Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet).
We patch the tricks, 4.8.3
You get the treats. Boo!
The vulnerability was initially discovered by Anthony Ferrara, who worked with the WordPress security team to get the patch in place. Anthony has a great write-up covering how he discovered it. I’ll echo his statement in that I would like to see WordPress move to real prepared statements, something I’m surprised hasn’t been done already.
Other Security News
If penetration testing, bug hunting, etc. is of interest to you, I’d suggest checking out Alex Birsan’s post on how he hacked Google’s bug tracking system and was rewarded handsomely. It’s a great read on the steps he took to find the vulnerability and the thought process behind the actions he took to discover the issues.