Nope, today is not friday (sorry). I’m going to be out-of-town tomorrow so I’m doing this week’s report a day early. I’ll also be out next week; as such, there will be no report next week on the 21st. If there are numerous disclosures while I’m out, I’ll do a report shortly after I return. Otherwise, I’ll combine next week’s disclosures into the report on the 28th.
Maybe most security researchers are on vacation right now as there is only one plugin this week, and it’s a repeat from last month: WP Live Chat Support. It appears there was one additional area in the code related to the previous disclosure the author missed and has now corrected.
Other Security News
Wordfence released their monthly WordPress Attack Report yesterday. If you’ve never read one of their monthly report, it contains information on attack traffic and patterns that they’ve seen against their clients over the last month. It’s fantastic information to see, on a much larger scale than most of us have access to, of what and how attackers are targeting WordPress, and I really wish more companies in this space would share their information with the public. Most of the information in this report reinforces that you need to make sure you are keeping your themes and plugins up-to-date (the vast majority of attacks are targeting vulnerabilities that were disclosed years ago), and you are using strong passwords and/or two-factor authentication. One interesting piece of information is that my favorite vulnerable plugin, WP Mobile Detector, was back up to number 1 again in the top targeted plugins (if you saw my Access Denied presentation at WPCampus 2016, you’ll remember WP Mobile Detector was the plugin I used in order to compromise a server).
In other general security news, earlier this week, a fascinating article was released over on The Hacker Blog: The .io Error – Taking Control of All .io Domains With a Targeted Registration. TL;DR – The author was able to take over namespace servers for the ccTLD domain .io. Given the .io domain’s popularity, especially among tech start-ups, this could have been disastrous.
Other WordPress New
As I mentioned last week, v4.8.1 update is being worked on. The bugs scrubs are coming along on time and a beta release of the update is scheduled for Monday, July 17th, a Release Candidate scheduled for Thursday, July 20th and the public release on Tuesday, August 1st.