pushing that security bug patch. And a special shout-out thank you to the WordPress.org volunteers, who reviewed and approved pushing the update for the over 1 million Ninja Forms plugin website owners out there. That certainly protected many websites from compromise this week.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!