Vulnerable Plugins/Themes
Eleven disclosures this week, with three issues unfixed.
View week's vulnerable plugin list.
Going to highlight a couple from this week. The first is the discovery by researcher Lenon Leite who discovered a SQL Injection vulnerability in the plugin Link Library. Just like with last week's SQL Injection examples, this vulnerability requires an authenticated user with permissions to access the plugin’s settings in order to execute the exploit. As before, in most situations this will be someone with an administrator account who, if were a bad actor, could cause more damage in other ways. But it once again highlights that we need to make sure people are given the minimum amount of privileges to perform their jobs, and as developers, ensure that we are parameterizing/binding all queries.
The second one I want to highlight was discovered by researcher Paul Dannewitz, who discovered a SQL Injection vulnerability in the plugin I Recommend This. I Recommend This has over 40K active installs, and only requires a user to have a subscriber-level role. What's particularly interesting about this exploit is that vulnerability is in the handling of data passed in via a shortcode. It's an excellent example how as a developer, you can't trust data from any source.
Other Security News
Drupal released an update yesterday that addressed one critical vulnerability and two moderately critical vulnerabilities in the 8.X branch, and an update to the Views module for sites on the 7.X branch.
Alert Logic released their 2017 Cloud Security Report earlier this week. During an 18 month period, they tracked over 2 million security incidents, from 3800 customers. While ransomware has certainly been making the headlines, it was web application attacks that made up almost 75% of those tracked incidents with SQL Injection attacks making up just over half, leading Alert Logic to state:
Web applications are the soft underbelly of your organization – the number-one means by which attackers breach data.
Many of the web applications attacks targeted third-party components (i.e. plugins and themes) which, as developers, is on us. If you are creating custom plugins or themes, please set aside some time to go through some secure coding tutorials. If you'll be attending HighEdWeb this year (and I highly recommend it) come take my security-focused pre-conference workshop. Check out the OWASP Secure Coding Practices quick reference guide, or look into some tutorials over at lynda.com. It's up to us to step up our game and help secure the web.
Speaking of ransomware, Wordfence put out an interesting post about a new ransomeware that's targeting WordPress specifically. From reading the article, it appears that after compromising the site (WordFence fails to say how the sites are initially compromised), the site is then encrypted and held ransom until the owner pays the ransom. The best way to protect yourself is the same as always: keep WordPress core, your plugins and your themes up-to-date, be skeptical of any third-party code you add to your site, and lock as many things down as possible.
Sucuri did a follow-up post to their post last week on backing up your site using command-line tools: How to Restore Website Backups from the Command Line. If you liked last week's post, definitely check out this one.
Last, Sucuri also did a post earlier this week on deconstructing a piece of malware. If you enjoy looking into how malware is constructed and obfuscated, their post is well worth the read.