Three disclosures since last week, with all issues fixed. However, right as I was writing this post, Wordfence released a post detailing multiple vulnerabilities in the plugin Total Donations that can lead to a complete site takeover. The plugin appears to be abandoned, so there is a high chance it will not be fixed. If you are using this plugin, you are encouraged to delete it immediately.
View this week’s vulnerable plugins list.
Other WordPress Security News
Beta 2 of WordPress 5.1 was released today, with the final version scheduled for release on February 21st. 5.1 brings a number of interesting features, but one in particular is causing some controversy. 5.1 will introduce a collection of PHP Site Health mechanisms to encourage and aid site owners in upgrading their installed version of PHP. One specific feature of Site Health has been dubbed White-Screen-of-Death (WSOD) protection. The idea is that if a plugin or theme causes a fatal error, WordPress will catch the error and suspend the offending code so that an administrator can still log into the backend to update or remove it. While a good idea in theory, several have pointed out that this feature could be abused to disable non-offending plugins, thereby bypassing security functionality. From the Make WordPress post it appears that this functionality will be enabled by default when 5.1 drops. A new configuration option (WP_DISABLE_FATAL_ERROR_HANDLER) is available to disable this feature. Given its possibility for abuse, I would encourage you to disable this feature except when updating/upgrading your site.
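Since the advice above is to keep WSOD protection off except during an update window, here is an added shell helper (my own example, not code from WordPress or the Make post) that sets the constant in wp-config.php and reports its state. It assumes the function name wsod_protection, that defining WP_DISABLE_FATAL_ERROR_HANDLER as true turns the feature off, and that the constant must appear before the line that requires wp-settings.php, where WordPress reads wp-config.php constants.

```bash
#!/usr/bin/env bash
# Toggle WSOD protection via WP_DISABLE_FATAL_ERROR_HANDLER in a wp-config.php.
#   wsod_protection <wp-config.php> off     -> define(..., true)  (protection disabled: steady state)
#   wsod_protection <wp-config.php> on      -> define(..., false) (protection enabled: update window)
#   wsod_protection <wp-config.php> status  -> prints "disabled" or "enabled"
set -eu

wsod_protection() {
  local cfg="$1" action="$2" value
  case "$action" in
    off) value=true ;;
    on)  value=false ;;
    status)
      # "disabled" only when an explicit define(..., true) is present; anything else is the 5.1 default (enabled).
      if grep -Eq "^[[:space:]]*define\([[:space:]]*'WP_DISABLE_FATAL_ERROR_HANDLER'[[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo disabled
      else
        echo enabled
      fi
      return 0 ;;
    *) echo "usage: wsod_protection <wp-config.php> off|on|status" >&2; return 2 ;;
  esac

  cp "$cfg" "$cfg.bak"   # keep a rollback copy of the config before rewriting it
  # Replace an existing define in place; otherwise insert one just before wp-settings.php is required,
  # so the constant is defined before core evaluates it. Never emit it twice.
  awk -v def="define( 'WP_DISABLE_FATAL_ERROR_HANDLER', $value );" '
    /^[[:space:]]*define.*WP_DISABLE_FATAL_ERROR_HANDLER/ { print def; done = 1; next }
    /require_once.*wp-settings\.php/ && !done           { print def; done = 1 }
    { print }
  ' "$cfg.bak" > "$cfg"
}

if [ "$#" -ge 2 ]; then
  wsod_protection "$@"
fi
```

Run `wsod_protection /path/to/wp-config.php on` right before applying updates and `off` again afterwards.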
Other Security News
If you use PEAR’s package manager (go-pear.phar) and have downloaded it from the PEAR site any time over the last two months, it is possible your copy is tainted. Maintainers at the PEAR repository took down the official PEAR website and then announced the PEAR website had been compromised. A clean version is available on the PEAR GitHub site. You are encouraged to checksum your version against the clean version, or replace your copy with the known-clean version and then scan your systems.
I’ll be joining Pantheon next Thursday (the 31st) at 12:00pm CST to discuss WordPress application security in a higher education setting. Registration is now open.
Unfortunately, my webinar with Pantheon just happens to be on the exact same day as WPCampus Online 2019, and at the exact same time as Rachel and Brian’s report on the WPCampus Gutenberg Accessibility Audit. I strongly encourage everyone to take advantage of this free online conference as it features some incredible speakers covering a wide range of topics (don’t miss Adam Arrowood’s presentation What to expect when you’re expecting to be hacked: WordPress edition). And while I would love to have all of you attend my webinar, the Gutenberg Accessibility Audit is extremely important not only to higher education, but to everyone who uses WordPress. Don’t miss it.