Presented by Kerry Carron on 03/25/2019 2:00pm
WordPress @ Work - Continual Changes, Regular Improvements
The WordPress Date/Time component – the code that manages date, time, and timezone functionality – interestingly still includes code that dates back to the PHP 4 era.
One of the maintainers from the Netherlands (whose name I cannot pronounce) even mentioned that it wasn't until last year that he was, at last, confident he had a good grasp on the extent of the problem and found a way forward for the WP core.
It was the requirement for backward compatibility that made progress slow, but some of the work has finally been included in the most recent release of WordPress. The team expects to have more solutions available to pursue when the new minimum required PHP version takes effect later this year.
If you are interested in more information, you can check out the video for a quick overview of the work being done.
There are now two new tools available for WordPress theme developers – Theme Sniffer Plugin and Automated Accessibility Testing
Theme Sniffer – This plugin was contributed by the Theme Review team. It uses "sniffs" for PHP_CodeSniffer to test a theme against the WordPress coding standards and to check for PHP version compatibility. The assumption is that this plugin is the precursor to the anticipated feature slated for the next version of WP.
The plugin can assist theme reviewers and developers in getting their themes approved for the WordPress.org directory.
The Accessibility Team also published a new tool called WP Theme Auditor. It runs Axe (an open source library and testing engine created by the accessibility experts at Deque) against a theme to provide automated accessibility feedback.
WordPress Community News
From: WordCamp Central
WordCamp Entebbe – ENTEBBE, UGANDA March 30–31, 2019
WordCamp Torino – TURIN, ITALY April 5–6, 2019
WordCamp Raleigh, North Carolina, USA – RALEIGH, NORTH CAROLINA, USA April 6–7, 2019
WordCamp Madrid – MADRID April 6–7, 2019
WordCamp London – LONDON April 6–7, 2019
WordCamp Rotterdam, Netherlands – ROTTERDAM April 12–13, 2019
OTA, TOKYO Japan April 20–21, 2019
PARIS April 24–26, 2019
WordCamp Vienna 2019 – VIENNA, AUSTRIA April 27, 2019
WordCamp Orange County, CA – IRVINE, CA USA April 27–28, 2019
WordCamp Lancaster, PA, USA – LANCASTER, PA, USA April 27, 2019
WordCamp Bilbao – BILBAO, BIZKAIA, SPAIN April 27–28, 2019
Known WordPress Vulnerabilities
Vulnerabilities without a Fix
GraceMedia Media Player Version 1.0 - Local File Inclusion (LFI)
A file inclusion vulnerability most commonly affects plugins and themes (or other applications) that rely on a scripting runtime.
The vulnerability is caused when the plugin or theme builds a path to executable code in a way that allows an attacker to control which file is executed at run time. In other words, it corrupts how the plugin or theme loads code for execution.
Exploitation of the vulnerability results in remote code execution on the web server that runs the affected plugin or theme.
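The two patterns described above, as an added example in plain PHP (this is not code from GraceMedia Media Player or any other plugin on this page; the function names, the allow-list and the plugin path are hypothetical). The vulnerable loader lets the request decide which file is executed; the hardened one resolves only names from a fixed allow-list and refuses everything else instead of trying to clean it up.

```php
<?php
// Added example; not code from GraceMedia Media Player or any other plugin
// named above. All names (load_view_*, ALLOWED_VIEWS, the plugin path) are
// hypothetical. Runs stand-alone under php-cli; nothing is actually included.

// Vulnerable pattern: the request parameter becomes part of the include path,
// so the caller, not the plugin, decides which file is loaded and executed.
function load_view_vulnerable($view, $base_dir) {
    return $base_dir . '/views/' . $view . '.php';
}

// Hardened pattern: a fixed allow-list of view names is the only thing that
// can be resolved; anything else is refused rather than "cleaned up".
const ALLOWED_VIEWS = array('player', 'playlist', 'settings');

function load_view_safe($view, $base_dir) {
    // Strict comparison so "0" or other type-juggling inputs cannot match.
    if (!is_string($view) || !in_array($view, ALLOWED_VIEWS, true)) {
        return null;
    }
    // Defence in depth: the allow-list already guarantees a bare file name,
    // but a later edit to the list should not silently reintroduce traversal.
    if (strpos($view, "\0") !== false || basename($view) !== $view) {
        return null;
    }
    return $base_dir . '/views/' . $view . '.php';
}

// Constructed inputs: one legitimate view name and two that try to leave
// the views directory.
$base   = '/var/www/html/wp-content/plugins/example-plugin';
$inputs = array('player', '../../../../wp-config', 'settings/../../wp-config');

foreach ($inputs as $in) {
    printf("%-28s vulnerable: %s\n", $in, load_view_vulnerable($in, $base));
    printf("%-28s safe:       %s\n", '', var_export(load_view_safe($in, $base), true));
}
```

The design point is that the safe version never derives a path from the input at all: the input is only ever compared against known names, and the path is built from the matching constant. Sanitising a path string (stripping `../`, for example) is brittle by comparison, because every encoding and wrapper the runtime understands has to be anticipated.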
Better Search 2.2.2 - Unauthenticated SQL Injection
An unauthenticated SQL injection occurs when there is insufficient input validation and improper construction of SQL statements in WordPress plugins and themes (or other web applications).
A SQL injection attack involves altering the SQL statements used within a plugin or theme through data that an attacker supplies. SQL injection is listed by the Open Web Application Security Project (OWASP) as the number one threat to web applications due to its potentially destructive nature.
Here are some examples of SQL injection exploits:
- Authentication Bypass: An attacker may be able to log on to an application without supplying a valid username and password (admin included).
- Information Disclosure: An attacker may be able to obtain sensitive information in a database.
- Compromised Data Integrity: Database compromise. An attacker may use this attack to deface a web page or insert malicious content.
- Compromised Availability of Data: An attacker may be able to delete information with the intent to cause harm or delete log or audit information in a database.
- Remote Command Execution: An attacker may be able to compromise the website's host operating system.
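To make the "improper construction of SQL statements" concrete, here is an added example of a plugin search function written two ways (this is not code from Better Search or any other plugin on this page; the function names and the `example_term` query variable are hypothetical). It assumes it runs inside WordPress, so the global `$wpdb` object and the `sanitize_text_field()` and `wp_unslash()` helpers are available.

```php
<?php
// Added example; not code from Better Search or any other plugin named above.
// Assumes WordPress is loaded: $wpdb, sanitize_text_field() and wp_unslash()
// are WordPress core APIs. Function names are hypothetical.

// Vulnerable: the search term is interpolated straight into the SQL text.
// A single quote in the term ends the string literal, and whatever follows
// becomes part of the statement the database executes.
function example_search_vulnerable( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish'
              AND post_title LIKE '%{$term}%'
            LIMIT 20";
    return $wpdb->get_results( $sql );
}

// Hardened: $wpdb->prepare() binds the term as a value (%s), so it can never
// change the shape of the statement; esc_like() additionally neutralises the
// LIKE wildcards % and _ so a user cannot turn a search into a full-table match.
function example_search_safe( $term ) {
    global $wpdb;
    $term = sanitize_text_field( wp_unslash( $term ) );
    if ( '' === $term ) {
        return array();
    }
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish'
           AND post_title LIKE %s
         LIMIT %d",
        $like,
        20
    );
    return $wpdb->get_results( $sql );
}

// Typical wiring: the request value goes only to the safe version.
add_action( 'init', function () {
    if ( isset( $_GET['example_term'] ) ) {
        $results = example_search_safe( $_GET['example_term'] );
        // ... pass $results to a template that escapes every field on output ...
    }
} );
```

Note that `{$wpdb->posts}` is not a user value and is safe to interpolate; the rule is that identifiers come from code and values go through `prepare()`. The "unauthenticated" part of the advisory title simply means the vulnerable path is reachable without logging in, which is exactly the case for a public search handler like the one above.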
Font_Organizer 2.1.1 - Cross-Site Scripting (XSS)
King Composer (Page Builder) Version 2.3.0 (and before) - Cross-Site Scripting (XSS)
Cross-site scripting, commonly abbreviated XSS, is a computer security vulnerability found in web applications – including plugins and themes within WordPress. An attacker may be able to bypass access controls and inject client-side scripts into web pages viewed by other users.
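The fix for the XSS class of issues listed on this page is context-aware output escaping, shown here as an added example (not code from Font Organizer, King Composer or any other plugin named here; the widget, its settings keys and the `title` query variable are hypothetical). It assumes WordPress is loaded so that the core escaping and sanitising functions it calls exist.

```php
<?php
// Added example; not code from any plugin named above. Assumes WordPress is
// loaded: esc_html(), esc_attr(), esc_url(), esc_html__(), esc_url_raw(),
// sanitize_text_field(), sanitize_html_class() and wp_unslash() are core APIs.
// The widget and its settings keys are hypothetical.

// Vulnerable: a request parameter and stored settings are echoed raw, so any
// markup or script they contain is rendered for every visitor (reflected XSS
// via the parameter, stored XSS via the settings).
function example_widget_vulnerable( array $settings ) {
    $title = isset( $_GET['title'] ) ? $_GET['title'] : $settings['title'];
    echo '<div class="' . $settings['css_class'] . '">';
    echo '<h3>' . $title . '</h3>';
    echo '<a href="' . $settings['link'] . '">More</a>';
    echo '</div>';
}

// Hardened: every value is escaped for the exact context it lands in, as late
// as possible (at output), and the request value is also sanitised on input.
function example_widget_safe( array $settings ) {
    $title = isset( $_GET['title'] )
        ? sanitize_text_field( wp_unslash( $_GET['title'] ) )
        : $settings['title'];
    printf(
        '<div class="%1$s"><h3>%2$s</h3><a href="%3$s">%4$s</a></div>',
        esc_attr( $settings['css_class'] ),        // HTML attribute context
        esc_html( $title ),                        // text-node context
        esc_url( $settings['link'] ),              // URL context (rejects javascript: etc.)
        esc_html__( 'More', 'example-plugin' )     // translatable string, still escaped
    );
}

// Sanitise on save as well, so hostile data never reaches wp_options in the
// first place; this is the layer the settings-update advisories above exercise.
function example_widget_sanitize_settings( array $input ) {
    return array(
        'title'     => sanitize_text_field( isset( $input['title'] ) ? $input['title'] : '' ),
        'css_class' => sanitize_html_class( isset( $input['css_class'] ) ? $input['css_class'] : '' ),
        'link'      => esc_url_raw( isset( $input['link'] ) ? $input['link'] : '' ),
    );
}
```

Escaping on output and sanitising on input are complementary, not alternatives: sanitising protects the database, but only the output escaping protects the page, because stored data can arrive from imports, migrations or other plugins that never passed through the save handler.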
WP Support Plus Responsive Ticket System Version 9.1.1 (or before) - Stored Cross-Site Scripting (XSS) – Update to version 9.1.2
Easy WP SMTP Version 1.3.9 (or before) - Unauthenticated Arbitrary wp_options Import – Update to version 18.104.22.168
Social Warfare Version 3.5.2 - Unauthenticated Arbitrary Settings Update – Update to version 3.5.3
Give Version 2.3.0 (or before) - Cross-Site Scripting (XSS) – Update to version 2.3.1
NextScripts Version 4.2.7 (or before) - Cross-Site Scripting (XSS) – Update to version 4.2.8
WP Google Maps Version 7.10.41 - Cross-Site Scripting (XSS) – Update to version 7.10.43
WP Live Chat Support Version 8.0.17 (or before) - Cross-Site Scripting (XSS) – Update to version 8.0.18
YOP Poll Version 6.0.2 (or before) - Cross-Site Scripting (XSS) – Update to version 6.0.3
OwnWP Community Focus
OwnWP Feature Focus – Upcoming Live Event Results Webinar
Due to the continued low attendance level, all indications are leaning toward a change in the OwnWP live events schedule.
Low attendance makes it really difficult to attract new speakers and to present on more (and new) topics. It also makes it hard to keep speakers motivated to present to our community, to come back, and, perhaps most importantly, to stay engaged during the presentations themselves.
At the same time, we know we have awesome content to share, so we are exploring other ways to get all of the information we have to you. Remember, it is our community that decides what happens and how things will function. Your ideas, comments, and suggestions are always welcome.
Affiliate Product of the Week:
ScreenFlow is not often on sale so if you ever find it on sale, know that it won’t be for long!
OwnWP did a full-length webinar showing you all the cool new features included with the purchase of ScreenFlow (plus the Stock Media Library Addon) just last week so be sure to check out: ScreenFlow: Simplifying Your Video Production Process
We’ve been using ScreenFlow for a very long time. It might even be the first piece of software that we ever purchased. ScreenFlow has been a worthy investment – a fantastic piece of software that just keeps getting better and better.
You Can Get ScreenFlow 2 Ways:
Use Our Link: Click this link (or the discount image) to get the details, and if you happen to buy, we get a thank you commission – a little to keep this site running for a while and maybe even enough to buy a fancy coffee.
Option 2: With this link, you can still explore the page and make a purchase, but this time we’ll get nothing. But hey, it’s OK. No worries, no guilt trip.
Either way, there’s no obligation to buy or take action – we’re just here to help you… Connect. Network. Thrive!
OwnWP Calendar of Events – Free Registration
Mondays @ 2 pm Mountain time – Network News followed by our Community Connections
Thursdays @ Noon Mountain time – Weekly Webinar
If you or anyone you know is interested in presenting on OwnWP either as a single, stand-alone presentation or more regularly scheduled event, please contact us.
Presenter Bio: Kerry Carron
Kerry Carron is a loving wife and mother of three grown boys. As a freelancer, Kerry has built hundreds of WordPress websites and assisted other freelancers and small agencies with WordPress support and business development. She is the founder of OwnWP, a production of Ultimate Solution, LLC.
Kerry specializes in processes and creating systems. She is passionate about helping others find their path to success and her aspiration with OwnWP is to encourage other freelancers in finding and using the right combination of tools and skills they need to do more than merely survive!