#142 – Miriam Schwab and Oliver Sild on Security Collaboration Between Elementor and Patchstack

Transcript [00:00:00] Nathan Wrigley: Welcome to the Jukebox podcast from WP Tavern. My name is Nathan Wrigley. Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case, the recent security collaboration between Elementor and Patchstack. If you’d like to subscribe to the podcast, you can …

Jetpack 13.9.1 Patches a Critical Security Flaw

Jetpack 13.9.1, a critical security update, was released yesterday to fix a vulnerability in the Contact Form feature that had been present since 2016. This flaw allowed logged-in users of a site to access forms submitted by visitors. The vulnerability was discovered during an internal security audit, prompting the Jetpack team to collaborate with the WordPress.org Security Team to release …

WordPress.org Introduces New Security Measures for Plugin and Theme Authors

Starting October 1st, 2024, WordPress.org will roll out new security measures aimed at enhancing the safety of accounts with commit access to plugins and themes. This was announced by the Automattic-sponsored developer Dion Hulse. Mandatory Two-Factor Authentication. Beginning next month, WordPress.org will make two-factor authentication (2FA) mandatory for all plugin and theme authors. Authors can configure 2FA by visiting their …

Remote Code Execution Vulnerability Patched in WPML WordPress Plugin

The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classified as “Critical,” with a CVSS score of 9.9. Users are strongly advised to update their websites to the patched version, WPML 4.6.13. Security researcher Mat Rollings (stealthcopter) discovered and reported the vulnerability through the …

Record Bounty Awarded as Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin

The LiteSpeed Cache Plugin, widely used to enhance the speed and performance of WordPress websites, recently patched a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000). With over 5 million active installations, this plugin is a critical tool for many WordPress users. John Blackbourn, a member of the Patchstack Alliance community, reported the vulnerability and was awarded $14,400, marking the highest bounty …

Critical Vulnerability Patched in GiveWP Plugin

GiveWP, a popular donation plugin for WordPress, has patched an unauthenticated PHP Object Injection to Remote Code Execution vulnerability that could be exploited to execute arbitrary code remotely and delete files. This plugin from the Liquid Web family of products has 100k+ active installs. villu164 (Villu Orav) reported the vulnerability through the Wordfence Bug Bounty Program and netted a bounty …

Wordfence Launches WordPress Superhero Challenge with Big Rewards

Wordfence has introduced an exciting new initiative, the WordPress Superhero Challenge, as part of its ongoing Bug Bounty Program. Running until October 14th, this challenge exclusively targets plugins and themes with over 5 million active installations, a category that demands a high level of expertise due to the extensive testing these products undergo before reaching production. Chloe Chamberland, the Threat …

Wordfence CLI 2.0.1 Update Adds Free Vulnerability Scanning

Wordfence CLI 2.0.1 introduced free vulnerability scanning this week. The new CLI product was launched at WordCamp US two months ago with malware detection capabilities, but the latest update brings in the most highly requested feature – vulnerability scanning at scale. Wordfence is most well-known for its Web Application Firewall, malware scanner, and login security product, which is packaged as …