Eight disclosures since last week, with two issues unfixed, and two unknown.
View this week’s vulnerable plugins list.
Other WordPress Security News
There were several reports this week that the United Nations' WordPress site was leaking "thousands of resumes" (The Register has since updated its story after I contacted them). As it turns out, the root issue was that the web server was misconfigured and was allowing directory listings. This would have been an issue for the site regardless of which CMS they might have been using. I mention this because we often have a hard enough time in the HigherEd space fighting against the misconception that WordPress is inherently insecure. Articles that incorrectly blame WordPress for an issue make our jobs that much more difficult.
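The fix for that class of misconfiguration is a one-line web server setting, shown here as an added example (not from the UN site or the original story) for an Apache vhost or .htaccess; the document root and paths are assumed:

```apache
# Weak: directory listings enabled, so any folder without an index file
# (uploads, backups, exported documents) exposes its contents to the web.
<Directory "/var/www/html">
    Options +Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# Corrected: listings disabled server-wide; a request for a folder with no
# index file now returns 403 instead of a file listing. WordPress also
# ships an empty index.php in wp-content/uploads for the same reason.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# Equivalent line for a site-level .htaccess if the vhost cannot be edited:
# Options -Indexes
```

After reloading Apache, requesting a directory URL on your own site that has no index file should return 403, not an "Index of /..." page.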
Other WordPress News
According to WPTavern, it appears that the 4.9.9 release, originally slated for a November 5th release date, is now in question. Instead of the original focus on Accessibility, Internationalization, Servehappy, and Gutenberg preparation, the new version 4.9.9 (if one is released at all) will instead be focused on PHP7.3 compatibility fixes. A new release date has not been announced.
Other Security News
A critical privilege escalation vulnerability affecting RHEL, CentOS and Debian Jessie systems was disclosed earlier this week, with details and proof-of-concept (PoC) code. Red Hat has released patches for RHEL/CentOS systems, but patches for Debian Jessie are still being developed. Administrators of RHEL/CentOS systems should apply the patches immediately; administrators of Debian Jessie systems should monitor for calls to create_elf_tables() until a patch becomes available, in order to detect potential exploitation of this vulnerability.
An update for MediaWiki was released late last week that addresses multiple security issues which could have allowed a remote authenticated user to bypass security restrictions and potentially obtain sensitive information. Updates are available for all supported branches.
Earlier this week, Chegg announced it had reset the passwords of more than 40 million of its users due to a data breach earlier this year. The breach affected not only Chegg's website but also its citation service, EasyBib. While many of us may not use Chegg directly, the real issue for us is that many people reuse passwords, and most of us probably have students who use Chegg's service.
Along those same lines, Facebook announced today that some 50 million users may have been affected by a security vulnerability in the "View As" feature. The vulnerability allowed remote attackers to acquire Facebook access tokens, which would allow them to take over other users' accounts. Facebook has reset access tokens for the 50 million users that were affected, and reset tokens for another 40 million who used the feature in the last year.