The WPCampus Community Blog

About the blog

The WPCampus Community Blog is the place for all primary and essential announcements related to our organization and community's growth.

If you're interested in helping plan our community, participate in surveys or looking for leadership and volunteer opportunities, visit the WPCampus Planning Blog.

Subscribe to updates

This mailing list sends an automated email that lets you know when we post to the WPCampus Community Blog.

Blog posts

WPCampus 2024 at Georgetown University in Washington DC July 31-Aug 2

About the event WPCampus 2024 will take place at Georgetown University July 31 - Aug 2 for the WPCampus community, a gathering of web professionals, educators, and people dedicated to the confluence of accessibility and WordPress in higher education. WPCampus 2024 will be our eleventh conference. Visit the WPCampus conferences page to learn more about…

Board of Directors monthly meeting: 15 March 2024

The next monthly meeting of the WPCampus Board of Directors is 15 March 2024 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…

Board of Directors monthly meeting: 19 January 2024

The next monthly meeting of the WPCampus Board of Directors is 19 January 2024 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…

Board of Directors Meeting Minutes: July 21, 2023

Meeting date/time: Friday, July 21, 2023 at 3:30pm Eastern Attendees: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Follow up on the 2023 conference. Charter the 2024 conference location…

Board of Directors Meeting Minutes: June 16, 2023

Meeting date/time: Friday, June 16, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Kiera Howe, Dash Kees, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Discuss the Board’s decision regarding the organization’s disconnection with Pantheon, and how to create and announce…

Board of Directors Meeting Minutes: May 19, 2023

Meeting date/time: Friday, May 19, 2023 at 3:30pm Eastern Attendees: Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Guests: Jose Debuchy, Joni Halabi Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Review the Code of Conduct.…

Board of Directors Meeting Minutes: April 21, 2023

Meeting date/time: Friday, March 17, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Address Pantheon's current statement regarding their hosting of hateful sites, and create…

Board of Directors Meeting Minutes: March 17, 2023

Meeting date/time: Friday, March 17, 2023 at 3:30pm Eastern Attendees: Ed Beck, Rachel Cherry, Phil Crumm, Kiera Howe, Dash Kees, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Approve the final charter for WPCampus 2023 conference. Discuss the addition of…

WPCampus is searching for a host for the 2024 Conference

Interested in bringing the annual WPCampus conference to your campus this summer? Let’s talk! WPCampus is inviting interested schools to apply to host the 2024 annual WPCampus conference. WPCampus is a community of web professionals, educators, and people dedicated to the confluence of WordPress and accessibility in higher education. The WPCampus annual conference is a…

Board of Directors monthly meeting: 18 August 2023

The next monthly meeting of the WPCampus Board of Directors is 18 August 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…

Board of Directors monthly meeting: 21 July 2023

The next monthly meeting of the WPCampus Board of Directors is 21 July 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…

WPCampus Announces Termination of Partnership with Pantheon

In light of Pantheon's decision to host the web presence of hate groups, the WPCampus Board of Directors has unanimously voted to terminate WPCampus' partnership with Pantheon. WPCampus and Pantheon have had a longstanding relationship since our formation, with their sponsoring of WPCampus events, and with donating hosting services for our web presence. These contributions…

Announcing the WPCampus 2023 accessibility keynote with Anna Cook

The WPCampus 2023 planning committee is thrilled to announce that Anna Cook, a Senior Inclusive Designer at Microsoft, will join us in New Orleans to present the first-ever keynote presentation at a WPCampus conference. At WPCampus, our organization (and conference) has three areas of focus: WordPress, accessibility, and higher education. But accessibility is much more…

Board of Directors monthly meeting: 19 May 2023

The next monthly meeting of the WPCampus Board of Directors is 19 May 2023 at 3:30pm (Eastern). These meetings are held on the 3rd Friday of each month, and are open to the public. All are welcome to join us! There will be time on the agenda for community Q&A or feedback. The meeting is…

Announcing the WPCampus 2023 schedule

Early bird pricing ends on Monday, May 8 We know how challenging it can be to deal with budgets in a higher education environment. Since we are just now releasing the schedule, we are granting one more business day to grab early bird pricing. Pro tip: use the $50 you save on the general admission…

Introducing WPCampus’ Inaugural Board of Directors

In April 2022, Rachel Cherry announced she was stepping down as the Director of WPCampus. WPCampus formed a community working group to design, implement, and lead our community transition toward a new governance model. The goal of the WPCampus Leadership Transition working group was to define and implement a new baseline leadership model for the…

Board of Directors Meeting Minutes: February 10, 2023

Meeting date/time: Friday, February 10, 2023 at 1pm Eastern Attendees: Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Invited: L. Danielle Baldwin, Ed Beck, Rachel Cherry, Phil Crumm, Dash Kees, Kiera Howe, Reed Piernock, Eric Sembrat Goals Charter the committee for the 2023 conference. Schedule monthly meetings. Finalize publication procedure for board meeting minutes. Establish…

Registration for WPCampus 2023 will open February 22, 2023

The WPCampus community is thrilled to announce that registration for WPCampus 2023 will open next week on Wednesday, February 22, 2023. And registration won’t be the only thing up for grabs: you will also be able to reserve your on-campus lodging, respond to our call for presenters, and become a sponsor. Visit the WPCampus 2023…

Seeking coordinators for the WPCampus 2023 planning committee

Hello, friends! WPCampus has been patiently waiting to host an event in New Orleans, and we are thrilled to head to Tulane University in New Orleans (USA) on July 12-14, 2023 (Wednesday – Friday) for WPCampus 2023, our annual (sometimes online, sometimes in-person) summer conference. WPCampus 2023 will be our fourth attempt to host an…

Opening nominations for WPCampus Board of Directors

In April, Rachel Cherry announced she was stepping down as the Director of WPCampus. Since the announcement, WPCampus formed a community working group to design, implement, and lead our community transition toward a new governance model. Our community is so grateful for all the time and energy donated by the transition working group. This group…

WPCampus 2021 Online recordings are now available

The video recordings from the WPCampus 2021 Online presentations are now available and accessible via the event schedule. All videos are captioned and will soon include full transcripts. Planning ahead for WPCampus 2022 COVID-pending, we hope we will be able to gather in person at Tulane University in New Orleans, Louisiana for WPCampus 2022. The event…

Submit a matching donation and help WPCampus support others

One of our WPCampus traditions is to use the “previously allocated to swag” portion of our event planning budget to support a nonprofit organization. Swag is fun, but it can be wasteful. We choose to use those funds to help people in and outside of our community. Traditionally, we sponsor a fundraising campaign to support…

Announcing the WPCampus 2021 schedule, opening registration

The WPCampus community is thrilled to announce the schedule for WPCampus 2021 Online and open registration. The event will take place September 21-22, 2021. Register for WPCampus 2021 Online What's different for WPCampus 2021 Online We had so many outstanding proposals for this year's online event that we had to add a third track and add a second round…

Call for WPCampus 2021 Online Volunteers and Sponsors

ICYMI: The WPCampus community has announced our 2021 conference, WPCampus 2021 Online, in an online format on September 21-22 (Tuesday-Wednesday). Here are a few updates regarding the event, including: Our call for volunteers Our call for sponsors Reminder about our call for proposals (ends May 26) Call for WPCampus 2021 volunteers WPCampus is 100% powered by volunteers and…

WPCampus 2021 will be online September 21-22, call for proposals open

The WPCampus community is excited to announce we will present our 2021 conference, WPCampus 2021 Online, in an online format on September 21-22 (Tuesday-Wednesday). About the event WPCampus 2021 Online is a free online conference for the WPCampus community, a gathering of web professionals, educators, and people dedicated to the confluence of accessibility and WordPress…

Participate in the WPCampus 2021 Survey

Due to COVID, and the ongoing instability surrounding in-person events, WPCampus 2021 will be presented in an online format. Not being able to spend time together in-person (again) is rough, but we hope to be able to meet in New Orleans for WPCampus 2022. Besides, being online means greater access and increased opportunities for all…

Announcing the WPCampus Planning Blog

Since the beginning of WPCampus, a key element of our community's success and growth has been ensuring all members have the chance to be heard when it comes to planning and decision-making. It is one of my favorite aspects of how we get things done here at WPCampus. However, after five years of the same…

Final numbers for the WPCampus 2020 Online donation campaign

One of our WPCampus traditions is to use the “previously allocated to swag” portion of our event income to support a nonprofit organization. Traditionally, we sponsor a fundraising campaign to support a local organization. For WPCampus 2019, we raised $3,000 for Free Geek in Portland, Oregon. For WPCampus 2020 Online, we decided to recognize and support…

Registration is open for WPCampus 2020 Online

The WPCampus 2020 Online planning committee is proud to announce the WPCampus 2020 Online schedule and open registration. How to register for the event WPCampus 2020 Online is a free event thanks to the generous support of our sponsors. You can register for WPCampus 2020 Online on the event website. Registration is required to access…

Donate and help WPCampus support humanity

One of our WPCampus traditions is to use the "previously allocated to swag" portion of our event income to support a nonprofit organization. Swag is fun, but it can be wasteful. We choose to use those funds to help people in and outside of our community. Traditionally, we sponsor a fundraising campaign to support a…

WPCampus 2020 Online to change dates to July 29-31

On April 23, the Drupal Association announced “the first-ever virtual DrupalCon” which will take place July 14-17, 2020, the same time period as WPCampus 2020 Online. We felt there is enough crossover in our community to at least consider moving our dates so community members can attend both events. We surveyed the community and the…

WPCampus 2020 to go online, meet in New Orleans for 2021

The WPCampus community decided to pivot our 2020 in-person event to an online conference and re-scheduled to convene in New Orleans, Louisiana, for WPCampus 2021. WPCampus 2020 Online will take place July 15-17, 2020. The three-day online conference will include a variety of formats, including general lectures, lightning talks, longer-form sessions like workshops, and more.…

Status of WPCampus 2020 conference survey

The impact of COVID-19 is being felt around the world. While WPCampus 2020 is still four months away, the effects of COVID-19 are rapidly evolving, and the emotional and physical health of our members is our primary concern. We also strive to be positive global citizens. Doing our part to stop the spread of the…

Help WPCampus redesign our website

A few months ago, The WPCampus community established a redesign working group with the goal of redesigning our community's main website: https://wpcampus.org. It's been an exciting project! The amazing group has been hard at work to create a new design and establish a decoupled infrastructure using WordPress and Gatsby, a static site generator. Complete a…

Call for speakers open for WPCampus 2020

The call for WPCampus 2020 session proposals is open! Join us in New Orleans for our fifth-annual conference and share all of the incredible things you're doing to advance Higher Education through WordPress and Accessibility. Apply to speak at WPCampus 2020 What is WPCampus 2020? WPCampus 2020 is a three-day conference event filled with sessions, networking,…

Save the date for WPCampus 2020 speaker proposals

The WPCampus community is excited to announce that our WPCampus 2020 call for proposals will be opening next week! We’re looking forward to another year of wonderful ideas, demonstrations, brainstorming, and benchmarking. What is WPCampus 2020? WPCampus 2020 is a three-day conference event filled with sessions, networking and social events. It will cover a variety…

Save the date for WPCampus 2020 in New Orleans

The WPCampus community is excited to announce the dates for our 2020 in-person conference. When and where Join us July 15-17, 2020 for three days of learning, sharing, and networking on the beautiful campus of Tulane University in New Orleans, Louisiana! We're grateful to the team at Tulane University IT for sponsoring our event and…

Vulnerable Plugins report for the week of September 13th, 2019

29 vulnerabilities this week, with 5 needing a fix (with some, possibly,  on the way). The first 3 vulnerabilities in the list are confirmations of possible vulnerabilities from last week. Search Exclude returns as last week's fix wasn't sufficient, LMS / VLE plugin LifterLMS has a serious vulnerability, Slimstat analytics returns for the third time…

Vulnerable Plugins report for the week of September 6th, 2019

26 vulnerabilities this week, with 7 needing a fix (with some, possibly,  on the way). Formidable Forms appears for the fourth time in a month, so you may wish to look elsewhere. Landing Pages by SwiftCloud is still on the directory (but closed), but the latest commit has deleted everything for unknown security reasons. In…

Vulnerable Plugins report for the week of August 30th, 2019

27 vulnerabilities this week, with 4 unfixed, but 1 being worked on. WooCommerce PayU India (PayUmoney – PayUbiz), Instamojo for WooCommerce and DW Mega Menu are all closed and show no sign of a fix - Ovic Addon Toolkit is closed, but is being worked on. It is an arbitrary file deletion vulnerability, so…

Vulnerable WordPress Plugins Report for the Week of August 23, 2019

Vulnerable Plugins There are eighteen issues this week, with two unfixed, and five where fixes have been committed but aren't showing as available yet in the public repository.  The most critical this week are a Privilege Escalation vulnerability in WP Front End Profile (fix available), a CSV Injection vulnerability in Import Export WordPress Users (fix…

Vulnerable WordPress Plugins Report for the Week of August 16, 2019

Vulnerable Plugins There are eighteen issues this week, with eight unfixed.  The most critical this week is an Arbitrary File Upload vulnerability via Cross-Site Request Forgery vulnerability in the Maintenance plugin. No fix is available as of this publishing date, and the plugin has been closed in the public repository. View this week's vulnerable plugins…

Vulnerable WordPress Plugins Report for the Week of August 9, 2019

Vulnerable Plugins There are eighteen issues this week, with three unfixed.  The most critical this week are Privilege Escalation vulnerabilities via Unauthenticated Option Update vulnerabilities in the Donations, Booking, Learning Courses, and Restaurant Reservations plugins (fixes available for all). View this week's vulnerable plugins list. Other News I'm back! Huge thank you goes out to…

Vulnerable Plugins report for the week of July 26th, 2019

27 vulnerabilities this week (which means so far in July we've had 105 issues), with 4 unfixed. It's a bad week for cache plugins, with WP Super Cache, WP Fastest Cache and Breeze all having fixes. View this week’s vulnerable plugins list. The WPCampus 2019 conference is currently happening! Check out the schedule for lots of…

WPCampus 2019 sessions will be live streamed for free

Registration for WPCampus 2019 may be closed but no worries! You can still attend many of our amazing sessions virtually. With the exception of workshops, sessions from WPCampus 2019 will be live streamed with captioning, thanks to the generous support of our partners at Pantheon. Visit the watch page on Friday, July 26 and Saturday,…

Vulnerable WordPress Plugins Report for the Week of July 12, 2019

Vulnerable Plugins There are twenty nine issues this week, with only one unfixed.  The most critical this week are Authenticated (low privileged user) Arbitrary Options Update vulnerability in the One Click SSL plugin (fix available) and in the WPTF Hybrid Composer plugin (fix available), and multiple critical issues in the File Manager (by mndpsingh287) plugin…

Vulnerable WordPress Plugins Report for the Week of July 5, 2019

Vulnerable Plugins There are twenty four issues this week, with five unfixed. The most critical this week is an unfixed Authenticated Arbitrary File Upload vulnerability with the MapsSVG Lite plugin and an unfixed Authenticated Remote Code Execution vulnerability in the Newsletter plugin. Both plugins have been closed in the public plugin repository. In addition, there…

Vulnerable WordPress Plugins Report for the Week of June 28, 2019

Vulnerable Plugins There are thirty four issues this week, with four unfixed.  The most critical this week is an unfixed Arbitrary Password Reset vulnerability with the Ultimate Members plugin.  Since this is a premium plugin, I do not have access to the source to verify.  According to the disclosure, the vendor has stated the fix…

Vulnerable WordPress Plugins Report for the Week of June 21, 2019

Vulnerable Plugins There are twenty issues this week, with three unfixed.  The most critical this week are an Arbitrary Settings Update vulnerability in Real Estate Manager (unfixed), a Cross-Site Request Forgery vulnerability that can lead to an Arbitrary File Upload in LionScripts: IP Blocker Lite (fix available), and a Cross-Site Request Forgery vulnerability that can…

Vulnerable WordPress Plugins Report for the Week of June 14, 2019

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week are two Arbitrary File Upload vulnerabilities in Finale WooCommerce Sale Countdown (fix available) and in LionScripts IP Blocker Lite (unfixed, remove immediately) plugins, an Authenticated Arbitrary File Upload vulnerability in Shipping Servientrega Woocommerce (unfixed, remove immediately), and an Authenticated…

Vulnerable WordPress Plugins Report for the Week of May 24, 2019

Vulnerable Plugins There are fifteen issues this week, with five unfixed.  The most critical this week is in WPGraphQL which includes Create administrative users Post comments on articles bypassing article restrictions and global moderation Retrieve content of password-protected posts/articles/pages Retrieve full list of registered users in the platform Retrieve full list of media, comments, themes…

Vulnerable WordPress Plugins Report for the Week of May 17, 2019

Vulnerable Plugins There are nineteen issues this week, with five unfixed. The most critical this week is the Sensitive Information Disclosure, Arbitrary File Deletion, and multiple Cross-Site Scripting vulnerabilities in Ultimate Member discovered by Sucuri earlier this week. There was also a Local File Inclusion vulnerability disclosed in Photo Gallery by 10Web that does not…

Vulnerable WordPress Plugins Report for the Week of April 26, 2019

Vulnerable Plugins There are nine issues this week, with five unfixed.  The two most critical are an Arbitrary File Upload vulnerability in the WooCommerce Checkout Manager plugin (closed in public repository) and an Authenticated Arbitrary Options Update in Free Adwords Campaigner plugin (also closed in the public repository). You should remove both plugins immediately until…

Vulnerable WordPress Plugins Report for the Week of April 5, 2019

Vulnerable Plugins There are twenty-two items on the list this week, with six unfixed. The issue with the most visibility this week by far, was the controversy surrounding the Pipdig Power Pack (P3) plugin.  If you're not familiar with what happened, I would suggest reading the write-up by WordFence and an extremely thorough write-up by…

Announcing WPCampus 2019. Call for Proposals Open!

We’re excited to officially announce WPCampus 2019! Join us July 25-27 at Lewis & Clark College in Portland, Oregon. About WPCampus 2019 WPCampus is a three-day conference event filled with sessions, networking and social events. It will cover a variety of topics, focused on accessibility and WordPress in higher education. Visit the About page to…

Vulnerable WordPress Plugins Report for the Week of March 29, 2019

Vulnerable Plugins There are seventeen items on the list this week, with twelve unfixed. View this week's vulnerable plugins list. Other Security News PuTTY released version 0.71 which addresses multiple security issues. PuTTY is often bundled with other software packages on Windows, so if you work on a Windows machine, double-check your PuTTY client version…

Vulnerable WordPress Plugins Report for the Week of March 22, 2019

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Unauthenticated Arbitrary wp_options import vulnerability in Easy WP SMTP, and the Unauthenticated SQL Injection vulnerability in Better Search both of which have been fixed in their most recent updates. View this week's vulnerable plugins…

WPCampus 2019 Call for Proposals: Save the Date!

Hello WPCampus friends! We’re excited to announce that our Call for Proposals for this year’s conference will be opening soon! We’re looking forward to another year of wonderful ideas, demonstrations, brainstorming, and benchmarking. Session Topics As in past years, we’re looking for a variety of topics on anything that might bring value to our community.…

Vulnerable WordPress Plugins Report for the Week of March 15, 2019

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Sensitive Information Disclosure/Authenticated Arbitrary File Read vulnerability in Caldera Forms Pro, and the Privilege Escalation vulnerability in SiteGround Optimizer. Both issues were discovered by Sucuri. View this week's vulnerable plugins list. Other WordPress Security…

Vulnerable WordPress Plugins Report for the Weeks of February 22 through March 1, 2019

Vulnerable Plugins Seventeen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. We're likely to see many more plugins updated over the next week as Freemius, a freemium framework used in thousands of plugins and themes, recently patched an authenticated options update vulnerability. They attempted to give developers some time…

Vulnerable WordPress Plugins Report for the Weeks of January 5, 2019 through January 18, 2019

Vulnerable Plugins Fifteen disclosures over the last two weeks, with twelve issues unfixed. View this week's vulnerable plugins list. The most severe issue from this report is a Confidential Information Leakage vulnerability with the Social Network Tab plugin that was found to be storing Twitter account access tokens and secrets in the source code of the…

Gutenberg Accessibility Audit Vendor Selection

WPCampus is excited to announce our selection of Tenon LLC to conduct an accessibility audit of the Gutenberg content editor. Founded by Karl Groves, Tenon is a leader in the accessibility testing field. We look forward to working with the team at Tenon over the coming weeks. Thank you to all of the companies who…

Vulnerable WordPress Plugins Report for the Week of December 14, 2018

Vulnerable Plugins Thirteen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News Version 5.0.1 was released earlier this week and corrects seven issues. If you have not upgraded to version 5.0 yet, fixes for all versions back to 3.7 are available. Other Security News As a…

Vulnerable WordPress Plugins Report for the Week of December 7, 2018

Vulnerable Plugins Fifteen disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Four issues are critical and should be updated immediately: Redirection for versions 3.6.2 and earlier has a potential remote code execution vulnerability Toolset Type for versions 2.3.3 and earlier has a privilege escalation vulnerability WooCommerce for versions 3.4.5…

Fundraising for WPCampus Gutenberg Accessibility Audit

Update to this post: Our vendor has been selected and our final fundraising goal has been set at $31,200. You can learn more about the entire project by attending The WPCampus Gutenberg Accessibility Audit session at WPCampus Online 2019. Last month, WPCampus released a request for proposals to conduct an accessibility audit of the WordPress…

Vulnerable WordPress Plugins Report for the Weeks of October 20 through November 2, 2018

Vulnerable Plugins There were eight disclosures over the last two weeks, with two issues unfixed, one unknown. The disclosures that will affect the most people are the stored cross-site scripting vulnerabilities in Elegant Themes' Divi Builder plugin, Divi theme and Extra theme. If you're using those products be sure to get the latest updates from Elegant…

WPCampus Releases Gutenberg Accessibility Audit RFP

WPCampus has released a request for proposals seeking an accessibility audit of the WordPress "Gutenberg" editor. Our organization is sensitive to the legal requirements set by Section 508 of the Rehabilitation Act. The recent 508 refresh brought these requirements in line with WCAG 2.0 level AA, an industry standard that helps ensure accessibility. WCAG 2.0…

Vulnerable WordPress Plugins Report for the Weeks of October 6 through October 19, 2018

Vulnerable Plugins There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is related to the recently disclosed vulnerability in the Blueimp JQuery File Upload Plugin package. However, there are less than 10 sites with the csv2wpec-coupon so it's unlikely…

Vulnerable WordPress Plugins Report for the Week of October 5, 2018

Vulnerable Plugins Seven disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. Other WordPress News Earlier this week, the WordPress core team announced the release date for WordPress version 5.0: November 19, 2018. This means the 4.9.9 release has been shelved unless the core team is unable to release 5.0 before the…

Vulnerable WordPress Plugins Report for the Week of September 28, 2018

Vulnerable Plugins Eight disclosures since last week, with two issues unfixed, and two unknown. View this week's vulnerable plugins list. Other WordPress Security News There were several reports this week that the United Nations' WordPress site was leaking "thousands or resumes" (The Register has since updated their story after I contacted them). As it turns out,…

Vulnerable WordPress Plugins Report for the Week of September 21, 2018

Vulnerable Plugins Ten disclosures since last week, with four issues unfixed, the most serious being an Authenticated Arbitrary File Upload vulnerability in Advanced Contact form 7 DB. View this week's vulnerable plugins list. Other Security News Specifics of the Remote Code Execution vulnerability in Moodle were disclosed earlier this week. The disclosure includes Proof-of-Concept code so…

Vulnerable WordPress Plugins Report for the Weeks of September 1 through September 14, 2018

Vulnerable Plugins Apologies for not sending out a report last week. There were seven disclosures over the last two weeks, with two issues unfixed. View this week's vulnerable plugins list. WordPress News The roadmap for version 4.9.9 was released earlier this week. The schedule currently proposes 4.9.9 being released during the first week of November. …

Vulnerable WordPress Plugins Report for the Week of August 31, 2018

Vulnerable Plugins Nine disclosures since last week, with four issues unfixed. Additionally, Ninja Forms has released version 3.3.14 which addresses the CSV Injection vulnerability disclosed last week. View this week's vulnerable plugins list. Other Security News Joomla! released version 3.8.12 which addressed three security issues: potential file upload vulnerability, stored cross-site scripting vulnerability, and an ACL Violation in custom…

Vulnerable WordPress Plugins Report for the Week of August 24, 2018

Vulnerable Plugins Five disclosures since last week, with four issues unfixed, the most serious being an unfixed CSV Injection vulnerability in Ninja Forms. View this week's vulnerable plugins list. Other Security News phpMyAdmin released a patch earlier this week that addresses an authenticated, stored cross-site scripting issue.  Similarly, the Apache Foundation released a critical patch earlier…

Vulnerable WordPress Plugins Report for the Weeks of July 27 through August 10, 2018

Vulnerable Plugins Somehow (thankfully) there has been only one public disclosure over the last two weeks: an Unauthenticated Arbitrary File Upload vulnerability in the Ultimate Member plugin that has been patched with version 2.0.23. View this week's vulnerable plugins list. An Unauthenticated Arbitrary File Upload is a critical vulnerability, so you should update this plugin…

Vulnerable WordPress Plugins Report for the Weeks of July 9 through July 20, 2018

Vulnerable Plugins Eight disclosures over the last two weeks, with five issues unfixed, one critical. An authenticated arbitrary file upload vulnerability has been identified in the MapSVGLite plugin that remains unfixed. You should remove the plugin as soon as possible until the issue has been resolved. View this week's vulnerable plugins list. Other WordPress News The…

Meet DDEV, WPCampus 2018 Sponsor

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. With DDEV, we’re making it easier every day to get your web development…

PSA: Arbitrary File Deletion vulnerability in all current versions of WordPress

Update 20180705: version 4.9.7 has been released and addresses the issue below.  RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all versions of WordPress.  The vulnerability requires a role of Author or greater in order to exploit.  The exploit allows an authenticated user to delete any file on the server that…

Meet BoldGrid, WPCampus 2018 Sponsor

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. BoldGrid is pleased to announce the sponsorship of the 2018 WPCampus conference.…

Vulnerable WordPress Plugins Report for the Week of June 22, 2018

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Including this one only because I never imagined someone being held at gunpoint to steal a domain name Sherman Hopkins, Jr., 43, from Cedar Rapids, Iowa, broke into the victim's house, held the victim at…

Meet Pantheon, WPCampus 2018 Sponsor

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. The WPCampus community is proud to announce Pantheon as a President Sponsor…

Meet CampusPress, WPCampus 2018 Sponsor

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. CampusPress is thrilled to help support WPCampus for the 3rd year in…

Vulnerable WordPress Plugins Report for the Week of June 15, 2018

Vulnerable Plugins Ten disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other Security Came across a fun little security testing playground.  Allows you to spin up multiple vulnerable applications to practice security concepts and exploits and provide first-hand experience.  Each one has an explanation of the vulnerabilities in the…

Meet 10up, WPCampus 2018 Sponsor

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. 10up is honored to support WPCampus this year through sponsorship, speaking, and…

Vulnerable WordPress Plugins Report for the Week of June 7, 2018

Vulnerable Plugins Seventeen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security Defiant released a whitepaper earlier this week covering a new WordPress malware they've been tracking and have dubbed "BabaYaga". Ryan Dewhurst (@ethicalhack3r and contributor to WPScan) released a report covering how many sites of the…

Meet SiteLock, WPCampus 2018 Sponsor

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure to check out their services and say hi to them in St. Louis. The internet was born on university campuses. It started with an "Interface…

Vulnerable WordPress Plugins Report for the Week of June 1, 2018

Vulnerable Plugins Ten disclosures since last week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News As I mentioned last week, a new malware, dubbed VPNFilter, was discovered to be targeting home/SOHO network devices.  The FBI has released an advisory recommending all owners of routers (which is just about everyone with…

Vulnerable WordPress Plugins Report for the Week of May 25, 2018

Vulnerable Plugins Six disclosures since last week, with three issues still unfixed. View this week's vulnerable plugins list. WordPress Security News Wordfence released an interesting report on Tuesday that showcased an attack whereby hackers used compromised WordPress.com sites to install backdoor plugins on self-hosted WordPress sites via Jetpack's remote management capabilities.  If you use a…

Vulnerable WordPress Plugins Report for the Week of May 18, 2018

Vulnerable Plugins Eleven disclosures since last week, with one critical unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has fixed the issue. View this week's vulnerable plugins list. Other WordPress News Version 4.9.6 of WordPress was released yesterday.  While many (myself included) assumed this was…

Vulnerable WordPress Plugins Report for the Week of May 11, 2018

Vulnerable Plugins Three disclosures since last week, with all three issues unfixed.  WP Google Drive has not been updated in six years and should be replaced, if you haven't already. View this week's vulnerable plugins list. Other WordPress News The release candidate for version 4.9.6 is now available.  The tentative official release date has been moved…

Vulnerable WordPress Plugins Report for the Week of May 4, 2018

Vulnerable Plugins Two disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.6 is now in beta, with a tentative official release date of May 15th.  4.9.6 contains 10 bug fixes, and 34 features/enhancements, most of which revolve around privacy and personal data tools to assist…

Vulnerable WordPress Plugins Report for the Week of April 27, 2018

Vulnerable Plugins Twelve disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Cross-Site Request Forgery vulnerability disclosed in phpMyAdmin 4.8.0 and earlier; TPLink Router TLWR740N Remote Code Execution vulnerability disclosed; Unvalidated Redirect in Shibboleth component of Blackboard Learn

Vulnerable WordPress Plugins Report for the Week of April 13, 2018

Vulnerable Plugins Nine disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Apologies for not getting this report out on Friday. I had other issues pop up that required my attention and didn't leave me with enough time to complete the report on Friday.  Speaking of which, my responsibilities at…

Vulnerable WordPress Plugins Report for the Week of April 6, 2018

Vulnerable Plugins Three disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As previously mentioned, v4.9.5 was released on April 3rd.  While it was originally announced as a maintenance release, it does contain three security fixes.   If you haven't already, you should get the 4.9.5 update into…

Vulnerable WordPress Plugins Report for the Week of March 30, 2018

Vulnerable Plugins Seven disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As noted last week, WordPress version 4.9.5 is scheduled for release on April 3rd. Originally, it was to include administrative dashboard call-outs to try-out Gutenberg, but those have now been removed: the Try Gutenberg callout will ultimately not land…

Vulnerable WordPress Plugins Report for the Week of March 23, 2018

Vulnerable Plugins Three disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.5 of WordPress is now in beta and has been scheduled for release on April 3rd. While 4.9.5 will be a maintenance release, it will interestingly include administrative dashboard call-outs to try-out Gutenberg (h/t…

Vulnerable WordPress Plugins Report for the Week of March 16, 2018

Vulnerable Plugins Thirteen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. As with previous weeks, there are a few fairly popular plugins in this week's list: Duplicator - WordPress Migration Plugin, WP Job Manager (both have updates available), Limit Login Attempts Reloaded, and Limit Login Attempts (no updates available).  Make sure…

GutenDay at NC State

In addition to this blog post, you can hear more about NC State's GutenDay on the WPCampus Podcast! We were vaguely aware of Gutenberg all through 2017. Our team in NC State's central IT unit was kind-of listening to the Gutenberg chatter, and we had tested it enough to know we didn't want to think…

Vulnerable WordPress Plugins Report for the Week of March 2, 2018

Vulnerable Plugins Seven disclosures since last week, with only one issue unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's list: MainWP-Child, and WP Fastest Cache.  Make sure to get these updates into your change management cycle as soon as possible. Other Security News…

Vulnerable WordPress Plugins Report for the Weeks of February 9, 2018 and February 16, 2018

Vulnerable Plugins Eighteen disclosures over the last two weeks, with nine issues unfixed. View the last two weeks' vulnerable plugins list. Other Security News Way back in 2014, Google announced its plans to push for "HTTPS everywhere".  In 2015, they began downranking non-https links in favor of https links.   Last October, starting with the release…

Version 4.9.3, Version 4.9.4 and the Denial of Service Vulnerability

As I mentioned on Friday, WordPress version 4.9.3 was released as scheduled Monday mid-day. If you have auto-updates enabled, you might have been surprised to see another WordPress update (4.9.4) come through Tuesday morning around 10am (CST). It seems there was a severe bug in 4.9.3 that caused the auto update feature to break in some sites…

Vulnerable WordPress Plugins Report for the Week of February 2, 2018

Vulnerable Plugins Seven disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress News WordPress core announced on Tuesday version 4.9.3 will be delayed until Monday, February 5th.  So now you know what you're doing on Monday. ;) Other Security News Also on Tuesday, Cisco disclosed a vulnerability in the…

Vulnerable WordPress Plugins Report for the Week of January 12, 2018

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. WordPress Security News Version 4.9.2 was released on Tuesday. It is a security and maintenance release and addresses a Cross-Site Scripting vulnerability and 21 other bugs.  If you do not have auto-updates enabled, definitely get the update into…

Vulnerable WordPress Plugins Report for the Weeks of December 29, 2017 and January 5, 2018

Vulnerable Plugins Ten disclosures over the last two weeks, with four issues unfixed. View this week's vulnerable plugins list. I hope everyone had a wonderful and relaxing holiday break. Unfortunately, vulnerabilities and disclosures did not rest. Two critical situations were disclosed during that time: an Unauthenticated Arbitrary File Upload discovered in the LearnDash LMS plugin by…

Vulnerable WordPress Plugins Report for the Week of December 22, 2017

Vulnerable Plugins Twenty-six disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha (300K installs) contained backdoor code.  In looking through the repository, it appears the code was introduced in v4.3.6 of the plugin.  Version 4.4.5 was released earlier…

Vulnerable WordPress Plugins Report for the Week of November 17, 2017

Vulnerable Plugins Twenty-two disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The critical updates you should be aware of from this week's list are in Formidable Forms, discovered by Klikki Oy, and in WP Support Plus Responsive Ticket System, discovered by Robert Mathews. If you are using either of these plugins, please make…

Vulnerable WordPress Plugins Report for the Week of November 10, 2017

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week's vulnerable plugins list. The most interesting disclosure this week, in my opinion, is that for the Animated Weather Widget plugin reported by Wordfence.  While the plugin itself did not contain a vulnerability, the plugin generated an iframe that contained content from weatherfor.us…

Vulnerable WordPress Plugins Report for the Week of November 3, 2017

Vulnerable Plugins Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet). View this week's vulnerable plugins list. The largest disclosure this week was definitely the SQL Injection vulnerability patched in v4.8.3 of core. The patch even got its own haiku (courtesy of pagely.com): WordPress Halloween. We…

Please Update to WordPress v4.8.3 Immediately

Version 4.8.3 was just released moments ago. It addresses a SQL Injection issue discovered by Anthony Ferrara: https://twitter.com/ircmaxell/status/923662170092638208 Confirmation from Anthony: https://twitter.com/ircmaxell/status/925366959612538882 WordPress posts concerning the update: https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/ and https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/ If you have auto-update enabled you should receive the update automatically this morning. If you do not have auto-update enabled, please update ASAP.

Vulnerable WordPress Plugins Report for the Week of October 27, 2017

Vulnerable Plugins Nine disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. The largest disclosure this week was most likely the SQL Injection combined with Object Injection vulnerability in the Contact Form for WordPress - Ultimate Form Builder Lite plugin disclosed by Wordfence. At the time of discovery, the vulnerability was…

Vulnerable WordPress Plugins Report for the Week of October 6, 2017

Vulnerable Plugins Fourteen disclosures this week, with six issues unfixed, with three of those critical. View this week's vulnerable plugins list. The big news this last week, at least in terms of coverage, was the disclosure by Wordfence of three plugins vulnerable to Object Injection vulnerabilities.  Luckily, all three plugins have been fixed with updates…

Vulnerable WordPress Plugins Report for the Week of September 29, 2017

Vulnerable Plugins Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository. View this week's vulnerable plugins list. As a point of clarification, since there seems to be some confusion: I am not the discoverer of the vulnerabilities listed in the spreadsheet.  There is a column labeled…

Vulnerable WordPress Plugins Report for the Week of September 1, 2017

Vulnerable Plugins Ten disclosures this week, with three issues unfixed. View this week's vulnerable plugin list. The disclosure with the most visibility this week was in WooCommerce Product Vendors, where researchers from SiteLock discovered an unauthenticated, reflected Cross-Site Scripting vulnerability.  Automattic was quick to patch the vulnerability and promptly released version 2.0.40. Also disclosed this…

Vulnerable WordPress Plugins/Themes Report for the Week of August 25, 2017

Vulnerable Plugins/Themes Seven disclosures this week, with zero issues unfixed. YAY! View this week's vulnerable plugin list. This week, let's look at the Authenticated, Unauthorized Information Disclosure vulnerability in version 1.1.0 of Advanced Contact Form 7 DB plugin, as you may be asking how there can be a problem if someone is already authenticated.  Authentication…

Vulnerable WordPress Plugins/Themes Report for the Week of August 18, 2017

Vulnerable Plugins/Themes Eleven disclosures this week, with three issues unfixed. View this week's vulnerable plugin list. Going to highlight a couple from this week. The first is the discovery by researcher Lenon Leite who discovered a SQL Injection vulnerability in the plugin Link Library.  Just like with last week's SQL Injection examples, this vulnerability requires an authenticated user…

Vulnerable WordPress Plugins Report for the week of August 4, 2017

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. One of the disclosures is actually from last week that I intended to include but forgot.  I want to bring attention to it because it highlights how vulnerabilities can, and often are, stacked.  Wordfence recently wrote about how attackers…

Vulnerable WordPress Plugins Report for the Week of July 28, 2017

Vulnerable Plugins It was a busy week while I was away.  Twenty disclosures, with eleven issues unfixed.  In concerns to both Formcraft Form Builder, and Ultimate Affiliate Pro, since they are paid plugins, I do not have access to the source code in order to verify the disclosures.  In addition, I'm assuming the vulnerabilities still…

Vulnerable WordPress Plugins Report for the week of July 7, 2017

Vulnerable Plugins Only four plugins with disclosed vulnerabilities this week, none of which remain unpatched! That's the fewest number of disclosures in a week since I started doing this report.  You'll notice WP Statistics made a repeat appearance after being on last week's report for a SQL Injection vulnerability.  This week's appearance is due to an Authenticated…

Vulnerable WordPress Plugins Report for the Week of June 30, 2017

Vulnerable Plugins Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft which contains two unfixed SQL Injection vulnerabilities.  The packetstorm post mentions the vulnerability being in "FormCraft Basic" but that the plugin directory for google dorking is "formcraft". The version in the public repository definitely contains the vulnerability,…

Vulnerable WordPress Plugins Report for the Week of June 23, 2017

Vulnerable Plugins This week's list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities.  Unfortunately, one of them is a repeat offender: Photo Gallery by WD, which made an appearance in the May 5, 2017 report for a SQL Injection vulnerability.  This time around,…

Vulnerable WordPress Plugins Report for the Week of June 16, 2017

Introduction The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I've historically created these weekly vulnerable plugin reports for the WordPress admins at the University of Missouri campus as a way to help them identify plugins and themes that need to be updated quickly. I began…
