Breaking News: How to Protect Your Sites From Harmful Vulnerabilities

Presented by Kerry Carron on 03/04/2019 2:00pm

WordPress @ Work - WP Triage Team Announced

One of the goals for 2019 was to form a team that would work to manage the ever-increasing number of tickets in Trac, the bug tracker that WordPress Core uses. Nominations of volunteers to take part have been completed and the team has been formed. It will be led by Jonathan Desrosiers.

Team members:

  • Jonathan Desrosiers (@desrosj)
  • Chris Christoff (@chriscct7)
  • Tammie Lister (@karmatosed)
  • Sergey Biryukov (@sergey)
  • Sheri Bigelow (@designsimply)

WordPress Community News

Upcoming WordCamps

From: WordCamp Central

WordCamp Cebu – CEBU, Philippines March 2, 2019

WordCamp Kolkata –

WordCamp Nordic – HELSINKI, FINLAND – WordCamp NORDIC (REGIONAL WordCamp) March 7–8, 2019

WordCamp Kota Kinabalu – KOTA KINABALU March 9, 2019

WordCamp Greenville, SC, USA – GREENVILLE, SC, March 9, 2019

WordCamp Miami, USA – MIAMI, FL USA March 15–17, 2019

WordCamp Kathmandu –

WordCamp Osnabrück – OSNABRÜCK, GERMANY March 23–24, 2019

WordCamp Bordeaux – BORDEAUX, FRANCE March 23, 2019

WordCamp Entebbe – ENTEBBE, UGANDA March 30–31, 2019

WordCamp Torino – TURIN, ITALY April 5–6, 2019

WordCamp Santa Clarita – April 5–6, 2019

WordCamp Raleigh, North Carolina, USA – RALEIGH, NORTH CAROLINA, USA April 6–7, 2019

WordCamp Madrid – MADRID April 6–7, 2019

WordCamp London – LONDON April 6–7, 2019

Known WordPress Vulnerabilities

Vulnerabilities without a Fix

There were no known vulnerabilities without a fix this week.

Vulnerability Fixes

WooCommerce version 3.5.4 (and before) - Stored Cross-Site Scripting (XSS):

Cross-Site Scripting vulnerabilities let an attacker inject malicious script into pages the site serves to other users. The injected script can read any cookies, session tokens, or other sensitive information the browser holds for that site, and it can even rewrite the page's HTML.

XSS attacks can use vulnerable plugins and themes to deliver malicious code to a different end user. The end user's browser has no way to know that the script should not be trusted, and will execute it.

Update to version 3.5.5.

WordPress version(s) 3.7-5.0 (except 4.9.9) - Authenticated Code Execution:

An attacker with author privileges can execute arbitrary code by uploading a crafted image file whose metadata contains PHP code.

If you are using WP 4.9 - 4.9.8, update to version 4.9.9. All others, update to version 5.0.1.

Freemius Library 2.2.3 (and before) - Authenticated Option Update:

An authenticated option update vulnerability allows anyone with a WordPress account on the site to take complete control of the website. This means any site that allows user registration is at risk.

This is a perfect example of the type of vulnerability that hackers will likely try to exploit, especially when a particular plugin is widely used. Fixing it requires a lot of coordination between the library's developers and the developers of the plugins that bundle the library, which makes users of those plugins an even bigger target now that the vulnerability is public. Worse yet, the affected plugins carry the vulnerability regardless of whether or not they are listed in the library's showcase.

Freemius showcases 96 plugins and nine themes that include the library. According to Freemius, about 60% of the plugins have already been updated with the patch provided by the library developers. However, a few developers have not yet made, or been able to make, updates to their affected plugins.

A full list of the plugins impacted has not been released, but here are some of the affected plugins and their fixes:

mobile-menu – Update to version 2.7.3
Plugins that have not yet been updated with the patch fix:
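To turn this week's digest into a quick check, here is an added example (not part of the original newsletter) that compares an installed-version inventory against the affected ranges quoted above. The advisory table uses only the versions stated on this page; the installed inventory is constructed sample data, and "mobile-menu" is treated as affected below the 2.7.3 fix the page names.

```python
# Added example: flag installed components that fall inside the affected
# version ranges quoted in this week's digest. Inventory data is constructed.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.0' -> (5, 0, 0); padded to three parts so 5.0 and 5.0.0 compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# (component, lowest affected or None for "and before", highest affected
#  inclusive, versions exempt from the range, advice from the page)
ADVISORIES: List[Tuple[str, Optional[str], str, Tuple[str, ...], str]] = [
    ("woocommerce", None, "3.5.4", (), "update to 3.5.5"),
    ("wordpress", "3.7", "5.0", ("4.9.9",),
     "update to 4.9.9 (4.9.x) or 5.0.1 (all others)"),
    ("freemius-sdk", None, "2.2.3", (),
     "update the plugin to a release bundling the patched library"),
    # Page gives only the fix (2.7.3), so everything below it is treated as affected.
    ("mobile-menu", None, "2.7.2", (), "update to 2.7.3"),
]


def check_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return one finding line per installed component inside an affected range."""
    findings = []
    for name, installed in inventory.items():
        v = parse_version(installed)
        for comp, low, high, exempt, advice in ADVISORIES:
            if comp != name:
                continue
            if any(v == parse_version(e) for e in exempt):
                continue  # e.g. WordPress 4.9.9 sits inside 3.7-5.0 but is patched
            if low is not None and v < parse_version(low):
                continue
            if v > parse_version(high):
                continue
            findings.append(f"{name} {installed}: affected, {advice}")
    return findings


SAMPLE_INVENTORY = {  # constructed sample, not a real site
    "wordpress": "4.9.8",
    "woocommerce": "3.5.4",
    "mobile-menu": "2.7.3",
    "freemius-sdk": "2.2.3",
}

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_INVENTORY):
        print(line)
```

Running it on the sample inventory reports three affected components (WordPress 4.9.8, WooCommerce 3.5.4 and the Freemius SDK 2.2.3) and leaves mobile-menu 2.7.3 alone.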

OwnWP Community Focus

Ownwp Feature Focus – Live Events

At the beginning of the year, OwnWP doubled its efforts and began presenting two live webinars each week. All the feedback we have received so far says we are providing unique and valuable information; however, live webinar attendance has dropped.

As a result, we are asking and encouraging you to attend, and to invite others to attend, our Network News presentations on Monday afternoons. We will be monitoring any change in attendance through the end of March, at which point we will determine whether our efforts to continue this live presentation are worthwhile.

We will have more information about this in the upcoming weeks and will reveal our findings in an upcoming Network News episode.

Member Giveaway

The new Giveaway section is now available in your member’s area so be sure to log in and check out all the cool free stuff that is available to you.

Affiliate Product of the Week: ScreenFlow

From home movies to professional video, ScreenFlow has you covered. This product was developed for Mac users but many PC’ers choose to run Parallels just so they can use this fantastic video production software. It is really that great.

We’ve been using ScreenFlow since we started our business back in 2009. We had also used Camtasia and found that ScreenFlow was just simply more intuitive. It has changed dramatically over the years and it just keeps getting better and better.

Screenflow Discount

ScreenFlow is celebrating all video makers with a HUGE discount on ScreenFlow! Take 30% off all new license purchases. Hurry, hurry, this deal is only good in the month of March!

There is an awesome feature that was recently added to ScreenFlow: the Stock Media Library. For an additional $60 a year you gain access to over 500,000 images, audio and video clips, and more for use in your ScreenFlow documents. We have to admit, it is pretty slick!

2 Ways to Get ScreenFlow:

Option 1: Use our link. Click this link (or the discount image) to get the details, and if you happen to buy, we get a thank-you commission – a little to keep this site running for a while and maybe even enough to buy a fancy coffee.

Option 2: With this link, you can still explore the page and make a purchase, but this time we'll get nothing. But hey, it's OK. No worries, no guilt trip.

Either way, there’s no obligation to buy or take action – we’re just here to help you… Connect. Network. Thrive!

OwnWP Calendar of Events – Registrations are free.

Network News Registration

Mondays @ 2 pm Mountain time – Network News followed by our Community Connections

Weekly Webinar Registration

Thursdays @ Noon Mountain time – Weekly Webinar

If you or anyone you know is interested in presenting on OwnWP, either as a single, stand-alone presentation or as a more regularly scheduled event, please contact us.

Presenter Bio: Kerry Carron

Kerry Carron is a loving wife and mother of three grown boys. As a freelancer, Kerry has built hundreds of WordPress websites and assisted other freelancers and small agencies with WordPress support and business development. She is the founder of OwnWP, a production of Ultimate Solution, LLC.

Kerry specializes in processes and creating systems. She is passionate about helping others find their path to success and her aspiration with OwnWP is to encourage other freelancers in finding and using the right combination of tools and skills they need to do more than merely survive!