WPCampus is excited to launch a large-scale research project on “the state of WordPress in higher education” in partnership with our friends at Human Made. This project aims to spotlight the challenges, goals, frustrations, hopes, and dreams of people working with WordPress in higher education. We'll examine organizational considerations, tech stacks, governance, and much more.…
The WPCampus Community Blog
About the blog
The WPCampus Community Blog is the place for all primary and essential announcements related to our organization and community's growth.
If you're interested in helping plan our community, participate in surveys or looking for leadership and volunteer opportunities, visit the WPCampus Planning Blog.
Blog posts
Board of Directors Meeting Minutes: December 15, 2023
Meeting date/time: Friday, December 15, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Guests: Bret Farley, Kevin Grimley Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Goals Vote on a change to the organization…
Board of Directors Meeting Minutes: November 17, 2023
Meeting date/time: Friday, November 17, 2023 at 3:30pm Eastern Attendees: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Guests: Kevin Grimley, Jason Woodward Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Identify reviewers for the…
Join WPCampus on July 18 for free “Discover Enterprise WordPress on a University Budget” event
ICYMI: WPCampus is co-hosting a free online event with Human Made next week on Thursday, July 18. The event will draw on key themes relevant to everyone working with WordPress in higher education and should provide a great preview of what's to come later this month at WPCampus 2024. You can still sign up for…
Board of Directors Meeting Minutes: October 20, 2023
Meeting date/time: Friday, October 20, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Kiera Howe, Reed Piernock, Eric Sembrat Guests: Jason Woodward Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Review and approve the Conflict of Interest. Identify reviewers for the WPCampus Bylaws.…
Board of Directors Meeting Minutes: September 15, 2023
Meeting date/time: Friday, September 15, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Kiera Howe, Dash Kees, Eric Sembrat Guests: Kevin Grimley Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Designate a WPCampus representative for HighEdWeb 2023 in Buffalo. Discuss the best method…
Board of Directors Meeting Minutes: August 18, 2023
Meeting date/time: Friday, August 18, 2023 at 3:30pm Eastern Attendees: L. Danielle Baldwin, Rachel Cherry, Reed Piernock, Eric Sembrat Guests: Shanta Nathwani Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Designate a WPCampus representative for HighEdWeb 2023 in Buffalo. Discuss the best method for…
WPCampus to co-host free event: “Enterprise WordPress in higher ed” with Human Made on July 18
As an organization, WPCampus is working to produce high-quality, informative, and engaging content that provides value to the higher education community throughout the year (and not just at our annual conference). To get the ball rolling, we are excited to announce an upcoming free event, perfect for anyone working with WordPress in higher education. Join…
Board of Directors semi-monthly meeting: 18 June 2024
The next semi-monthly meeting of the WPCampus Board of Directors is 18 June 2024 at 4:00pm (Eastern). These meetings are held on the 1st and 3rd Tuesday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The…
WPCampus 2024 housing available, early-bird pricing and call for speakers extended to May 22
Great news! We've extended the Early Bird pricing and the speaker proposal deadline for WPCampus 2024. You now have until Wednesday, May 22 to take advantage of these opportunities. We hope to see you at WPCampus 2024! Register for WPCampus 2024 Early Bird tickets are available for $175 until Wednesday, May 22. After this date, prices…
Board of Directors monthly meeting: 19 April 2024
The next monthly meeting of the WPCampus Board of Directors is 19 April 2024 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
WPCampus 2024 at Georgetown University in Washington DC from July 31 to August 2
About the event WPCampus 2024 will take place at Georgetown University from July 31 - Aug 2 for the WPCampus community, a gathering of web professionals, educators, and people dedicated to the confluence of accessibility and WordPress in higher education. WPCampus 2024 will be our eleventh conference. Visit the WPCampus conferences page to learn more…
WPCampus Board of Directors Adds Two New Members
Help us welcome Nathan Wallace and Kevin Shoffner to the Board of Directors. WPCampus is excited to announce the latest additions to our board of directors. Kevin Shoffner and Nathan Wallace have both joined the board and we welcome their contributions to our organization. Kevin Shoffner joins the board as an at-large board member, and…
Board of Directors monthly meeting: 15 March 2024
The next monthly meeting of the WPCampus Board of Directors is 15 March 2024 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Board of Directors monthly meeting: 19 January 2024
The next monthly meeting of the WPCampus Board of Directors is 19 January 2024 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Announcing location for WPCampus 2024 and search for WPCampus Director of Events
WPCampus is thrilled to announce our WPCampus 2024 conference location: Georgetown University in Washington, D.C. We are also introducing our new Job Board, our search for a new Director of Events, and changes to our leadership model.
Board of Directors Meeting Minutes: July 21, 2023
Meeting date/time: Friday, July 21, 2023 at 3:30pm Eastern Attendees: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Follow up on the 2023 conference. Charter the 2024 conference location…
Board of Directors monthly meeting: 15 December 2023
The next monthly meeting of the WPCampus Board of Directors is 15 December 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Board of Directors Meeting Minutes: June 16, 2023
Meeting date/time: Friday, June 16, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Kiera Howe, Dash Kees, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Discuss the Board’s decision regarding the organization’s disconnection with Pantheon, and how to create and announce…
Board of Directors monthly meeting: 17 November 2023
The next monthly meeting of the WPCampus Board of Directors is 17 November 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Board of Directors Meeting Minutes: May 19, 2023
Meeting date/time: Friday, May 19, 2023 at 3:30pm Eastern Attendees: Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Guests: Jose Debuchy, Joni Halabi Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Review the Code of Conduct.…
Board of Directors Meeting Minutes: April 21, 2023
Meeting date/time: Friday, March 17, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Address Pantheon's current statement regarding their hosting of hateful sites, and create…
Board of Directors Meeting Minutes: March 17, 2023
Meeting date/time: Friday, March 17, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Approve the final charter for WPCampus 2023 conference. Discuss the addition of…
WPCampus is searching for a host for the 2024 Conference
Interested in bringing the annual WPCampus conference to your campus this summer? Let’s talk! WPCampus is inviting interested schools to apply to host the 2024 annual WPCampus conference. WPCampus is a community of web professionals, educators, and people dedicated to the confluence of WordPress and accessibility in higher education. The WPCampus annual conference is a…
Board of Directors monthly meeting: 15 September 2023
The next monthly meeting of the WPCampus Board of Directors is 15 September 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Board of Directors monthly meeting: 18 August 2023
The next monthly meeting of the WPCampus Board of Directors is 18 August 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Board of Directors monthly meeting: 21 July 2023
The next monthly meeting of the WPCampus Board of Directors is 21 July 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
WPCampus Announces Termination of Partnership with Pantheon
In light of Pantheon's decision to host the web presence of hate groups, the WPCampus Board of Directors has unanimously voted to terminate WPCampus' partnership with Pantheon. WPCampus and Pantheon have had a longstanding relationship since our formation, with their sponsoring of WPCampus events, and with donating hosting services for our web presence. These contributions…
Announcing the WPCampus 2023 accessibility keynote with Anna Cook
The WPCampus 2023 planning committee is thrilled to announce that Anna Cook, a Senior Inclusive Designer at Microsoft, will join us in New Orleans to present the first-ever keynote presentation at a WPCampus conference. At WPCampus, our organization (and conference) has three areas of focus: WordPress, accessibility, and higher education. But accessibility is much more…
Board of Directors monthly meeting: 19 May 2023
The next monthly meeting of the WPCampus Board of Directors is 19 May 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…
Announcing the WPCampus 2023 schedule
Early bird pricing ends on Monday, May 8 We know how challenging it can be to deal with budgets in a higher education environment. Since we are just now releasing the schedule, we are granting one more business day to grab early bird pricing. Pro tip: use the $50 you save on the general admission…
WPCampus 2023 to be hybrid event, in-person and remote proposals due Friday
Format of past events For past in-person WPCampus events, we have always live-streamed our sessions during the event and published them online for free (you can access our content in the WPCampus Learning Library). Otherwise, we have limited the majority of interactions at our in-person events to our in-person attendees. We mostly contained the event…
Introducing WPCampus’ Inaugural Board of Directors
In April 2022, Rachel Cherry announced she was stepping down as the Director of WPCampus. WPCampus formed a community working group to design, implement, and lead our community transition toward a new governance model. The goal of the WPCampus Leadership Transition working group was to define and implement a new baseline leadership model for the…
Board of Directors Meeting Minutes: February 10, 2023
Meeting date/time: Friday, February 10, 2023 at 1pm Eastern Attendees: Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Charter the committee for the 2023 conference. Schedule monthly meetings. Finalize publication procedure for board meeting minutes. Establish…
Registration for WPCampus 2023 will open February 22, 2023
The WPCampus community is thrilled to announce that registration for WPCampus 2023 will open next week on Wednesday, February 22, 2023. And registration won’t be the only thing up for grabs: you will also be able to reserve your on-campus lodging, respond to our call for presenters, and become a sponsor. Visit the WPCampus 2023…
Seeking coordinators for the WPCampus 2023 planning committee
Hello, friends! WPCampus has been patiently waiting to host an event in New Orleans, and we are thrilled to head to Tulane University in New Orleans (USA) on July 12-14, 2023 (Wednesday – Friday) for WPCampus 2023, our annual (sometimes online, sometimes in-person) summer conference. WPCampus 2023 will be our fourth attempt to host an…
Opening nominations for WPCampus Board of Directors
In April, Rachel Cherry announced she was stepping down as the Director of WPCampus. Since the announcement, WPCampus formed a community working group to design, implement, and lead our community transition toward a new governance model. Our community is so grateful for all the time and energy donated by the transition working group. This group…
WPCampus 2022 will not take place, dates set for July 12-14 2023
Hello everyone, and happy summer! I come bearing great news, a piece of bad news, and an update on our leadership transition process. WPCampus 2022 will not take place The bad news is that, as I'm sure you have guessed by now, we will not have an event in September. WPCampus 2022, our annual in-person…
A transition for WPCampus leadership and dates for WPCampus 2022
Hello dear friends and WPCampus community members. It has been quite some time since I shared an update. I hope 2022 has been good for you. A lot of intense things are going on right now. I hope you're taking care of yourself. I have two significant announcements for you. I will do my best…
WPCampus 2021 Online recordings are now available
The video recordings from the WPCampus 2021 Online presentations are now available and accessible via the event schedule. All videos are captioned and will soon include full transcripts. Planning ahead for WPCampus 2022 COVID-pending, we hope we will be able to gather in person at Tulane University in New Orleans, Louisiana for WPCampus 2022. The event…
Submit a matching donation and help WPCampus support others
One of our WPCampus traditions is to use the “previously allocated to swag” portion of our event planning budget to support a nonprofit organization. Swag is fun, but it can be wasteful. We choose to use those funds to help people in and outside of our community. Traditionally, we sponsor a fundraising campaign to support…
Nominate someone (or yourself) for a WPCampus 2021 Online panel
WPCampus 2021 Online is right around the corner and the organizing committee needs your help to nominate panelists for two conference sessions. If you would like to participate or would like to nominate someone else who you think would be a good fit, we encourage and ask you to fill out our nomination form. Registration…
Announcing the WPCampus 2021 schedule, opening registration
The WPCampus community is thrilled to announce the schedule for WPCampus 2021 Online and open registration. The event will take place September 21-22, 2021. Register for WPCampus 2021 Online What's different for WPCampus 2021 Online We had so many outstanding proposals for this year's online event that we had to add a third track and add a second round…
Call for WPCampus 2021 Online Volunteers and Sponsors
ICYMI: The WPCampus community has announced our 2021 conference, WPCampus 2021 Online, in an online format on September 21-22 (Tuesday-Wednesday). Here are a few updates regarding the event, including: Our call for volunteers Our call for sponsors Reminder about our call for proposals (ends May 26) Call for WPCampus 2021 volunteers WPCampus is 100% powered by volunteers and…
WPCampus 2021 will be online September 21-22, call for proposals open
The WPCampus community is excited to announce we will present our 2021 conference, WPCampus 2021 Online, in an online format on September 21-22 (Tuesday-Wednesday). About the event WPCampus 2021 Online is a free online conference for the WPCampus community, a gathering of web professionals, educators, and people dedicated to the confluence of accessibility and WordPress…
Participate in the WPCampus 2021 Survey
Due to COVID, and the ongoing instability surrounding in-person events, WPCampus 2021 will be presented in an online format. Not being able to spend time together in-person (again) is rough, but we hope to be able to meet in New Orleans for WPCampus 2022. Besides, being online means greater access and increased opportunities for all…
Announcing the WPCampus Planning Blog
Since the beginning of WPCampus, a key element of our community's success and growth has been ensuring all members have the chance to be heard when it comes to planning and decision-making. It is one of my favorite aspects of how we get things done here at WPCampus. However, after five years of the same…
Final numbers for the WPCampus 2020 Online donation campaign
One of our WPCampus traditions is to use the “previously allocated to swag” portion of our event income to support a nonprofit organization. Traditionally, we sponsor a fundraising campaign to support a local organization. For WPCampus 2019, we raised $3,000 for Free Geek in Portland, Oregon. For WPCampus 2020 Online, we decided to recognize and support…
Registration is open for WPCampus 2020 Online
The WPCampus 2020 Online planning committee is proud to announce the WPCampus 2020 Online schedule and open registration. How to register for the event WPCampus 2020 Online is a free event thanks to the generous support of our sponsors. You can register for WPCampus 2020 Online on the event website. Registration is required to access…
Donate and help WPCampus support humanity
One of our WPCampus traditions is to use the "previously allocated to swag" portion of our event income to support a nonprofit organization. Swag is fun, but it can be wasteful. We choose to use those funds to help people in and outside of our community. Traditionally, we sponsor a fundraising campaign to support a…
WPCampus 2020 Online to change dates to July 29-31
On April 23, the Drupal Association announced “the first-ever virtual DrupalCon” which will take place July 14-17, 2020, the same time period as WPCampus 2020 Online. We felt there is enough crossover in our community to at least consider moving our dates so community members can attend both events. We surveyed the community and the…
WPCampus 2020 to go online, meet in New Orleans for 2021
The WPCampus community decided to pivot our 2020 in-person event to an online conference and re-scheduled to convene in New Orleans, Louisiana, for WPCampus 2021. WPCampus 2020 Online will take place July 15-17, 2020. The three-day online conference will include a variety of formats, including general lectures, lightning talks, longer-form sessions like workshops, and more.…
Status of WPCampus 2020 conference survey
The impact of COVID-19 is being felt around the world. While WPCampus 2020 is still four months away, the effects of COVID-19 are rapidly evolving, and the emotional and physical health of our members is our primary concern. We also strive to be positive global citizens. Doing our part to stop the spread of the…
Help WPCampus redesign our website
A few months ago, the WPCampus community established a redesign working group with the goal of redesigning our community's main website: https://wpcampus.org. It's been an exciting project! The amazing group has been hard at work to create a new design and establish a decoupled infrastructure using WordPress and Gatsby, a static site generator. Complete a…
Call for speakers open for WPCampus 2020
The call for WPCampus 2020 session proposals is open! Join us in New Orleans for our fifth-annual conference and share all of the incredible things you're doing to advance Higher Education through WordPress and Accessibility. Apply to speak at WPCampus 2020 What is WPCampus 2020? WPCampus 2020 is a three-day conference event filled with sessions, networking,…
Save the date for WPCampus 2020 speaker proposals
The WPCampus community is excited to announce that our WPCampus 2020 call for proposals will be opening next week! We’re looking forward to another year of wonderful ideas, demonstrations, brainstorming, and benchmarking. What is WPCampus 2020? WPCampus 2020 is a three-day conference event filled with sessions, networking and social events. It will cover a variety…
Save the date for WPCampus 2020 in New Orleans
The WPCampus community is excited to announce the dates for our 2020 in-person conference. When and where Join us July 15-17, 2020 for three days of learning, sharing, and networking on the beautiful campus of Tulane University in New Orleans, Louisiana! We're grateful to the team at Tulane University IT for sponsoring our event and…
Vulnerable Plugins report for the week of September 13th, 2019
29 vulnerabilities this week, with 5 needing a fix (with some, possibly, on the way). The first 3 vulnerabilities in the list are confirmations of possible vulnerabilities from last week. Search Exclude returns as last week's fix wasn't sufficient, LMS / VLE plugin LifterLMS has a serious vulnerability, Slimstat analytics returns for the third time…
Vulnerable Plugins report for the week of September 6th, 2019
26 vulnerabilities this week, with 7 needing a fix (with some, possibly, on the way). Formidable Forms appears for the fourth time in a month, so you may wish to look elsewhere. Landing Pages by SwiftCloud is still on the directory (but closed), but the latest commit has deleted everything for unknown security reasons. In…
Vulnerable Plugins report for the week of August 30th, 2019
27 vulnerabilities this week, with 4 unfixed, but 1 being worked on. WooCommerce PayU India (PayUmoney – PayUbiz), Instamojo for WooCommerce and DW Mega Menu are all closed and show no sign of a fix - Ovic Addon Toolkit is closed, but is being worked on. It is an arbitrary file deletion vulnerability, so…
Vulnerable WordPress Plugins Report for the Week of August 23, 2019
Vulnerable Plugins There are eighteen issues this week, with two unfixed, and five where fixes have been committed but aren't showing as available yet in the public repository. The most critical this week are a Privilege Escalation vulnerability in WP Front End Profile (fix available), a CSV Injection vulnerability in Import Export WordPress Users (fix…
Vulnerable WordPress Plugins Report for the Week of August 16, 2019
Vulnerable Plugins There are eighteen issues this week, with eight unfixed. The most critical this week is an Arbitrary File Upload vulnerability via Cross-Site Request Forgery vulnerability in the Maintenance plugin. No fix is available as of this publishing date, and the plugin has been closed in the public repository. View this week's vulnerable plugins…
Vulnerable WordPress Plugins Report for the Week of August 9, 2019
Vulnerable Plugins There are eighteen issues this week, with three unfixed. The most critical this week are Privilege Escalation vulnerabilities via Unauthenticated Option Update vulnerabilities in the Donations, Booking, Learning Courses, and Restaurant Reservations plugins (fixes available for all). View this week's vulnerable plugins list. Other News I'm back! Huge thank you goes out to…
Vulnerable Plugins report for the week of August 2nd, 2019
23 vulnerabilities this week, with 9 unfixed (some are commercial plugins where a change log isn't easily available, some are dot org plugins that are being worked on - see the notes column for more). View this week’s vulnerable plugins list
Vulnerable Plugins report for the week of July 26th, 2019
27 vulnerabilities this week (which means so far in July we've had 105 issues), with 4 unfixed. It's a bad week for cache plugins, with WP Super Cache, WP Fastest Cache and Breeze all having fixes. View this week’s vulnerable plugins list The WPCampus 2019 conference is currently happening! Check out the schedule for lots of…
Meet the Associate Sponsors of WPCampus 2019
Our thanks to Funnelback, HelpJet, Milepost 42, and Sticker Mule for supporting WPCampus 2019.
Meet the Undergraduate Sponsors of WPCampus 2019
Our thanks to ACF, DragonTeach, elearningfreak, Happy Prime, LearnDash, Pgogy Webstuff, Platform.sh, and SMILE for supporting WPCampus 2019.
Vulnerable WordPress Plugins Report for the week of July 19, 2019
26 issues this week, with 6 so far unfixed - though Advanced CF7 DB (Advanced Contact form 7 DB) seems to be being worked on. All-in-one migration has multiple issues with one remaining unresolved. View this week’s vulnerable plugins list
Meet Monarx, WPCampus 2019 Sponsor
Monarx provides an application security solution that protects WordPress websites. We are so grateful to have this company sponsor WPCampus 2019.
Meet Pantheon, WPCampus 2019 Sponsor
Pantheon is a website operations platform for Drupal and WordPress. We are so grateful to have this company as the doctoral sponsor for WPCampus 2019.
Meet Modern Tribe, WPCampus 2019 Sponsor
Modern Tribe is a digital agency for the modern university. We are so grateful to have this company sponsor WPCampus 2019.
Meet CampusPress and WPMU DEV, WPCampus 2019 Sponsors
CampusPress has powered WordPress Multisite networks for thousands of schools and universities around the world. WPMU DEV is giving WordPress superpowers to users around the world. We are so happy to have these companies as sponsors of WPCampus 2019.
WPCampus 2019 sessions will be live streamed for free
Registration for WPCampus 2019 may be closed but no worries! You can still attend many of our amazing sessions virtually. With the exception of workshops, sessions from WPCampus 2019 will be live streamed with captioning, thanks to the generous support of our partners at Pantheon. Visit the watch page on Friday, July 26 and Saturday,…
Vulnerable WordPress Plugins Report for the Week of July 12, 2019
Vulnerable Plugins There are twenty-nine issues this week, with only one unfixed. The most critical this week are an Authenticated (low privileged user) Arbitrary Options Update vulnerability in the One Click SSL plugin (fix available) and in the WPTF Hybrid Composer plugin (fix available), and multiple critical issues in the File Manager (by mndpsingh287) plugin…
Vulnerable WordPress Plugins Report for the Week of July 5, 2019
Vulnerable Plugins There are twenty-four issues this week, with five unfixed. The most critical this week are an unfixed Authenticated Arbitrary File Upload vulnerability in the MapsSVG Lite plugin and an unfixed Authenticated Remote Code Execution vulnerability in the Newsletter plugin. Both plugins have been closed in the public plugin repository. In addition, there…
Vulnerable WordPress Plugins Report for the Week of June 28, 2019
Vulnerable Plugins There are thirty-four issues this week, with four unfixed. The most critical this week is an unfixed Arbitrary Password Reset vulnerability with the Ultimate Members plugin. Since this is a premium plugin, I do not have access to the source to verify. According to the disclosure, the vendor has stated the fix…
Donate and help WPCampus support digital inclusion
For the WPCampus 2019 conference, the WPCampus community is excited to spend July 25 - 27 learning, networking, and sharing at Lewis and Clark College in Portland, Oregon. Every year at our events, we, as organizers, have enjoyed planning swag for our attendees, from travel mugs to bean bags for our phones. Swag is a…
Vulnerable WordPress Plugins Report for the Week of June 21, 2019
Vulnerable Plugins There are twenty issues this week, with three unfixed. The most critical this week are an Arbitrary Settings Update vulnerability in Real Estate Manager (unfixed), a Cross-Site Request Forgery vulnerability that can lead to an Arbitrary File Upload in LionScripts: IP Blocker Lite (fix available), and a Cross-Site Request Forgery vulnerability that can…
Vulnerable WordPress Plugins Report for the Week of June 14, 2019
Vulnerable Plugins There are nineteen issues this week, with five unfixed. The most critical this week are two Arbitrary File Upload vulnerabilities in Finale WooCommerce Sale Countdown (fix available) and in LionScripts IP Blocker Lite (unfixed, remove immediately) plugins, an Authenticated Arbitrary File Upload vulnerability in Shipping Servientrega Woocommerce (unfixed, remove immediately), and an Authenticated…
Vulnerable WordPress Plugins Report for the Week of June 7, 2019
Vulnerable Plugins There are thirteen issues this week, with five unfixed. The most critical this week is an Arbitrary File Upload vulnerability in Crelly Slider, discovered by NinTechNet. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Week of May 31, 2019
Vulnerable Plugins There are sixteen issues this week, with two unfixed. The most critical this week are a privilege escalation issue in Slick Popups and an Unauthenticated Administrator Creation vulnerability in Convert Plus. Both issues were discovered by WordFence/Defiant. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Week of May 24, 2019
Vulnerable Plugins There are fifteen issues this week, with five unfixed. The most critical this week is in WPGraphQL, which includes: create administrative users; post comments on articles bypassing article restrictions and global moderation; retrieve content of password-protected posts/articles/pages; retrieve full list of registered users in the platform; retrieve full list of media, comments, themes…
Announcing our Diversity, Equity, and Inclusion statement
The WPCampus community is delighted to announce our official Diversity, Equity, and Inclusion statement. This statement came from a desire by the WPCampus leadership to prioritize issues of equity and diversity. As many of you know, accessibility is a major focus for our initiatives and events. We believe that accessibility can only be achieved through…
Vulnerable WordPress Plugins Report for the Week of May 17, 2019
Vulnerable Plugins There are nineteen issues this week, with five unfixed. The most critical this week are the Sensitive Information Disclosure, Arbitrary File Deletion, and multiple Cross-Site Scripting vulnerabilities in Ultimate Member discovered by Sucuri earlier this week. There was also a Local File Inclusion vulnerability disclosed in Photo Gallery by 10Web that does not…
Vulnerable WordPress Plugins Report for the Weeks of April 27, 2019 through May 10, 2019
Vulnerable Plugins Twenty-two issues over the last two weeks, with only two issues unfixed. The most critical updates are the Remote Code Execution vulnerability in the plugins W3 Total Cache and Kanzu Support Desk, and the Arbitrary File Upload vulnerabilities in the plugins Polldeep, User Submitted Posts, and WP Live Chat Support Pro. View this…
Tenon to host public webinar to discuss Gutenberg accessibility audit results
WPCampus is excited to announce that our accessibility testing vendor, Tenon LLC, will host a public webinar and question-and-answer session to discuss the results of the Gutenberg accessibility audit. The webinar will take place Monday, May 13, 2019 at 12:00 PM CDT. You must register to attend.
WPCampus releases results of the Gutenberg accessibility audit
In late 2018, WPCampus released a request for proposals to conduct an accessibility audit of the WordPress block editor, also known as Gutenberg. In early 2019, we announced our selection of Tenon, LLC to conduct the audit. We are excited to share the results of the Gutenberg accessibility audit.
Vulnerable WordPress Plugins Report for the Week of April 26, 2019
Vulnerable Plugins There are nine issues this week, with five unfixed. The two most critical are an Arbitrary File Upload vulnerability in the WooCommerce Checkout Manager plugin (closed in public repository) and an Authenticated Arbitrary Options Update in Free Adwords Campaigner plugin (also closed in the public repository). You should remove both plugins immediately until…
Vulnerable WordPress Plugins Report for the Weeks of April 6, 2019 through April 19, 2019
Vulnerable Plugins Fifteen issues over the last two weeks, with five issues unfixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Week of April 5, 2019
Vulnerable Plugins There are twenty-two items on the list this week, with six unfixed. The issue with the most visibility this week, by far, was the controversy surrounding the Pipdig Power Pack (P3) plugin. If you're not familiar with what happened, I would suggest reading the write-up by WordFence and an extremely thorough write-up by…
Announcing WPCampus 2019. Call for Proposals Open!
We’re excited to officially announce WPCampus 2019! Join us July 25-27 at Lewis & Clark College in Portland, Oregon. About WPCampus 2019 WPCampus is a three-day conference event filled with sessions, networking and social events. It will cover a variety of topics, focused on accessibility and WordPress in higher education. Visit the About page to…
Vulnerable WordPress Plugins Report for the Week of March 29, 2019
Vulnerable Plugins There are seventeen items on the list this week, with twelve unfixed. View this week's vulnerable plugins list. Other Security News PuTTY released version 0.71 which addresses multiple security issues. PuTTY is often bundled with other software packages on Windows, so if you work on a Windows machine, double-check your PuTTY client version…
Vulnerable WordPress Plugins Report for the Week of March 22, 2019
Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Unauthenticated Arbitrary wp_options import vulnerability in Easy WP SMTP, and the Unauthenticated SQL Injection vulnerability in Better Search both of which have been fixed in their most recent updates. View this week's vulnerable plugins…
WPCampus 2019 Call for Proposals: Save the Date!
Hello WPCampus friends! We’re excited to announce that our Call for Proposals for this year’s conference will be opening soon! We’re looking forward to another year of wonderful ideas, demonstrations, brainstorming, and benchmarking. Session Topics As in past years, we’re looking for a variety of topics on anything that might bring value to our community.…
Vulnerable WordPress Plugins Report for the Week of March 15, 2019
Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Sensitive Information Disclosure/Authenticated Arbitrary File Read vulnerability in Caldera Forms Pro, and the Privilege Escalation vulnerability in SiteGround Optimizer. Both issues were discovered by Sucuri. View this week's vulnerable plugins list. Other WordPress Security…
Vulnerable WordPress Plugins Report for the Week of March 8, 2019
Vulnerable Plugins There are twenty items on the list this week, with the vast majority of them related to the Freemius framework disclosure that happened last week. WPVulnDB also has a list of plugins that use Freemius that have been updated. There are three additional plugins in this week's list that were updated for security…
Vulnerable WordPress Plugins Report for the Weeks of February 22 through March 1, 2019
Vulnerable Plugins Seventeen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. We're likely to see many more plugins updated over the next week as Freemius, a freemium framework used in thousands of plugins and themes, recently patched an authenticated options update vulnerability. They attempted to give developers some time…
Vulnerable WordPress Plugins Report for the Week of February 15, 2019
Vulnerable Plugins Nine disclosures since last week, with all issues fixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Week of February 8, 2019
Vulnerable Plugins Twenty-one disclosures since last week, with eight issues unfixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Week of February 1, 2019
Vulnerable Plugins Twelve disclosures since last week, with four issues unfixed. The most serious is an Arbitrary File Upload vulnerability in the plugin Slider by 10Web. It appears that the developer is trying to fix the issue, but as of right now (2:00PM CST) it remains unavailable in the public repository. You are encouraged to…
Vulnerable WordPress Plugins Report for the Week of January 25, 2019
Vulnerable Plugins Three disclosures since last week, with all issues fixed. However, right as I was writing this post, WordFence released a post detailing multiple vulnerabilities in the plugin Total Donations that can lead to a complete site take-over. The plugin appears to be abandoned so there is a high chance it will not be…
Vulnerable WordPress Plugins Report for the Weeks of January 5, 2019 through January 18, 2019
Vulnerable Plugins Fifteen disclosures over the last two weeks, with twelve issues unfixed. View this week's vulnerable plugins list. The most severe issue from this report is a Confidential Information Leakage vulnerability with the Social Network Tab plugin that was found to be storing twitter account access tokens and secrets in the source code of the…
Gutenberg Accessibility Audit Vendor Selection
WPCampus is excited to announce our selection of Tenon LLC to conduct an accessibility audit of the Gutenberg content editor. Founded by Karl Groves, Tenon is a leader in the accessibility testing field. We look forward to working with the team at Tenon over the coming weeks. Thank you to all of the companies who…
Vulnerable WordPress Plugins Report for the Weeks of December 21, 2018 through January 4, 2019
Vulnerable Plugins Six disclosures over the last two weeks, with three issues unfixed. View this week's vulnerable plugins list. Luckily, the unfixed vulnerabilities are all in plugins that are fairly old with small installation numbers.
Vulnerable WordPress Plugins Report for the Week of December 21, 2018
Vulnerable Plugins Six disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. I won't be doing a report next week due to the holidays. I'll send out a two-week report the first Friday of 2019.
Vulnerable WordPress Plugins Report for the Week of December 14, 2018
Vulnerable Plugins Thirteen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News Version 5.0.1 was released earlier this week and corrects seven issues. If you have not upgraded to version 5.0 yet, fixes for all versions back to 3.7 are available. Other Security News As a…
Vulnerable WordPress Plugins Report for the Week of December 7, 2018
Vulnerable Plugins Fifteen disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Four issues are critical and should be updated immediately: Redirection for versions 3.6.2 and earlier has a potential remote code execution vulnerability; Toolset Type for versions 2.3.3 and earlier has a privilege escalation vulnerability; WooCommerce for versions 3.4.5…
Vulnerable WordPress Plugins Report for the Weeks of November 17 through November 30, 2018
Vulnerable Plugins There were four disclosures over the last two weeks, with one issue unfixed. View this week's vulnerable plugins list. A weekly report on a Monday? Yeah. There were a lot of disclosures during the Thanksgiving week to sort through. Unfortunately, the vast majority of them were false positives and/or inaccurate and it took…
Fundraising for WPCampus Gutenberg Accessibility Audit
Update to this post: Our vendor has been selected and our final fundraising goal has been set at $31,200. You can learn more about the entire project by attending The WPCampus Gutenberg Accessibility Audit session at WPCampus Online 2019. Last month, WPCampus released a request for proposals to conduct an accessibility audit of the WordPress…
Vulnerable WordPress Plugins Report for the Week of November 16, 2018
Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Quick note that there will not be a report next week due to the holidays. I'll do a two-week report on November 30th.
Vulnerable WordPress Plugins Report for the Week of November 9, 2018
Vulnerable Plugins Eleven disclosures since last week, with three issues unfixed, one unknown. View this week's vulnerable plugins list. Far and away the most serious issue this last week was a combined set of vulnerabilities in the WP GDPR Compliance plugin that could allow attackers to add themselves to a site as an administrator and/or install…
Vulnerable WordPress Plugins Report for the Weeks of October 20 through November 2, 2018
Vulnerable Plugins There were eight disclosures over the last two weeks, with two issues unfixed, one unknown. The disclosures that will affect the most people are the stored cross-site scripting vulnerabilities in Elegant Themes' Divi Builder plugin, Divi theme and Extra theme. If you're using those products be sure to get the latest updates from Elegant…
WPCampus Releases Gutenberg Accessibility Audit RFP
WPCampus has released a request for proposals seeking an accessibility audit of the WordPress "Gutenberg" editor. Our organization is sensitive to the legal requirements set by Section 508 of the Rehabilitation Act. The recent 508 refresh brought these requirements in line with WCAG 2.0 level AA, an industry standard that helps ensure accessibility. WCAG 2.0…
Vulnerable WordPress Plugins Report for the Weeks of October 6 through October 19, 2018
Vulnerable Plugins There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is related to the recently disclosed vulnerability in the Blueimp jQuery File Upload Plugin package. However, there are fewer than 10 sites with the csv2wpec-coupon so it's unlikely…
Vulnerable WordPress Plugins Report for the Week of October 5, 2018
Vulnerable Plugins Seven disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. Other WordPress News Earlier this week, the WordPress core team announced the release date for WordPress version 5.0: November 19, 2018. This means the 4.9.9 release has been shelved unless the core team is unable to release 5.0 before the…
Vulnerable WordPress Plugins Report for the Week of September 28, 2018
Vulnerable Plugins Eight disclosures since last week, with two issues unfixed, and two unknown. View this week's vulnerable plugins list. Other WordPress Security News There were several reports this week that the United Nations' WordPress site was leaking "thousands of resumes" (The Register has since updated their story after I contacted them). As it turns out,…
Vulnerable WordPress Plugins Report for the Week of September 21, 2018
Vulnerable Plugins Ten disclosures since last week, with four issues unfixed, the most serious being an Authenticated Arbitrary File Upload vulnerability in Advanced Contact form 7 DB. View this week's vulnerable plugins list. Other Security News Specifics of the Remote Code Execution vulnerability in Moodle were disclosed earlier this week. The disclosure includes Proof-of-Concept code so…
Vulnerable WordPress Plugins Report for the Weeks of September 1 through September 14, 2018
Vulnerable Plugins Apologies for not sending out a report last week. There were seven disclosures over the last two weeks, with two issues unfixed. View this week's vulnerable plugins list. WordPress News The roadmap for version 4.9.9 was released earlier this week. The schedule currently proposes 4.9.9 being released during the first week of November. …
Vulnerable WordPress Plugins Report for the Week of August 31, 2018
Vulnerable Plugins Nine disclosures since last week, with four issues unfixed. Additionally, Ninja Forms has released version 3.3.14 which addresses the CSV Injection vulnerability disclosed last week. View this week's vulnerable plugins list. Other Security News Joomla! released version 3.8.12 which addressed three security issues: potential file upload vulnerability, stored cross-site scripting vulnerability, and an ACL Violation in custom…
Vulnerable WordPress Plugins Report for the Week of August 24, 2018
Vulnerable Plugins Five disclosures since last week, with four issues unfixed, the most serious being an unfixed CSV Injection vulnerability in Ninja Forms. View this week's vulnerable plugins list. Other Security News phpMyAdmin released a patch earlier this week that addresses an authenticated, stored cross-site scripting issue. Similarly, the Apache Foundation released a critical patch earlier…
Vulnerable WordPress Plugins Report for the Week of August 17, 2018
Vulnerable Plugins Four disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Weeks of July 27 through August 10, 2018
Vulnerable Plugins Somehow (thankfully) there has been only one public disclosure over the last two weeks: an Unauthenticated Arbitrary File Upload vulnerability in the Ultimate Member plugin that has been patched with version 2.0.23. View this week's vulnerable plugins list. An Unauthenticated Arbitrary File Upload is a critical vulnerability, so you should update this plugin…
Vulnerable WordPress Plugins Report for the Week of July 26, 2018
Vulnerable Plugins Four disclosures since last week, with one issue unfixed, one unsure but assumed unfixed. View this week's vulnerable plugins list. Yes, I know it's not Friday, but I'll be out of town tomorrow and wanted to go ahead and get the report out. I'll also be out of town next Friday as well…
Vulnerable WordPress Plugins Report for the Weeks of July 9 through July 20, 2018
Vulnerable Plugins Eight disclosures over the last two weeks, with five issues unfixed, one critical. An authenticated arbitrary file upload vulnerability has been identified in the MapSVGLite plugin that remains unfixed. You should remove the plugin as soon as possible until the issue has been resolved. View this week's vulnerable plugins list. Other WordPress News The…
Breaking Away from the “Sea of Sameness” in Higher Ed
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services. There’s a quiet dread shared by every higher education web manager. “If you take our logo away from our header,”…
Vulnerable WordPress Plugins Report for the Weeks of June 22 through July 8, 2018
Vulnerable Plugins Ten disclosures over the last two weeks, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News The big news last week and into this week was the disclosure of an unpatched arbitrary file deletion vulnerability in WordPress core. Luckily, the vulnerability required a user to have the ability to…
Meet DDEV, WPCampus 2018 Sponsor
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. With DDEV, we’re making it easier everyday to get your web development…
PSA: Arbitrary File Deletion vulnerability in all current versions of WordPress
Update 20180705: version 4.9.7 has been released and addresses the issue below. RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all versions of WordPress. The vulnerability requires a role of Author or greater in order to exploit. The exploit allows an authenticated user to delete any file on the server that…
Meet BoldGrid, WPCampus 2018 Sponsor
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. BoldGrid is pleased to announce the sponsorship of the 2018 WPCampus conference.…
Vulnerable WordPress Plugins Report for the Week of June 22, 2018
Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Including this one only because I never imagined someone being held at gunpoint to steal a domain name: Sherman Hopkins, Jr., 43, from Cedar Rapids, Iowa, broke into the victim's house, held the victim at…
Join us at HighEdWeb Oct. 21-24
100+ presentations, two world-class keynotes and a great community. HighEdWeb provides valuable professional development for all who want to explore the unique digital issues facing colleges and universities.
Meet Pantheon, WPCampus 2018 Sponsor
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. The WPCampus community is proud to announce Pantheon as a President Sponsor…
Meet CampusPress, WPCampus 2018 Sponsor
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. CampusPress is thrilled to help support WPCampus for the 3rd year in…
Vulnerable WordPress Plugins Report for the Week of June 15, 2018
Vulnerable Plugins Ten disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other Security Came across a fun little security testing playground. Allows you to spin up multiple vulnerable applications to practice security concepts and exploits and provide first-hand experience. Each one has an explanation of the vulnerabilities in the…
Meet 10up, WPCampus 2018 Sponsor
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. 10up is honored to support WPCampus this year through sponsorship, speaking, and…
Vulnerable WordPress Plugins Report for the Week of June 7, 2018
Vulnerable Plugins Seventeen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security Defiant released a whitepaper earlier this week covering a new WordPress malware they've been tracking and have dubbed "BabaYaga". Ryan Dewhurst (@ethicalhack3r and contributor to WPScan) released a report covering how many sites of the…
Meet SiteLock, WPCampus 2018 Sponsor
This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. The internet was born on university campuses. It started with an "Interface…
Vulnerable WordPress Plugins Report for the Week of June 1, 2018
Vulnerable Plugins Ten disclosures since last week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News As I mentioned last week, a new malware, dubbed VPNFilter, was discovered to be targeting home/SOHO network devices. The FBI has released an advisory recommending all owners of routers (which is just about everyone with…
Vulnerable WordPress Plugins Report for the Week of May 25, 2018
Vulnerable Plugins Six disclosures since last week, with three issues still unfixed. View this week's vulnerable plugins list. WordPress Security News WordFence released an interesting report on Tuesday that showcased an attack whereby hackers used compromised WordPress.com sites to install backdoor plugins on self-hosted WordPress sites via Jetpack's remote management capabilities. If you use a…
Vulnerable WordPress Plugins Report for the Week of May 18, 2018
Vulnerable Plugins Eleven disclosures since last week, with one critical unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has fixed the issue. View this week's vulnerable plugins list. Other WordPress News Version 4.9.6 of WordPress was released yesterday. While many (myself included) assumed this was…
Vulnerable WordPress Plugins Report for the Week of May 11, 2018
Vulnerable Plugins Three disclosures since last week, with all three issues unfixed. WP Google Drive has not been updated in six years and should be replaced, if you haven't already. View this week's vulnerable plugins list. Other WordPress News The release candidate for version 4.9.6 is now available. The tentative official release date has been moved…
Vulnerable WordPress Plugins Report for the Week of May 4, 2018
Vulnerable Plugins Two disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.6 is now in beta, with a tentative official release date of May 15th. 4.9.6 contains 10 bug fixes, and 34 features/enhancements, most of which revolve around privacy and personal data tools to assist…
Vulnerable WordPress Plugins Report for the Week of April 27, 2018
Vulnerable Plugins Twelve disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Cross-Site Request Forgery vulnerability disclosed in phpMyAdmin 4.8.0 and earlier; TPLink Router TLWR740N Remote Code Execution vulnerability disclosed; Unvalidated Redirect in Shibboleth component of Blackboard Learn
Vulnerable WordPress Plugins Report for the Week of April 20, 2018
Vulnerable Plugins Just two disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Week of April 13, 2018
Vulnerable Plugins Nine disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Apologies for not getting this report out on Friday. I had other issues pop up that required my attention and didn't leave me with enough time to complete the report on Friday. Speaking of which, my responsibilities at…
Vulnerable WordPress Plugins Report for the Week of April 6, 2018
Vulnerable Plugins Three disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As previously mentioned, v4.9.5 was released on April 3rd. While it was originally announced as a maintenance release, it does contain three security fixes. If you haven't already, you should get the 4.9.5 update into…
Vulnerable WordPress Plugins Report for the Week of March 30, 2018
Vulnerable Plugins Seven disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As noted last week, WordPress version 4.9.5 is scheduled for release on April 3rd. Originally, it was to include administrative dashboard call-outs to try out Gutenberg, but those have now been removed: the Try Gutenberg callout will ultimately not land…
Vulnerable WordPress Plugins Report for the Week of March 23, 2018
Vulnerable Plugins Three disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.5 of WordPress is now in beta and has been scheduled for release on April 3rd. While 4.9.5 will be a maintenance release, it will interestingly include administrative dashboard call-outs to try out Gutenberg (h/t…
Vulnerable WordPress Plugins Report for the Week of March 16, 2018
Vulnerable Plugins Thirteen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. As with previous weeks, there are a few fairly popular plugins in this week's list: Duplicator - WordPress Migration Plugin, WP Job Manager (both have updates available), Limit Login Attempts Reloaded, and Limit Login Attempts (no updates available). Make sure…
GutenDay at NC State
In addition to this blog post, you can hear more about NC State's GutenDay on the WPCampus Podcast! We were vaguely aware of Gutenberg all through 2017. Our team in NC State's central IT unit was kind-of listening to the Gutenberg chatter, and we had tested it enough to know we didn't want to think…
Vulnerable WordPress Plugins Report for the Week of March 9, 2018
Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's list: iThemes Security, and WP All Import. Make sure to get these updates into your change management cycle as soon as possible.
Vulnerable WordPress Plugins Report for the Week of March 2, 2018
Vulnerable Plugins Seven disclosures since last week, with only one issue unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's list: MainWP-Child, and WP Fastest Cache. Make sure to get these updates into your change management cycle as soon as possible. Other Security News…
Vulnerable WordPress Plugins Report for the Week of February 23, 2018
Vulnerable Plugins Nine disclosures since last week, with all issues fixed! View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's list: MailChimp for WordPress, WooCommerce, and Ninja Forms. Make sure to get these updates into your change management cycle as soon as possible.
Vulnerable WordPress Plugins Report for the Weeks of February 9, 2018 and February 16, 2018
Vulnerable Plugins Eighteen disclosures over the last two weeks, with nine issues unfixed. View the last two weeks' vulnerable plugins list. Other Security News Way back in 2014, Google announced its plans to push for "HTTPS everywhere". In 2015, they began downranking non-https links in favor of https links. Last October, starting with the release…
Version 4.9.3, Version 4.9.4 and the Denial of Service Vulnerability
As I mentioned on Friday, WordPress version 4.9.3 was released as scheduled Monday mid-day. If you have auto-updates enabled, you might have been surprised to see another WordPress update (4.9.4) come through Tuesday morning around 10am (CST). It seems there was a severe bug in 4.9.3 that caused the auto update feature to break in some sites…
Vulnerable WordPress Plugins Report for the Week of February 2, 2018
Vulnerable Plugins Seven disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress News WordPress core announced on Tuesday version 4.9.3 will be delayed until Monday, February 5th. So now you know what you're doing on Monday. ;) Other Security News Also on Tuesday, Cisco disclosed a vulnerability in the…
Vulnerable WordPress Plugins Report for the Week of January 26, 2018
Vulnerable Plugins Eighteen disclosures since last week, with five issues unfixed. Plus two disclosures (Ninja Popups) that I missed last week. View this week's vulnerable plugins list. WPCampus Online Don't forget: the WPCampus Online conference is this Tuesday, January 30 starting at 9:00 A.M. CST.
Vulnerable WordPress Plugins Report for the Week of January 12, 2018
Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. WordPress Security News Version 4.9.2 was released on Tuesday. It is a security and maintenance release and addresses a Cross-Site Scripting vulnerability and 21 other bugs. If you do not have auto-updates enabled, definitely get the update into…
Vulnerable WordPress Plugins Report for the Week of January 12, 2018
Vulnerable Plugins Keep it short and sweet this week: twenty-seven disclosures since last week, with seven issues unfixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Weeks of December 29, 2017 and January 5, 2018
Vulnerable Plugins Ten disclosures over the last two weeks, with four issues unfixed. View this week's vulnerable plugins list. I hope everyone had a wonderful and relaxing holiday break. Unfortunately, vulnerabilities and disclosures did not rest. Two critical situations were disclosed during that time: an Unauthenticated Arbitrary File Upload discovered in the LearnDash LMS plugin by…
Vulnerable WordPress Plugins Report for the Week of December 22, 2017
Vulnerable Plugins Twenty-six disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha (300K installs) contained backdoor code. In looking through the repository, it appears the code was introduced in v4.3.6 of the plugin. Version 4.4.5 was released earlier…
Vulnerable WordPress Plugins Report for the Week of December 15, 2017
Vulnerable Plugins Seven disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News I've discussed the DorkBot service from UT Austin a couple of times now. I recently had the pleasure to chat with Andrew Scheifele (who had a hand in the DorkBot project) about how the service has…
Vulnerable WordPress Plugins Report for the Week of December 8, 2017
Vulnerable Plugins Six disclosures this week, with two issues unfixed. View this week's vulnerable plugins list.
Vulnerable WordPress Plugins Report for the Weeks of November 24 and December 1, 2017
Vulnerable Plugins Fifteen disclosures over the last two weeks, with eleven issues unfixed. View this week's vulnerable plugins list. I hope everyone in the States had a great Thanksgiving last week. Many of you this week, hopefully, are attending WordCamp US in beautiful Nashville. If you are, please be sure to say "hello" to our colleagues…
Vulnerable WordPress Plugins Report for the Week of November 17, 2017
Vulnerable Plugins Twenty-two disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The critical updates you should be aware of from this week's list are in Formidable Forms, discovered by Klikki Oy, and in WP Support Plus Responsive Ticket System, discovered by Robert Mathews. If you are using either of these plugins, please make…
Vulnerable WordPress Plugins Report for the Week of November 10, 2017
Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week's vulnerable plugins list. The most interesting disclosure this week, in my opinion, is that for the Animated Weather Widget plugin reported by Wordfence. While the plugin itself did not contain a vulnerability, the plugin generated an iframe that contained content from weatherfor.us…
Vulnerable WordPress Plugins Report for the Week of November 3, 2017
Vulnerable Plugins Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet). View this week's vulnerable plugins list. The largest disclosure this week was definitely the SQL Injection vulnerability patched in v4.8.3 of core. The patch even got its own haiku (courtesy of pagely.com): WordPress Halloween. We…
Please Update to WordPress v4.8.3 Immediately
Version 4.8.3 was just released moments ago. It addresses a SQL Injection issue discovered by Anthony Ferrara: https://twitter.com/ircmaxell/status/923662170092638208. Confirmation from Anthony: https://twitter.com/ircmaxell/status/925366959612538882. WordPress posts concerning the update: https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/ and https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/. If you have auto-update enabled, you should receive the update automatically this morning. If you do not have auto-update enabled, please update ASAP.
Vulnerable WordPress Plugins Report for the Week of October 27, 2017
Vulnerable Plugins Nine disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. The largest disclosure this week was most likely the SQL Injection combined with Object Injection vulnerability in the Contact Form for WordPress - Ultimate Form Builder Lite plugin disclosed by Wordfence. At the time of discovery, the vulnerability was…
Vulnerable WordPress Plugins Report for the Weeks of October 13 and 20, 2017
Vulnerable Plugins Seventeen disclosures over the last two weeks, with six issues unfixed. View this week's vulnerable plugins list. Sorry I wasn't able to get last week's list out on time. As I mentioned previously, I was at HighEdWeb all last week and have spent most of the last week trying to catch up from…
Vulnerable WordPress Plugins Report for the Week of October 6, 2017
Vulnerable Plugins Fourteen disclosures this week, with six issues unfixed, with three of those critical. View this week's vulnerable plugins list. The big news this last week, at least in terms of coverage, was the disclosure by Wordfence of three plugins vulnerable to Object Injection vulnerabilities. Luckily, all three plugins have been fixed with updates…
Vulnerable WordPress Plugins Report for the Week of September 29, 2017
Vulnerable Plugins Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository. View this week's vulnerable plugins list. As a point of clarification, since there seems to be some confusion: I am not the discoverer of the vulnerabilities listed in the spreadsheet. There is a column labeled…
Vulnerable WordPress Plugins Report for the Week of September 22, 2017
Vulnerable Plugins Fourteen disclosures this week, with five issues unfixed, and one that is critical. View this week's vulnerable plugins list. The critical disclosure this week is an Arbitrary File Upload vulnerability in the plugin All Post Contact Form. It appears that the plugin doesn't do any checking on the file type that is being…
Vulnerable WordPress Plugins Report for the Week of September 15, 2017
Vulnerable Plugins Eight disclosures this week, with two issues unfixed, and two where I'm not sure. View this week's vulnerable plugins list. The two I'm unsure of this week are with iThemes' BackupBuddy plugin. BackupBuddy is a paid plugin, so I do not have access to the source files. The last changelog mention I can…
Vulnerable WordPress Plugins Report for the Week of September 8, 2017
Vulnerable Plugins Seventeen disclosures this week, with eight issues unfixed. View this week's vulnerable plugins list. Other Security News The big disclosure this week was the breach at Equifax. If you haven't heard about it yet, I strongly recommend you read the write-up by Brian Krebs over at krebsonsecurity.com. The TL;DR is Equifax, one…
Vulnerable WordPress Plugins Report for the Week of September 1, 2017
Vulnerable Plugins Ten disclosures this week, with three issues unfixed. View this week's vulnerable plugin list. The disclosure with the most visibility this week was in WooCommerce Product Vendors, where researchers from SiteLock discovered an unauthenticated, reflected Cross-Site Scripting vulnerability. Automattic was quick to patch the vulnerability and promptly released version 2.0.40. Also disclosed this…
Vulnerable WordPress Plugins/Themes Report for the Week of August 25, 2017
Vulnerable Plugins/Themes Seven disclosures this week, with zero issues unfixed. YAY! View this week's vulnerable plugin list. This week, let's look at the Authenticated, Unauthorized Information Disclosure vulnerability in version 1.1.0 of Advanced Contact Form 7 DB plugin, as you may be asking how there can be a problem if someone is already authenticated. Authentication…
Vulnerable WordPress Plugins/Themes Report for the Week of August 18, 2017
Vulnerable Plugins/Themes Eleven disclosures this week, with three issues unfixed. View this week's vulnerable plugin list. Going to highlight a couple from this week. The first is from researcher Lenon Leite, who discovered a SQL Injection vulnerability in the plugin Link Library. Just like with last week's SQL Injection examples, this vulnerability requires an authenticated user…
Vulnerable WordPress Plugins/Themes Report for the Week of August 11, 2017
Vulnerable Plugins/Themes Eleven disclosures this week, with two issues unfixed. View this week's vulnerable plugin list. We have one theme joining the list this week: GamePlan - Event and Gym Fitness by cactusthemes.com. I mention it specifically because while I doubt most of us are using a gym-based theme (though possibly for a student rec…
Vulnerable WordPress Plugins Report for the week of August 4, 2017
Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. One of the disclosures is actually from last week that I intended to include but forgot. I want to bring attention to it because it highlights how vulnerabilities can be, and often are, stacked. Wordfence recently wrote about how attackers…
Vulnerable WordPress Plugins Report for the Week of July 28, 2017
Vulnerable Plugins It was a busy week while I was away. Twenty disclosures, with eleven issues unfixed. With regard to both Formcraft Form Builder and Ultimate Affiliate Pro, since they are paid plugins, I do not have access to the source code in order to verify the disclosures. In addition, I'm assuming the vulnerabilities still…
Vulnerable WordPress Plugins Report for the Week of July 13, 2017
Nope, today is not Friday (sorry). I'm going to be out of town tomorrow, so I'm doing this week's report a day early. I'll also be out next week; as such, there will be no report next week on the 21st. If there are numerous disclosures while I'm out, I'll do a report shortly after I…
Vulnerable WordPress Plugins Report for the week of July 7, 2017
Vulnerable Plugins Only four plugins with disclosed vulnerabilities this week, none of which remain unpatched! That's the fewest number of disclosures in a week since I started doing this report. You'll notice WP Statistics made a repeat appearance after being on last week's report for a SQL Injection vulnerability. This week's appearance is due to an Authenticated…
Vulnerable WordPress Plugins Report for the Week of June 30, 2017
Vulnerable Plugins Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft which contains two unfixed SQL Injection vulnerabilities. The packetstorm post mentions the vulnerability being in "FormCraft Basic" but that the plugin directory for google dorking is "formcraft". The version in the public repository definitely contains the vulnerability,…
Vulnerable WordPress Plugins Report for the Week of June 23, 2017
Vulnerable Plugins This week's list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities. Unfortunately, one of them is a repeat offender: Photo Gallery by WD, which made an appearance in the May 5, 2017 report for a SQL Injection vulnerability. This time around,…
Vulnerable WordPress Plugins Report for the Week of June 16, 2017
Introduction The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I've historically created these weekly vulnerable plugin reports for the WordPress admins at the University of Missouri campus as a way to help them identify plugins and themes that need to be updated quickly. I began…