Vulnerable Plugins
There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is related to the recently disclosed vulnerability in the Blueimp JQuery File Upload Plugin package. However, there are less than 10 sites with the csv2wpec-coupon so it's unlikely any of you are using it.
View this week's vulnerable plugins list.
Other Security News
Larry Cashdollar, a security researcher with Akamai, disclosed an issue with the Blueimp JQuery File Upload Plugin earlier this week. The plugin includes code that allows for unauthenticated file uploads and did not include code in the upload process to verify user authorization to perform the upload. The package does include an .htaccess file to force the download of any uploaded file; however, this assumes the site is using Apache for the web server, and that Apache is set up to follow user-land htaccess files. Unfortunately, the codebase has over 7000 forks and has been bundled into numerous other packages. While a fix has been released, it will take some time, if ever, to get the updated code into all the different packages where it has been included. We'll most likely see this vulnerability crop up again as researchers and threat agents discover its use in other packages.
The 5.X branch of PHP will officially reach end-of-life for security updates as of December 31 of this year. Unfortunately, according to w3techs.com, version 5.X of PHP makes up 78.1% of all php websites, with 78.9% of all sites tracked using PHP. This means that by the end of the year, 60% of all sites online will be running an unsupported version of PHP. If your institution is still on 5.X begin engaging with your System Administrators to begin plans to upgrade as soon as possible. As an added bonus, PHP7.X is significantly faster than PHP5.X. Hopefully this final death knell of PHP5.X will push WordPress core to finally update the minimum PHP version to something more current.
Other News
HighEdWeb 2018 starts this weekend. I sincerely hope that I'll be seeing many of you there. I'll be doing a lightning talk on Information Security on Tuesday afternoon. Feel free to grab me during the conference as I'm always up for a chat on security!