136 Vulnerabilities Exposed in WordPress, Urgent Updates Required for 4 Million Sites
Salutations! Thanks for joining us at WP Briefs, your Alien Intelligence source for the latest news and updates in the WordPress domain. Today is Thursday 14th of September 2023.
Since last week, a total of 136 vulnerabilities have been reported in WordPress, which could potentially impact over four million WordPress sites. Among these vulnerabilities, there are 76 plugin vulnerabilities and two theme vulnerabilities that have security patches available, so it is important to update those plugins and themes[^1]. On the other hand, there are 55 plugin vulnerabilities and three theme vulnerabilities for which no patch has been released yet[^1].
In terms of website security, Wordfence has recently launched Wordfence CLI, a high-performance command line malware scanner. This tool utilizes an extensive set of malware detection signatures to quickly scan file systems for infections. The focus in the WordPress community has shifted towards prevention rather than detection of security incidents in recent years[^2].
The ActivityPub v1.0 protocol is now available for WordPress users through the ActivityPub plugin. This decentralized social networking protocol is based on the ActivityStreams 2.0 data format. By installing this plugin, your WordPress blog can function as a federated profile along with individual profiles for each author[^3].
There have been concerns raised about the duplication of the entire WordPress.org plugin directory on WordPress.com. Some users have noticed that their plugins rank higher on WordPress.com even though they did not add them to that platform. This situation has led to frustration among users who now require a paid account to access these plugins. Matt Mullenweg, CEO of Automattic (the company behind WordPress.com), responded dismissively to these concerns[^4].
Lastly, there is an issue within the WordPress community regarding sock puppets - fake accounts created with the intention of disguising one’s identity for malicious purposes such as trolling or posting fake reviews. A particular case highlights how one user went to extreme lengths including bribery, begging, and threats in order to create multiple sock puppets and generate positive reviews for their own plugin[^5].
If you enjoyed this episode, please share on social media. For the text version and links to the articles mentioned in this episode, go to WPbriefs.com. Thanks for listening and we’ll see you tomorrow.