Vulnerable Plugins

Six disclosures this week, with three issues unfixed.

View this week’s vulnerable plugins list.

The most interesting disclosure this week, in my opinion, is the one for the Animated Weather Widget plugin, reported by WordFence.  The plugin itself did not contain a vulnerability, but it generated an iframe whose content came from weatherfor.us, and that content included cryptomining code.  This isn’t the first time we’ve heard of cryptomining software being snuck onto a WordPress site, nor the first time it has shown up on other types of sites, but it is the first time I’ve heard of it being snuck in this way.  It should be a wake-up call to any plugin or theme developer who includes code, whether JavaScript or HTML, from other sites: you have to inspect that code’s contents diligently before exposing it to your users, and keep inspecting it, because the remote site can change what it serves without any change to your plugin.
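The kind of check that paragraph calls for, as an added example that is not code from the post or from the plugin it discusses: fetch the HTML a widget would iframe, pull out every script it carries, and flag scripts loaded from hosts you did not expect plus inline scripts that combine several traits common to browser miners. The sample HTML, the host names, and the indicator list are constructed for illustration; the indicator patterns are heuristics, not a definition of what a miner is.

```python
"""Audit third-party HTML before a plugin embeds it for site visitors.

Added example; not code from the post or from any plugin it mentions.
The sample HTML and host names are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Traits common in browser-based miners. Each one also appears in legitimate
# code; several of them together inside a "weather" widget deserve a look.
MINER_INDICATORS = {
    "webassembly": re.compile(r"\bWebAssembly\b"),
    "worker": re.compile(r"\bnew\s+Worker\s*\("),
    "cpu_count": re.compile(r"navigator\.hardwareConcurrency"),
    "socket": re.compile(r"\b(?:wss?|stratum\+tcp)://"),
    "throttle": re.compile(r"\b(?:throttle|hashesPerSecond)\b", re.IGNORECASE),
}


class ScriptExtractor(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._buf = None     # accumulates the current inline body

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> content as raw data, possibly in chunks
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_embedded_html(html, expected_host):
    """Return findings to review before iframing `html`.

    expected_host: the only host the widget is supposed to load scripts from
    (an assumption of this example; set it to the widget provider's host).
    """
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()

    unexpected = []
    for src in parser.external:
        host = urlsplit(src).hostname
        # relative URLs (host None) resolve to the widget host itself
        if host is not None and host != expected_host:
            unexpected.append(src)

    suspicious_inline = []
    for body in parser.inline:
        hits = sorted(name for name, rx in MINER_INDICATORS.items() if rx.search(body))
        if len(hits) >= 2:
            suspicious_inline.append(hits)

    return {
        "external_scripts": parser.external,
        "unexpected_script_hosts": unexpected,
        "suspicious_inline": suspicious_inline,
        "safe_to_embed": not unexpected and not suspicious_inline,
    }


# Constructed sample of what an iframe target might return; not the real
# content of any site named in the post.
SAMPLE_HTML = """<html><body>
<div id="wx">Columbia, MO: 54F, cloudy</div>
<script src="https://widget.example/js/weather.js"></script>
<script src="https://cdn.attacker.example/lib.js"></script>
<script>
  var threads = navigator.hardwareConcurrency || 2;
  var ws = new WebSocket("wss://pool.attacker.example/proxy");
  for (var i = 0; i < threads; i++) { new Worker("worker.js"); }
  WebAssembly.instantiate(wasmBytes, {});
</script>
</body></html>"""

if __name__ == "__main__":
    report = audit_embedded_html(SAMPLE_HTML, "widget.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run this against the remote URL on a schedule, not just once at release time; the point of the disclosure is that the embedded page changed while the plugin did not. A safer design, where the provider offers it, is to fetch the weather data server-side and render it yourself so no third-party script ever reaches your visitors' browsers.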

Other Security News

I’m not a sysadmin, so I don’t pay as close attention to disclosures in the rest of the stack as I do to disclosures in the application layer.  However, I noticed recently that a buffer overflow vulnerability was disclosed in many versions of PHP and patched at the end of October. If your institution is like mine, it only patches servers once a month.  In this case the patch was released after October’s patch window and well before November’s. I would encourage you to check which PHP version your institution has installed and work with your system administrator(s) to do an emergency patch if you are running a vulnerable version.
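One way to do that check, as an added example rather than anything from the post: parse the first line of `php -v`, look up the installed branch in a table of first-fixed patch levels, and report whether the box is below the fix. The post does not name the fixed PHP releases, so the table values below are placeholders (labelled as such) to be filled in from the advisory, and the sample `php -v` output is constructed.

```python
"""Classify an installed PHP version against the first patched release.

Added example, not from the post. FIXED_PATCH_LEVEL holds placeholder
numbers; replace them with the first fixed release of each branch from
the advisory before relying on the result.
"""
import re
import shutil
import subprocess

VERSION_RE = re.compile(r"^PHP\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Placeholder values (an assumption of this example, not advisory data):
# branch (major, minor) -> first patch level that carries the fix.
FIXED_PATCH_LEVEL = {
    (7, 1): 11,
    (7, 0): 25,
    (5, 6): 32,
}


def parse_php_version(php_v_output):
    """Return (major, minor, patch) from `php -v` output."""
    m = VERSION_RE.search(php_v_output)
    if not m:
        raise ValueError("no PHP version found in output")
    return tuple(int(x) for x in m.groups())


def classify(installed, fixed_by_branch):
    """Return 'vulnerable', 'patched', or 'unknown-branch'.

    Distro packages often backport fixes without bumping the upstream version,
    so 'vulnerable' here means "check with your sysadmin", not a confirmed hole.
    """
    branch = installed[:2]
    if branch not in fixed_by_branch:
        return "unknown-branch"
    return "patched" if installed[2] >= fixed_by_branch[branch] else "vulnerable"


def installed_php_version():
    """Run `php -v` on this host; None if php is not on PATH."""
    if shutil.which("php") is None:
        return None
    out = subprocess.run(["php", "-v"], capture_output=True, text=True, check=False)
    return parse_php_version(out.stdout)


# Constructed sample of `php -v` output for an offline run.
SAMPLE_PHP_V = """PHP 7.1.10 (cli) (built: Oct  3 2017 10:47:16) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
"""

if __name__ == "__main__":
    version = installed_php_version() or parse_php_version(SAMPLE_PHP_V)
    print("PHP %d.%d.%d: %s" % (*version, classify(version, FIXED_PATCH_LEVEL)))
```

The branch table matters because PHP ships fixes to several release lines at once; comparing a 7.0.x box against the 7.1.x fix would give the wrong answer. The `unknown-branch` result covers end-of-life lines that get no fix at all, which is its own reason to talk to the sysadmin.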

Paul Gilzow

Programmer Analyst, University of Missouri
@gilzow
http://missouri.edu/
Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
