
Patchstack Weekly
By Patchstack Weekly
This series is brought to you by Patchstack and your host Robert. I look forward to helping keep you regularly up to date on open source security issues here at the Patchstack Weekly Update.

Patchstack Weekly, Apr 24, 2023

Patchstack Weekly - Ending On a High Note
This is the final episode of the Patchstack Weekly podcast. All things come to an end - so it's only fitting to dedicate the last episode to software end-of-life, and how developers and website owners should handle sunsetting their projects.
We also want to thank our host, Robert, for sharing lessons on WordPress security (and beyond) over these past 68 episodes!

Patchstack Weekly - Securing Open-Source Forks
Forking is a fundamental part of open-source software - it offers anyone the opportunity to lead an existing project in a new direction. But forking also means that the owners of the new fork are taking over the responsibility for the security of their new project.

Patchstack Weekly - Preventing Insecure Inclusion Bugs
This week's knowledge share is about a rare but serious security bug that can be found in any PHP application. Luckily it is easy to avoid, and WordPress has a built-in function that developers can utilize to help secure against it. In vulnerability news we'll cover three vulnerabilities, including one PHP Object Injection bug in the popular Advanced Custom Fields plugin.

Patchstack Weekly - The One Serious Vulnerability That Open-Source Will Never Have
Closed-source software has one vulnerability open-source software will never face - source code leaks. This episode is all about embracing people who review open-source software, and consequently make it safer.
We'll also cover the recent Elementor Pro vulnerability that is, unfortunately, being actively exploited by attackers.

Patchstack Weekly - Understanding WordPress Security Bug Severity
When you see a security fix available for your website, you should of course update the affected component. But should you drop everything and apply the update immediately? Or can you at least finish your coffee first? Or is it OK to deal with it when you get a break? That depends on the bug.
Also in this episode, we'll cover the recent critical WooCommerce security bug which was, luckily, fixed with a rare forced update by the WordPress team.

Patchstack Weekly - Un-updatable Plugins - What Do They Mean?
Abandoned plugins with security bugs in them are a silent risk for WordPress site owners - but there's an easy way to spot plugins that have been out of date for a while straight from your WordPress admin page. This episode is a quick tutorial on that!

Patchstack Weekly - State of WordPress Security 2022 Report
We've just released our annual State of WordPress Security report, chock full of security stats and trends from the WordPress ecosystem.
Last year we saw 328% more reported security bugs added to our vulnerability database compared to 2021. This is actually a positive sign of the ecosystem becoming more secure, as more bugs are being caught (and patched). On the downside, the trend of critical vulnerabilities being left unpatched persists.
Today's episode is a sort of a tl;dr, as we dive into some of the bigger findings from the whitepaper and explain what they mean for the community.

Patchstack Weekly - Using WordPress As a Headless CMS
This week's knowledge share is an introduction to headless CMSs and WordPress. Robert will dive into what a headless CMS is, how WordPress can be used as one, and the security concerns that go along with it.

Patchstack Weekly - Should You Convert WordPress To a Static Website?
A static website is basically just some HTML files sitting on a server. It's very fast, cheap and secure - and it's rare to have all three.
This week's episode is all about the benefits of static sites, and when you should consider using them.

Patchstack Weekly - Do You Need Virtual Patching?
Regular software updates are essential for security - but they are not enough. Even if you make it a habit to regularly update your WordPress components or use auto-updates, sometimes developers won't release security updates. In fact in 2022, a quarter of critical vulnerabilities found in WordPress plugins did not receive a fix.
This is where "virtual patching" comes in - tune in to learn more about this handy extra security layer.

Patchstack Weekly - Do You Need a 'security.txt' File?
Security.txt is a new proposed standard to encourage website owners to adopt a more proactive approach to security.
The file is an easy way to quickly communicate your vulnerability disclosure program to security researchers. Big companies like Google, Slack, Github and Automattic are already using it - should you?

Patchstack Weekly - The Spurious Infinity of Security
The practice of security is boundless, with infinite context about what constitutes danger. Today's episode looks into how you can practice security to better your resume, services, business, and life.
This week's vulnerability roundup will share details on three security bugs that were patched last month in a popular Learning plugin for WordPress.

Patchstack Weekly - How Can Developers Prove Security?
This week's knowledge share is for developers and site owners alike. Robert will be discussing all about how open-source projects (or really any code project) can show, not just tell, their users that their project's code is secure and safe to use.
This week's vulnerability roundup will share details about three high-risk security bugs in WordPress components - of which two received patches and one went without.

Patchstack Weekly - What Makes a Secure Hosting Service?
The security of your web hosting provider is just as important as the security of your WordPress site. So in this episode Robert talks about how you can check for some important security features your hosting provider may or may not be offering.
This week's security news will cover two critical vulnerabilities - one that received a patch, and one that did not.

Patchstack Weekly - Are You Running Insecure Plugins?
Join Robert on his second episode of new year's security resolutions - this time, he'll be running you through the checklist for ensuring the plugins on your site are safe to use.
He'll also be talking about the recent Doctor Web report about a botnet targeting specific outdated WordPress plugins - which is a great reminder to always keep all your components up-to-date!

Patchstack Weekly - Rotate Your Passwords
In this episode we want to say two things: 1) Happy new year and 2) rotate your passwords!
Rotating your passwords regularly is a key security practice. We feel it's important to stress this in light of the latest news from the LastPass security breach - we now know that attackers did gain access to encrypted customer data, including password vaults.
Granted, this doesn't mean they got their hands on passwords and emails in plain text, but if you've used LastPass then it's high time to change all your passwords now.

Patchstack Weekly - Will AI Change Web Security?
Last week we confirmed that ChatGPT can write basic WordPress plugins - but should you let it? Does AI write safe code? Can it detect vulnerabilities?
Tune in to this year's last episode of Patchstack Weekly to find out what the recent advances in AI mean for the future of web development.

Patchstack Weekly - How One Vulnerability Affects Many
This week's knowledge share is about a recent influx of patched security bugs affecting a single vendor. Don't panic though - the bugs are low-risk.
The noteworthy part is the number of products affected by the same bug. Stay tuned for this weekly knowledge share where Robert explains why one vendor has multiple products affected by the same bug, and what this has to do with the software supply chain.

Patchstack Weekly - When Hacks Come Back
Recently LastPass reported a secondary security incident that occurred months after an initial break-in. We applaud their honesty and transparency in handling the matter - this is a great example of how to handle any security incident!
The LastPass team's investigation concluded that this recent issue - unexpected access to a third-party service - was likely carried out by someone using information leaked in an earlier incident from August.
So in this week's knowledge share, Robert will discuss the topic of lingering threats from old hacks.

Patchstack Weekly - Hunting Open-Source Security Bugs With SAST
Knowing where to look is the key to finding what you're looking for. For security bugs, it is essential.
In this week's knowledge share, Robert will teach you the basic process of finding security bugs using static code analysis - also known as SAST.

Patchstack Weekly - Dealing With Software End of Life
This week's knowledge share is about the security concern caused when software has been abandoned or has reached its end of life (EOL).
To that point, Robert will also talk about the surprising number of plugins that were recently removed from WordPress.org for being abandoned.

Patchstack Weekly - What Is Type Juggling in PHP?
This week's knowledge share is about the PHP world's smallest security bug. We say smallest because it is one character long.
You may wonder how much trouble could one character possibly cause? Stick around for this week's knowledge share where Robert will be talking about type juggling in PHP.

Patchstack Weekly - What Is Cross-Site Scripting?
Cross-site scripting is something we talk about a lot - but what is it exactly?
Cross-site scripting - or XSS - is a prevalent threat. In fact, we add about 50 (!) new XSS vulnerabilities to our database every month. So hop on in to learn about this all-too-common vulnerability with Robert and see what you can do to protect your website against it.

Patchstack Weekly - Why Open Redirects Are Dangerous
Hey all - today we're going phishing!
If that made you start packing for the trip with excitement, then you probably misread the word. "Phishing" is when a seemingly familiar or trustworthy website is actually a fake, set up to capture your data or sensitive information.
In this episode, Robert explains how an open redirect bug can be used to carry out such attacks - and how you can prevent them.

Patchstack Weekly - Who You Gonna Call When Your Website Goes Down?
Asking a complete stranger to help you with a website emergency can take things from bad to worse.
Every website owner should have a trusted emergency contact at hand when things get dicey. But how do you find those people? How do you know who to trust?

Patchstack Weekly - Using OWASP ZAP to Spot User Input
"Never trust user input" - this is security's golden rule. So it's a great thing OWASP ZAP has tools that can show you how much data in a web app is controlled by the browser - and therefore also by the user.
Robert explains how to use those tools to uncover the hidden risk.

Patchstack Weekly - How To Use the OWASP ZAP Interface
In this week's knowledge share Robert will continue to share with you some tips and tricks with OWASP ZAP. He'll go over ZAP's HUD - or heads-up display - so you can get an idea of what it can be used for.
In other news, popular online news site Fast Company suffered a major attack last week - let's dig into what we know about the attack, and what lessons we can learn from it.

Patchstack Weekly - What Can You Do With the OWASP ZAP Tool?
We should probably start with "what the hell is it?" Well, OWASP ZAP is an open-source web application security tool written by developers, for developers. It is meant for those who want to get their hands dirty testing their web applications.
Of course, it also works great for security researchers and anyone interested in learning about web application security. So buckle up, because we have a lot of ground to cover!

Patchstack Weekly - The WCUS 2022 Roundup
We skipped an episode last week as Robert took a drive down to WordCamp US in San Diego - but this week he's back to tell you all about it!
He'll also dig into a critical vulnerability found in the premium WPGateway plugin, which is unfortunately already being used for attacks. However, as always, we like to talk about these things without hyperbole. Stay safe, stay calm!

Patchstack Weekly - WordPress 6.0.2 Security Update Details
The WordPress 6.0.2 security release made a splash in the news last week with three vulnerabilities patched with it - but what were they? Should you be worried?
Let's get cozy with Robert as he runs us through the now patched vulnerabilities, and explains why none of them is an immediate risk. Or as he likes to say: "keep on patchin', but don't be worrying."
P.S. You can also catch Robert giving a security talk at WordCamp US in San Diego this weekend - if you're there, come and say hi!

Patchstack Weekly - What Is Your Time to Patch?
Whenever a new vulnerability is announced, the clock starts. The time it takes to patch can mean the difference between your site getting compromised or not.
Tracking this as a "time to patch" metric can help you quantify if you need more help with your security program - or are attending to serious issues faster than the attackers can target your sites.

Patchstack Weekly - What Does a Vulnerability CVSS Score Mean?
What does it mean when a plugin on your site has a vulnerability with a "Medium" CVSS score?
Today's episode will be all about severity scores associated with security bugs and how they are calculated using the CVSS - or Common Vulnerability Scoring System.
I will also share two plugins that patched security bugs you should know about in the weekly vulnerability roundup.

Patchstack Weekly - The Practice of Security Bug Patching
A mature security patching practice means patching even the low-risk bugs.
In this week's episode, I will talk about all the elements that turn security from a process into a practice.
I will also discuss one insecure plugin in this week's vulnerability news. Unfortunately, the plugin did not receive a security patch for a severe security bug, so you may wish to be on the lookout if it is installed on your websites or customer websites.

Patchstack Weekly - SVG XSS Vulnerability Found in Gutenberg
It is August, and the Patchstack Alliance is growing. New security researchers have joined the alliance in the last month, and we are receiving some great reports of serious security bugs in open source components affecting millions of websites.
This week there was a security bug that was not found by the Patchstack Alliance. This new security bug is in the WordPress Gutenberg editor.
In this week's knowledge share I will share important details that will help you understand the low risk this now public vulnerability poses, and emphasize that the existence of a CVE is in itself not a sign of high risk - because severity matters too.

Patchstack Weekly - Why You Shouldn't Use Nulled Plugins and Themes
In this week's knowledge share, I will talk about nulled plugins and themes - how they are a hidden security risk, how they harm trust in open source, and what you can do to make things right.
I will then cover this week's vulnerability news, which highlights two security bugs in abandoned plugins and one authenticated remote code execution bug that was recently patched.

Patchstack Weekly - What is Server Side Request Forgery?
This week I will finally get to talk about SSRF! SSRF stands for Server Side Request Forgery. This is a category of application vulnerability that is sometimes overlooked but could allow attackers to bypass security measures and turn a web application into a sort of limited VPN to pivot to systems normally protected by the network topology.
Don't worry if this doesn't make sense right now, I'll explain it in a bit.

Patchstack Weekly - Are Millions of WordPress Sites Really Under Attack?
This week's weekly knowledge share is a response to the all too common headlines about "Millions of WordPress websites are under attack" we see every so often.
I will share why attempted attacks are just the background radiation of the internet and not something to get into a panic over.

Patchstack Weekly - Why You Should Remove Unused Plugins
Welcome back to the Patchstack Weekly Security Update!
This week I will talk about the importance of removing unused code and components from your websites.
Simply disabling a theme or plugin is not enough - reviewing and deleting these things has to become a habit.
I will also cover a few vulnerability highlights, including 10 abandoned components that have known unpatched vulnerabilities in them.

Patchstack Weekly - What is CSV Injection?
CSV injection occurs when websites generate CSV files and include untrusted user input within them. I'll explain why this is dangerous, and how you can protect your site against it.
This week's vulnerability news will be brief - I will highlight 3 plugins with WordPress Options Update vulnerabilities (2 of which require no authentication). The authors of each of these plugins have released a patch.
I will also highlight a plugin affected by a CSV Injection vulnerability that, unfortunately, has not yet been patched (but of course, Patchstack Pro and Business users are protected by a virtual patch).

Patchstack Weekly - Interview with Rotem Bar
Rotem Bar works at Cider Security as Head of Marketplace Integrations and has been working in the security field for 20 years.
Back in February he found an Unauthenticated DOM-based Reflected Cross-Site Scripting vulnerability in Elementor and reported it through the Patchstack Alliance.
If the bug's name sounds confusing, convoluted, and complicated, don't worry - Rotem explains what it means and where the threat is exactly.

Patchstack Weekly - How To Choose Secure Plugins?
Welcome back to the Patchstack Weekly Security Update! This update is for week 25 of 2022.
This week's knowledge share will include some tips for WordPress site owners on what to look out for when choosing plugins.
I will also share vulnerability news, with one critical issue to discuss which may have already been patched, as well as highlighting the concerning trend of security bugs not receiving patches.

Patchstack Weekly - How to Update wp_options Securely.
Welcome back to the Patchstack Weekly Security Update! This update is for week 24 of 2022.
This week I will cover two high-risk unauthenticated vulnerabilities: one could allow attackers to reset any user's password (including admin users), and the other could arbitrarily delete files from websites running insecure versions of the plugin.
Thankfully both have been patched, so now it's up to site owners to apply that patch as soon as they can.
In this week's knowledge share, I will talk about a WordPress-specific security bug. This security bug only applies to WordPress websites, because it has to do with the risks involved if users are able to update, or change values in, the wp_options table.
If you're curious what could go wrong if attackers can update the options table values, stick around for this week's knowledge share.

Patchstack Weekly - What Makes A Good WordPress Community?
Welcome back to the Patchstack Weekly security update! This update is for week 23 of 2022.
It is the beginning of June, and WordCamp Europe is underway as I write this. WordCamps are the in-person events for the WordPress community, and WordCamp Europe 2022 is the largest to be run in the last 2 years. This is a sign of the return, and the importance, of community events.
So, on that note, this week's weekly knowledge share will be about community (and I will have a special announcement at the end.)
I will start with this week's vulnerability news first though, which will be about two vulnerabilities in WordPress plugins, neither of which has a security patch available at this time.

Patchstack Weekly - How To Create An Incident Response Plan?
Welcome back to the Patchstack Weekly security update! This update is for week 22 of 2022.
This week there is only one high-risk security bug patched to report on in the vulnerability news.
During this week's knowledge share I will talk about the incident response plan and the importance of having it ready for worst-case scenarios. Because having a plan will help you turn bad situations into learning experiences.

Patchstack Weekly - Vulnerability News & Over-Communicating Security
Welcome back to the Patchstack Weekly security update! This update is for week 21 of 2022.
In this week's knowledge share, I will talk more about communicating security. But not too much, because this week I will talk about over-communicating security, also known as alert fatigue.
Of course, I will start with a few notable security bug fixes added to the Patchstack Database in this week's vulnerability news.

Patchstack Weekly - How To Communicate Security?
Welcome back to the Patchstack Weekly security update! This update is for week 20 of 2022.
This week I will talk about the importance of communication and how to communicate about security issues. Starting from developers needing to communicate security bugs being patched, and ending with how Patchstack partners are experiencing some great successes by integrating Patchstack's WordPress vulnerability intelligence API into their products. I'll tell you how and why later, in this week's knowledge share.
But first, the week's vulnerability news, starting with announcing the winners of the Patchstack Alliance's WordPress bug hunt contest, and a heads-up about two unauthenticated SQL injection security bugs: one patched, one not.

Patchstack Weekly - Secure AJAX Endpoints & WordPress Vulnerabilities
Welcome back to the Patchstack Weekly security update! This update is for week 19 of 2022 and is about secure AJAX endpoints and WordPress vulnerabilities.
This week in vulnerability news, I will share two WordPress plugins with security bugs that have no patch available.
One could lead to tricking logged-in users to run arbitrary code on websites, and the other could lead to unauthenticated SQL injection.
And I have a bit of breaking news to add: it was just reported by PortSwigger that WordPress websites with incomplete installations appear to be targeted shortly after being set up.
In this week's knowledge share, I will talk about securing WordPress AJAX endpoints.
Why is it important to secure AJAX endpoints? How do you spot which functions need more attention in secure code review, and how do you do security testing with a tool I guarantee you probably already have installed?
I will share this tool's information in the weekly knowledge share.
PS! Just a small edit to the thank you and appreciation section - a special thank you goes out to Shea Bunge for actively working on a patch in the Code Snippets plugin (I incorrectly said Code Snippets Extended).

Patchstack Weekly - PHP Object Injection aka Insecure Deserialize
Welcome back to the Patchstack Weekly Security Update! This update is for week 18 of 2022.
This week I will talk about an obscure vulnerability, something that is commonly overlooked and missed by developers, bug bounty hunters, and security researchers alike: PHP Object Injection, also known as Insecure Unserialize.
I will get started with this week's vulnerability news like always; we have a handful of vulnerabilities I would like to share with you, including one report of, you guessed it, PHP Object Injection.

Patchstack Weekly - Egoless Programming & Security Bugs
Welcome back to the Patchstack Weekly security update! This update is for week 17 of 2022.
This week I have a handful of vulnerabilities to share with you, including 3 unauthenticated SQL injection security bugs that were patched, and 3 security bugs that could lead to files being uploaded to websites running the affected plugins.
In this week's weekly knowledge share, I'm going to be talking about egoless programming: a concept introduced over 50 years ago, and an extremely helpful topic to cover when it comes to handling security bug reports.

Patchstack Weekly - WordPress Vulnerabilities And Secure Code Review
Welcome back to the Patchstack Weekly security update! This update is for week 16 of 2022.
This week I will talk about the power of transparency in open source as it pertains to security, and how anyone, including you, can utilize this transparency to learn secure code review.
There are a lot of vulnerabilities to discuss this week as well, with some versions of Elementor being affected by an authenticated high-risk vulnerability, a development/design firm that patched many of their projects, and 9 unauthenticated SQL injection security bugs (5 with patches, and 4 without). So let's talk vulns.