Patchstack Weekly, Week 52: Critical Plugin Vulnerability & Backlog of Unpatched Components

Published 30 December 2021
Updated 20 July 2023
Robert Rowley
Author at Patchstack
Table of Contents

Welcome back to the Patchstack Weekly security update! This update is for week 52 of 2021.

This week marks the final week of 2021, and with the year coming to a close it is a great time to reflect on the past, present, and future. So that is the format of this week’s update.

Starting with the past, I like to take time at the end of each year to think about all that has changed in my life since the last year. I would recommend you try this as well, it only takes a few minutes and the only recommendation I would have is to start with the positive.

Think back to successful projects that have come to completion, new skills learned, perhaps recall any pivots that you made to change the direction of your life or company, and goals you reached. You’re allowed to surprise yourself with what you have accomplished.

Feel free to pause now and take a minute to reflect on at least one good thing from 2021.

But that is enough of the past, let’s move on to the news of the present! I hope you thought of something positive because this week’s vulnerability news is for a critical plugin vulnerability in a WordPress plugin with, get this: an unauthenticated arbitrary option table update vulnerability in it.

It looks like the vulnerabilities of the past few weeks just keep on repeating themselves, so let’s get to the vulnerability news.

Vulnerability News

Critical plugin vulnerability in Shortcode Addons

Shortcode Addons <= 3.0.2 – Unauthenticated Arbitrary Option Update vulnerability

I may sound like a broken record for everyone who has caught the last few Patchstack weeklies, but here we are again. These arbitrary option update vulnerabilities just keep hitting WordPress components.

This week, the Shortcode Addons plugin has released a patch to address this issue and added proper authorization checks before the plugin updates this sensitive database table in WordPress.

Site owners are strongly encouraged to patch to version 3.0.2 as soon as possible, as its known attackers and spammers love to weaponize these vulnerabilities quickly.

It may sound a bit dreadful that this category of vulnerability (options table updates) keeps coming up in WordPress components. But, I do not dwell on the negativity of these sorts of things, instead, it’s better to look forward, toward what is within your control and what can be changed for the better.

For site owners, the change in their control is patching their software. For me, that change is sharing these weekly security updates for the WordPress community. And, for you, a kind-hearted reader, perhaps you have the ability to change things for the better as well, by telling friends in the WordPress and open source communities about these weekly security updates so that together we all can learn and grow. I know I would be grateful to you for the help.

But, enough of the present, let us look forward to this week’s knowledge share.

Weekly knowledge

Vulnerability backlog

The Patchstack Alliance (formerly Red Team) is still holding on to a backlog of vulnerable WordPress components. You can expect an update in the next few weeks.

We are still waiting on responses from the developers and we have escalated some cases. Stay tuned to the Patchstack Database, blog, and here on these weekly updates for more details.

Our hosting partners will be getting a heads up on how to protect their customers, and Patchstack App customers will be getting a firewall rule to protect their sites.

We are doing what we can to ensure site owners are protected, but, eventually, we will need to release the details on what components are vulnerable, and if the developers are not willing to patch, then the recommendation will be to find a new component.

Looking forward to 2022

For those of you who took the time earlier to reflect back on at least one positive change that you experienced in 2021, I have one more short exercise.

This time, take a moment to think about what positive change may happen in the upcoming year. You do not need to be specific, but remember when you reflected back on 2021, you know that you are capable of positive change.

critical plugin vulnerability

So, take a note (which could be a mental note, physically written down, or digital record) about what positive change you will look forward to for yourself, and think up something positive you could do for others, possibly someone close, possibly a stranger. It can be something small, but it is a good exercise to enter the new year with the mindset of bringing positive change to the world.

Thanks and appreciation

This week’s thanks go out to the developer of the shortcode addons plugin. Thank you for patching that critical vulnerability in your plugin, and protecting the site owners who rely on your code for features on their websites.

And a special thanks to Patchstack and the communities Patchstack has brought together; including the Patchstack Alliance who are diligently reporting vulnerabilities, acting as resistance fighters against threats against WordPress websites across the web.

Patchstack has also brought together a group of security-focused hosting providers like ( Plesk, Pagely, and Gridpane ), these hosting providers share key intelligence with each other and gain knowledge from our Alliance resistance, in order to better defend their customers’ websites from attacks.

Patchstack has brought these communities together in 2021, and we look forward to bringing more security researchers, bug bounty hunters, defenders, developers, and hosting providers together in 2022 to continue to fight.

I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!

The latest in Patchstack Weekly

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.