20170519 Vulnerable Plugin Report, HackerOne and You’ve Updated WordPress, yes?

This week’s report.

Vulnerable Plugins

Only one critical vulnerability this week. I would suggest removing that plugin until the author finishes his fixes (he’s almost finished). All of the rest of this week’s vulnerabilities have updates immediately available.

WordPress News

The big news this week was the release of 4.7.5, which addressed six security-related issues and three maintenance items. Since this is a security-focused update, if you don’t have auto-updates enabled and you haven’t already upgraded, you need to do so as soon as possible.

Unfortunately, 4.7.5 didn’t address CVE-2017-8295, aka the unauthenticated password reset vulnerability. While I’ve stated previously that this particular vulnerability has a narrow attack surface, it’s still a vulnerability that is actively being targeted and remains in all versions of WordPress. I find it particularly odd that the core team still hasn’t addressed it, considering it should be easy enough to correct: use get_site_url() instead of $_SERVER['SERVER_NAME'] in pluggable.php.
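To make the suggested fix concrete, here is an added illustration (it is not WordPress core code and not part of the original post) of the pattern the post describes and two ways a defender can harden it. It assumes, as the post does, that the default From address in pluggable.php is derived from $_SERVER['SERVER_NAME'], which many web servers populate from the client-supplied Host header; the function names prefixed example_ are hypothetical, while get_site_url(), wp_parse_url() and the wp_mail_from filter are real WordPress APIs.

```php
<?php
/*
 * Added illustration, not WordPress core: the SERVER_NAME pattern behind
 * CVE-2017-8295 next to a hardened version that reads the configured
 * site URL instead. Function names prefixed example_ are hypothetical.
 */

// --- Pattern to avoid (simplified for comparison) ----------------------
function example_from_address_vulnerable() {
    // On hosts that fill SERVER_NAME from the Host header, this value is
    // request-controlled, so the From domain is not trustworthy.
    $sitename = strtolower( $_SERVER['SERVER_NAME'] );
    if ( substr( $sitename, 0, 4 ) === 'www.' ) {
        $sitename = substr( $sitename, 4 );
    }
    return 'wordpress@' . $sitename;
}

// --- Hardened pattern: derive the host from the configured site URL ---
function example_from_address_hardened() {
    // get_site_url() comes from the 'siteurl' option (or WP_SITEURL in
    // wp-config.php); nothing in the incoming request can change it.
    $host = wp_parse_url( get_site_url(), PHP_URL_HOST );
    $host = strtolower( (string) $host );
    if ( substr( $host, 0, 4 ) === 'www.' ) {
        $host = substr( $host, 4 );
    }
    return 'wordpress@' . $host;
}

// --- Site-level mitigation that does not touch core files -------------
// Saved as wp-content/mu-plugins/fixed-from-address.php this is always
// loaded; the 'wp_mail_from' filter replaces the default From address
// for every wp_mail() call, so patching pluggable.php is not required.
add_filter( 'wp_mail_from', 'example_from_address_hardened', 10, 0 );
```

The must-use plugin route is the practical choice for site owners: it survives core updates, and it removes the request-controlled value from the outgoing mail header regardless of how the web server populates SERVER_NAME. Operators who want to confirm exposure can compare the Host header of incoming requests against the configured site URL in their access logs; a mismatch that still yields a normal response is the condition this mitigation is meant to cover.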

The WordPress security team also announced that they now have an official bug bounty program on HackerOne. They’ve already awarded $3,700 in bounties. Not only does it cover the WordPress project, but it also includes BuddyPress, bbPress, GlotPress, WP-CLI, and all of their associated sites, plus WordCamp.org. Might be a nice little way to contribute to WordPress and make some money on the side. 😀

Other News

If you work in Higher Education and are located in the south-western region of Missouri, don’t miss out on the HighEdWeb Regional conference this Monday, May 22 at 8am. This will be a hands-on workshop where we cover the top web application security risks, and then use them to attack a deliberately vulnerable web application. I promise you it’ll be fun! While it is free, space is limited, so if you think you might want to go, sign up ASAP to reserve your spot!