This week’s list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities. Unfortunately, one of them is a repeat offender: Photo Gallery by WD, which made an appearance in the May 5, 2017 report for a SQL Injection vulnerability. This time around, it’s an authenticated path traversal issue. Now, if you’re wondering why an Authenticated Path Traversal vulnerability is an issue (they have to be an authenticated administrator, can’t they do most anything anyway?), it isn’t a vulnerability against WordPress but against the things outside of WordPress. In this case, it gives the user the ability to potentially read any file the (web host) site user account has access to. This could be other files stored in the host account outside of the WordPress installation, other accounts files (if the host hasn’t isolated accounts from each other properly), all the way to the system passwd file.
Other Security News
Apache released version 2.4.26 of the Apache Web Server earlier this week which addressed several critical vulnerabilities: mod_mime buffer overread, ap_find_token buffer overread, and ap_get_basic_auth_pw authentication bypass and mod_ssl null pointer dereference. Users of 2.4.X are strongly encouraged to upgrade to 2.4.6. These vulnerabilities also affect the 2.2.X branch and are encouraged to either apply patches to address each vulnerability, or upgrade to 2.2.33 as soon as it is released.
Episode number six of Tradecraft Security Weekly covers finding and exploiting vulnerabilities in a WordPress site using WPScan and Metasploit (both of which are included in BlackArch which I discussed last week). It’s definitely worth a watch/listen if you are interested in WordPress security.
For our Drupal friends, Drupal released an update for both the 7.X and 8.X branches that addresses one critical vulnerability (remote code execution), one moderately critical vulnerability (access bypass for uploaded files) and one less critical vulnerability. Administrators are encouraged to update as soon as possible.
Last, I’m excited to see that Wordfence has added a Removed Plugin alert to their security plugin (though they are not the first to offer this service). I have always been of the opinion that WordPress should notify you when you are using a plugin that is no longer available in the public repository (though the WordPress core team disagrees). Currently, if you are using a plugin in your site that has been removed from the public repository, for any reason, as the site owner you do not receive a notification of any kind. This means you could be running a plugin that has an actively exploited vulnerability, or a plugin that has been abandoned. As an administrator you need to know when a plugin’s status has changed so you can make an informed decision about what to do. It’s one of the main reasons why I started the vulnerable plugins report to begin with: so site owners have some indication of when a plugin they are using has an issue. Given Wordfence’s install base, I applaud Wordfence for including this information in the free version of their plugin to get this vital information out to as many people as possible.