Welcome back to the Patchstack Weekly security update! This update is for week 9 of 2022 and focuses on insecure libraries.
This week has been a heavy news week for the world, and open-source, specifically WordPress security concerns were no exception.
There are 5 plugins that have released patches for serious vulnerabilities this week, as well as over 800 plugins that Patchstack recently identified as including insecure libraries used in their codebase. So, I will keep a lot of this week’s updates fairly brief.
A quick note on the more serious news which is still unfolding in Ukraine. Patchstack has set up a hub for businesses and security experts who are looking to help Ukrainian NGOs during this troubling time. If you would like to learn more, please check out UACyberHelp.com
In this week’s knowledge share, I will talk about insecure libraries: one specific library that is being used by hundreds of WordPress plugins, what the developers can do about it, and what site owners can do to check whether they are affected.
In this week’s vulnerability news, 5 WordPress plugins patched high-risk vulnerabilities: 3 of them were SQL injection vulnerabilities, 1 was a remote code injection, and the final one is an arbitrary file deletion vulnerability.
Starting with the 3 SQL injection vulnerabilities: users of the 5 Stars Rating, Commons Booking, or Event Manager and Ticket Selling for WooCommerce plugins should update as soon as possible to protect their sites.
- Event Manager and Tickets Selling Plugin for WooCommerce – SQL Injection <= 3.5.7
- CommonsBooking – Unauthenticated SQL Injection <= 2.6.7
- 5 Stars Rating Funnel – Unauthenticated SQL Injection <= 1.2.49
Additionally, users of the Advanced Contact Form 7 DB plugin should make sure their sites have this week’s patch applied. This patch addresses an arbitrary file deletion vulnerability, something you certainly do not want to leave your sites exposed to.
Finally, users of the WPCargo Track and Trace plugin should update their plugin to protect their sites against an unauthenticated remote code execution vulnerability. According to the plugin’s changelogs, it appears the developer updated a library to address this.
Talking about libraries, Patchstack has become aware that numerous WordPress plugins are using an out-of-date version of the Freemius library which contains known security vulnerabilities.
The developers of the Freemius library have patched their code to address a number of security issues, however, not all of the developers using this library have updated the version they are including in their projects.
Developers need to check whether their projects use the Freemius library and, if they do, make sure it is updated to the most recent release to keep their code secure.
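One way to do that check across a whole plugins directory, written here as an added example rather than Patchstack’s or Freemius’ own tooling. It assumes the Freemius WordPress SDK declares its version in a bundled start.php as $this_sdk_version = '...' (an assumption about the SDK layout, not something this post states), and the minimum safe version passed in is a placeholder to be replaced with the current patched release:

```python
import re
import tempfile
from pathlib import Path

# Assumption (not from the post): the Freemius WordPress SDK ships a start.php
# containing a line such as  $this_sdk_version = '2.4.3';
VERSION_RE = re.compile(r"\$this_sdk_version\s*=\s*'([0-9][0-9.]*)'")

def parse_version(text):
    """'2.10.0' -> (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split(".") if p)

def find_freemius_copies(plugins_dir):
    """Yield (plugin_slug, sdk_version) for every bundled SDK copy found."""
    plugins_dir = Path(plugins_dir)
    for start_php in plugins_dir.rglob("start.php"):
        try:
            src = start_php.read_text(errors="ignore")
        except OSError:
            continue
        match = VERSION_RE.search(src)
        if not match:
            continue  # some other start.php, not the Freemius SDK
        slug = start_php.relative_to(plugins_dir).parts[0]
        yield slug, match.group(1)

def audit(plugins_dir, min_safe_version):
    """Return {slug: (version, outdated)} for each plugin bundling the SDK."""
    floor = parse_version(min_safe_version)
    return {slug: (ver, parse_version(ver) < floor)
            for slug, ver in find_freemius_copies(plugins_dir)}

def build_sample_site():
    """Constructed fixture: two plugins bundling different SDK versions, one decoy."""
    root = Path(tempfile.mkdtemp())
    for slug, sub, ver in [("plugin-a", "freemius", "2.4.3"),
                           ("plugin-b", "vendor/freemius", "2.3.0")]:
        sdk_dir = root / slug / sub
        sdk_dir.mkdir(parents=True)
        (sdk_dir / "start.php").write_text(f"<?php\n$this_sdk_version = '{ver}';\n")
    (root / "plugin-c").mkdir()
    (root / "plugin-c" / "start.php").write_text("<?php // unrelated bootstrap\n")
    return root

if __name__ == "__main__":
    # "2.4.0" is a placeholder floor; substitute the actual patched SDK release.
    for slug, (ver, outdated) in sorted(audit(build_sample_site(), "2.4.0").items()):
        print(f"{slug}: Freemius SDK {ver} {'OUTDATED' if outdated else 'ok'}")
```

Point it at a real wp-content/plugins directory to list every plugin that bundles its own SDK copy and flag the ones below the floor you supply.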
The difficulty of patch distribution
The importance of patching insecure components is well known to WordPress site owners. That is why site owners who take security seriously choose to run the Patchstack plugin on their WordPress websites. They can even set it up to send notifications if any components have known flaws in their websites.
Security done right makes it easy to be secure. However, things are a bit harder for developers. It isn’t so easy to regularly monitor the libraries for security bugs as well as your own project’s bugs.
Developers commonly use libraries in their code to add functionality. In the case of the Freemius library, developers have added the library for a host of WordPress-specific functionality.
A library included in a project is made of PHP code, and the code will have bugs; some of those bugs will be security bugs.
In the case of the Freemius library, the developer has addressed a number of security bugs regularly and swiftly after becoming aware of them. This sounds like great news, but it is not the end of the story.
Developers still need to update the library in their code as well. If the projects including this library do not update their copies of the library to a secure version, then there is nothing the Freemius developer can do to force this.
I guess they could shout very loudly about how insecure their code is … which uhm might send the wrong message and is probably the worst idea for public relations ever.
It would be better to simply inform the developers who use this library of the important security update (such as in the changelogs and on their blog), and that appears to be what the Freemius developer has done. The problem is, not all developers have gotten the message, which brings us to today.
Investigating the Freemius plugin vulnerabilities
In the last week, while investigating the Freemius plugin vulnerabilities, we found that many plugin developers have updated, but many more are still running insecure versions of this library.
The Patchstack team is going to reach out to all of the open-source projects affected by this issue and inform their developers of the importance of updating the Freemius library in their projects.
Patchstack will also be updating the database to add entries for hundreds of insecure WordPress components and their affected versions once we start seeing some projects getting updates. You can expect to see a lot more vulnerabilities not only reported but patched in open-source components in the next few months.
I strongly recommend enabling automated updates if you can do so safely. If you cannot, setting up automated vulnerability monitoring with the Patchstack plugin or subscribing to our vulnerability intelligence feed will save you a lot of time and effort staying up to date with the blizzard of security updates that will be coming soon.
Thanks and appreciation
This week’s thanks go out to the developers of the Contact Form 7 DB plugin, the WPCargo Track and Trace plugin, the 5 Stars Rating Funnel plugin, the Commons Booking plugin, and the Event Manager and Ticket Selling for WooCommerce plugin. Thank you for your diligence in securing your code!
And a pre-emptive thank you to the many developers who use the Freemius library. I will be in touch soon!
Before I go I have a quick request: if you are or know of any Ukrainian NGOs who could use assistance with their IT or online security needs, please check out UACyberHelp.com. Or, if you are a cybersecurity specialist or business who would like to offer assistance to Ukrainian NGOs at this time, please reach out on UACyberHelp.com as well.
If you would like to help via donations, the site also has a curated list of Ukrainian NGOs that anyone can donate to at this time of need.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!