Welcome to the Patchstack Weekly Security Update, Episode 62! This update is for week 11 of 2023.
In this week’s knowledge share, I will be sharing a review of Patchstack’s annual ‘State of WordPress Security’ report. This report was just released and is jam-packed with useful insights from the front lines of WordPress security.
I will then cover 3 vulnerabilities of interest in this week’s vulnerability roundup. One of these three contained a mystery I am still uncertain about.
2022 WordPress security highlights
The Patchstack team has been hard at work the last few weeks with the 2022 State of WordPress Security report. After a lot of collecting, reviewing, commenting, re-writing, collaborating, and designing, we have finally released the 2022 State of WordPress security paper.
In this week’s knowledge share, I will highlight some key facts from this paper.
Plugins lead the way
WordPress plugins still account for the lion’s share of patched security bugs in the WordPress ecosystem. This of course makes sense, as they also account for the vast majority of lines of code in the ecosystem.
The good news is the WordPress plugin ecosystem is well supported by their respective developers. The majority of developers Patchstack worked with regarding a security bug, had patches made available in short order. In one case I handled last year, the patch was made available in just a few hours!
2022 was the biggest year in security bug patches
The number of bugs reported, patched and/or addressed in the WordPress ecosystem tripled in 2022 compared to 2021.
This trend is showing the power of collaboration between security researchers and open-source software developers. This cooperation led to thousands of security bugs being patched in the WordPress ecosystem – in other words, this is how vulnerabilities get removed.
Two WordPress core bugs were left unpatched
There were two security bugs in WordPress core (one is in Gutenberg) that were publicly disclosed in 2022, but never received a patch.
Don’t worry though – while these bugs went unpatched they present a very low or no risk at all to an average website. This is due to the unlikely conditions needed to be met for exploitation, such as the requirement to break existing browser security models or exploitation and control of the DNS server a website relies on.
Hopefully, patches are merged into the WordPress core project for these bugs. But,there is no need for site owners to panic if they see them pop up in security reports.
The danger of unsupported plugins
Not all unpatched security bugs are acceptable risks though. We identified that 26% of critical severity security bugs in WordPress components went unpatched in 2022. This was due to the plugins that were unsupported or abandoned by their developers.
These plugins will remain active on WordPress websites they were installed on, which will happily display ‘no update available‘ notice in the admin dashboard. The site owners will therefore be in the dark about the risk that exists on their site, unless they have something like the Patchstack App installed to provide them with a warning.
Patchstack Alliance helping out
The Patchstack Alliance handled around 1,000 security bug reports in 2022. Some reports are still pending, but 661 of those resulted in a patch for the bug, and a more secure component (plugin or theme). Unfortunately, 87 components ended up being closed after we escalated the cases to the WordPress plugin repository – these projects have likely been abandoned and are unsupported.
The Patchstack Alliance provided support for the teams and volunteers behind open-source repositories. By handling 80% of the security reports directly with the developers, we did not need to take any of the WordPress volunteers’ time. This means less work for the teams managing the respective repositories, so they can focus on other matters.
Looking ahead
We are looking forward to what 2023 brings. With the knowledge the Patchstack team has learned over the years, we have begun offering services to help with any security pain point we spot. From notifying site owners and agencies directly with the Patchstack App, through partnerships with hosting providers that use Patchstack’s vulnerability intelligence for pro-active security warnings, as well as helping security researchers prove their skills and sometimes earn bounties through the Patchstack Alliance.
In 2022 we also started the Patchstack mVDP, as a way to help developers handle security bug reports, currently free of charge.
If 2022 predicts anything, I would say 2023 will bring a more secure WordPress ecosystem.
Vulnerability roundup
n-media-woocommerce-checkout-fields – Unauthenticated File Upload
Users of the WooCommerce Checkout Field Manager plugin are encouraged to update immediately. The recent release patches a critical risk, an unauthenticated file upload security bug. There are only a few hundred websites running this plugin, however, it looks like only 16% of them have applied this security patch so far.
Watu Quiz – Reflected Cross Site Scripting
Developers of the watu quiz plugin released version 3.3.9.1 to address a Reflected Cross Site Scripting security bug. This update does not include a changelog entry highlighting its importance so it is important you make sure this update is applied.
Postmatic – PHP Object Injection
The developers for the postmatic plugin, also known as Replyable, patched a PHP Object Injection bug months ago. This bug’s information was just publicly released, however, it is a mystery to me why the plugin appears to be listed as closed since December due to an unknown security concern.
Hopefully, the developers of postmatic/replyable are able to get their plugin back in working order soon. In the meantime though, users may want to consider looking for an alternative plugin.
Thanks and appreciation
This week’s thanks goes out to the developers of WooCommerce Checkout Field Manager, Watu Quiz, and Postmatic plugins. I see your efforts to keep your customer sites secure.
This week’s special thank you goes out to the reporters and writers who have also reviewed and covered Patchstack’s 2022 State of WordPress security paper. Authors like Nyasha Green at MasterWP and Dan Knauss of iThemes provided their own summaries and insight of what they learned from this great review of the WordPress security landscape.
If you would like to read the 2022 State of WordPress security paper just go to patchstack.com and click on the banner at the top of the page.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!
