20170505 Vulnerable Plugins/Themes Report and other WordPress Security News

This week’s report.

The other big news this week was the two disclosures concerning WordPress core: the Unauthorized Password Reset and Unauthenticated Remote Code Execution vulnerabilities.  Ryan Dewhurst (of the WPScan team) did an excellent write-up on these two vulnerabilities, and I encourage you to read it.  The TL;DR: keep your WordPress instance up-to-date, and if you aren’t on the latest branch (4.7.X) you need to get moved over.

For the Password Reset vulnerability it’s important to note that the scenarios under which this attack can be exploited are limited.  In addition, if you are limiting access to the login area by IP address, which I strongly recommend, then this attack is mostly mitigated unless the attack is happening from inside your allowed network ranges.  I’ll admit though, I’m a little disappointed in the Core team that they didn’t fix this when it was first reported to them, considering it shouldn’t be that hard to fix. Hopefully we’ll see them address it in v4.7.5.
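As an added example (not part of the original post), here is the kind of IP restriction on the login area described above, written as an Apache 2.4 `.htaccess` fragment. The network ranges are placeholders; substitute the ranges your administrators actually connect from, and remember that anything behind a reverse proxy will present the proxy's address rather than the client's unless the proxy is configured to pass the real source through.

```apache
# Added example, not from the post: restrict wp-login.php (and the XML-RPC
# endpoint, which also accepts credentials) to known administrator networks.
# 203.0.113.0/24 and 198.51.100.7 are documentation-range placeholders.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

<Files "xmlrpc.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>
```

With this in place a password-reset request that is sent straight to the login form from outside those ranges never reaches WordPress at all, which is why the author describes the attack as mostly mitigated; an attacker already inside an allowed range is the remaining case.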

Interestingly, both vulnerabilities revolve around the same problem I corrected in the last update to my wpDirAuth plugin: trusting the `$_SERVER` variables `SERVER_NAME` and `HTTP_HOST`.  As I have said previously, all data is tainted.  If you didn’t write it into your code yourself, you can’t trust it.
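To make the "all data is tainted" point concrete, here is an added PHP example (mine, not the post's code and not WordPress core or the wpDirAuth plugin) showing an assumed mail helper that builds a sender address from `$_SERVER['SERVER_NAME']`, beside a version that derives the host from the administrator-configured site URL, plus a check for code that still has to look at the request host. The function names prefixed `example_` are hypothetical; `home_url()`, `wp_parse_url()` and the `wp_mail_from` filter are real WordPress APIs.

```php
<?php
// Added example, not from the post or from WordPress/wpDirAuth code.
// Illustrates the tainted-host pattern and a hardened replacement.

// Tainted pattern: SERVER_NAME and HTTP_HOST are populated from the
// incoming request (the Host header, or the server's fallback for a
// request with no matching virtual host), so whoever sends the request
// influences the value. Building an address from it is untrusted input.
function example_from_address_tainted() {
    $host = strtolower( $_SERVER['SERVER_NAME'] ); // request-controlled
    return 'wordpress@' . $host;
}

// Hardened pattern: take the host from the stored site URL, which an
// administrator configured, rather than from the current request.
// $original is the address the wp_mail_from filter passes in; it is
// returned unchanged if the configured URL somehow has no host.
function example_from_address_configured( $original = '' ) {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $host ) ) {
        return $original;
    }
    return 'wordpress@' . strtolower( $host );
}

// For code that still needs the request host (building a link, say):
// accept it only when it matches the configured host exactly, instead
// of using whatever the request claimed.
function example_request_host_is_trusted() {
    $configured = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $requested  = isset( $_SERVER['HTTP_HOST'] ) ? strtolower( $_SERVER['HTTP_HOST'] ) : '';
    // Drop a trailing port so "example.com:443" compares equal to "example.com".
    $requested  = preg_replace( '/:\d+$/', '', $requested );
    return '' !== $configured && hash_equals( $configured, $requested );
}

// Wire the hardened sender into WordPress so outgoing mail no longer
// depends on the request host at all.
add_filter( 'wp_mail_from', 'example_from_address_configured' );
```

The comparison function deliberately compares against a single configured value rather than a "looks like a hostname" regex: a syntactically valid hostname is still an attacker-chosen one, and the failure mode in both core disclosures was that a well-formed but foreign host was accepted. If your site legitimately answers on several hostnames, extend the check to an explicit allowlist stored in configuration, not to a pattern match.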