Fifteen disclosures over the last two weeks, with twelve issues unfixed.
View this week’s vulnerable plugins list.
The most severe issue in this report is a Confidential Information Leakage vulnerability in the Social Network Tab plugin, which was found to be writing Twitter account access tokens and secrets into the source of the page where it was used. If you are using this plugin, assume your access tokens have been compromised, invalidate the tokens, and change the account password. You can read more about it here and here.
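To make the class of bug concrete, the following is an added illustrative example written for this post; it is not the Social Network Tab plugin's code, and the `snt_*` function names and option keys are hypothetical. The first function shows how credentials end up in the HTML when they are passed to the browser, and the rest shows the alternative: the server signs the API request itself and only the already-fetched public content reaches the page.

```php
<?php
// Added illustrative example, not code from the Social Network Tab plugin.
// The snt_* function names and option keys are hypothetical.

// INSECURE PATTERN: wp_localize_script() writes every value it is given into
// an inline <script> in the HTML. Anyone who views the page source can copy
// the consumer secret and access secret, which is the leak described above.
function snt_insecure_enqueue() {
    wp_enqueue_script('snt-widget', plugins_url('widget.js', __FILE__), array(), '1.0', true);
    wp_localize_script('snt-widget', 'sntConfig', array(
        'consumerKey'    => get_option('snt_consumer_key'),
        'consumerSecret' => get_option('snt_consumer_secret'),
        'accessToken'    => get_option('snt_access_token'),
        'accessSecret'   => get_option('snt_access_secret'),
    ));
}

// SAFER PATTERN: the server fetches the timeline; the browser only receives
// rendered, escaped tweet text. The secrets never leave wp_options.
function snt_secure_render() {
    $tweets = get_transient('snt_timeline_cache');
    if (false === $tweets) {
        $tweets = snt_fetch_timeline();
        set_transient('snt_timeline_cache', $tweets, 5 * MINUTE_IN_SECONDS);
    }
    foreach ($tweets as $tweet) {
        echo '<p>' . esc_html($tweet['text']) . '</p>';
    }
}

// Build an OAuth 1.0a Authorization header (HMAC-SHA1) and call the v1.1
// user_timeline endpoint that was current when this post was written.
// The credentials are used for signing only; nothing here is echoed.
function snt_fetch_timeline() {
    $url   = 'https://api.twitter.com/1.1/statuses/user_timeline.json';
    $query = array('count' => '5');
    $oauth = array(
        'oauth_consumer_key'     => get_option('snt_consumer_key'),
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => get_option('snt_access_token'),
        'oauth_version'          => '1.0',
    );

    // Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    $params = array_merge($query, $oauth);
    ksort($params);
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    $base = 'GET&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
    // Signing key: encoded consumer secret & encoded token secret.
    $key  = rawurlencode(get_option('snt_consumer_secret')) . '&'
          . rawurlencode(get_option('snt_access_secret'));
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));

    $header_parts = array();
    foreach ($oauth as $k => $v) {
        $header_parts[] = rawurlencode($k) . '="' . rawurlencode($v) . '"';
    }

    $response = wp_remote_get($url . '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986), array(
        'headers' => array('Authorization' => 'OAuth ' . implode(', ', $header_parts)),
        'timeout' => 10,
    ));
    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        return array(); // Fail closed: render nothing rather than error details.
    }
    $data = json_decode(wp_remote_retrieve_body($response), true);
    return is_array($data) ? $data : array();
}
```

A quick self-check for any site running a social plugin is to view the rendered page source (or fetch it with curl) and search for the values stored in the plugin's settings screen; with the second pattern the only thing that appears is the escaped tweet text, and rotating the tokens requires no change to any page.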
Other WordPress Security News
As reported by several outlets, researchers from Imperva have reported a 30% increase in WordPress-related vulnerabilities between 2017 and 2018, rising from 418 to 542, compared with a 21% increase in web vulnerabilities overall. As in previous years, the large majority of WordPress-related vulnerabilities (98%) were in plugins and themes.
In terms of security, plugins remain the Achilles’ heel of WordPress.
Other Security News
Joomla released version 3.9.2 that, among other things, addresses several stored cross-site scripting vulnerabilities.
Drupal also released security patches (8.6.6, 8.5.9, and 7.62) earlier this week that address a remote code execution vulnerability and an Object Injection (via unserialize) vulnerability.