Blog: Vulnerable WordPress Plugins Report for the Week of April 5, 2019

Vulnerable Plugins

There are twenty-two items on the list this week, with six unfixed. The issue with the most visibility this week, by far, was the controversy surrounding the Pipdig Power Pack (P3) plugin. If you're not familiar with what happened, I would suggest reading the write-up by Wordfence and the extremely thorough write-up by Jem Jabella.

View this week’s vulnerable plugins list.

Other WordPress Security News

It was discovered earlier this week that the official WordPress.com iOS app was leaking its authentication token. If you're a user of the application, you should update to version 11.9.1 as soon as possible.

Other WordPress News

As of version 5.2 (due out at the end of this month), the minimum PHP requirement is being moved up to version 5.6.20. Given that PHP 5.6 reached end-of-life at the end of 2018, we'll hopefully see the minimum PHP requirement bumped up to version 7 sometime later this year.

Other Security News

Earlier this week, the Apache Software Foundation released version 2.4.39 of the Apache HTTP Server, which fixes a privilege escalation issue present in versions 2.4.17 through 2.4.38. This is particularly worrisome in shared web hosting environments with untrusted users that have the ability to create scripts (PHP, Perl, etc.).

GNU released version 1.20.2 of wget, which addresses an unspecified buffer overflow vulnerability.

It was disclosed earlier this week that a flaw in the Closure JavaScript library used by Google Search, Docs, Maps, etc. left the search engine (and likely other Google products) open to a cross-site scripting vulnerability in the fall of last year and again earlier this year.

WPCampus

In case you missed the announcement, the dates and location for WPCampus 2019 have been officially released: July 25-27 at Lewis & Clark College in Portland, Oregon!!! The call for speakers is open until May 3rd, so get your submissions in ASAP!


Paul Gilzow

Programmer Analyst, University of Missouri. @gilzow. http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
