Patchstack WordPress Security Secures $5M, Adds Yoast Co-Founder to Board via @sejournal, @martinibuster

WordPress security company Patchstack announced a round of $5 million USD funding and the addition of Joost de Valk, co-founder of Yoast SEO, to their board. The funding will accelerate the development of Patchstack toward becoming the fastest full-cycle security solution.

Patchstack – Trusted Security Partner

Patchstack, based in Estonia, is a fast growing WordPress security company that is trusted by major web hosts, plugins and websites around the world. It recently released a free security tool for open-source software vendors that helps them comply with the upcoming European Cyber Resilience Act compliance.

Patchstack is a highly regarded WordPress security company that is trusted by customers such as GoDaddy, Digital Ocean, Plesk, and cPanel and is a security partner with over 300 WordPress plugins such as Elementor, WP Rocket, WP Bakery Page Builder and Slider Revolution.

Patchstack provides security scans for over five million websites every day and offers a free plugin for vulnerability detection and a low cost real-time protection (starting at $5 per website/month).

The announcement by Patchstack offers details of the $5 million dollar funding:

“Estonian cybersecurity startup Patchstack who in 2022 received €2.7M R&D grant from European Innovation Council announced an additional 5 million USD funding round to further their mission of covering the entire lifecycle of open-source security to provide the fastest mitigation to the emerging security threats.

Patchstack’s Series A round was led by Karma Ventures, an early-stage venture capital fund focusing on deep-tech software companies, with participation from G+D Ventures, the German TrustTech investor, and Emilia Capital, the investment firm of Yoast founders Marieke van de Rakt and Joost de Valk.”

Joost de Valk commented to Search Engine Journal:

“Patchstack is really an amazing company and product. I recently joined their board.”

He’s right, Patchstack currently prevents millions of vulnerability attacks and should be on the shortlist of security solutions for every WordPress website. Although WordPress security is not considered an SEO-related concern it actually should be an important factor of every SEO audit because all it takes is one major vulnerability event to lose the trust of customers and site visitors which can impact earnings and rankings.

Featured Image by Shutterstock/Krakenimages.com

New WordPress 6.6.2 Fixes Important Display Issue via @sejournal, @martinibuster

WordPress 6.6.2 introduces 26 bug fixes, including an important one that resolves a CSS issue affecting site appearance. Fifteen fixes address the WordPress core, while eleven focus on the Gutenberg block editor.

Maintenance Release – CSS Specificity

WordPress maintenance releases aren’t generally major updates to WordPress and are intended to fix issues that were introduced through new features from the last major update, in this case version 6.6.

This maintenance release is no different and contains a fix for a feature called CSS specificity that was introduced in WordPress 6.6.

CSS is the code that controls what a web page looks like in terms of colors, sizes, margins and spaces. Specificity means what style belongs to a web page element (like a section of page or something else more granular). CSS Specificity is a reference to a set of rules belonging to the WordPress core that determine which CSS property applies when there is ambiguity as to which property should apply. The purpose of CSS Specificity was initially developed as a way to make it simple for theme developers to overrule WordPress core styles with their own styles.

However it was discovered that the implementation of CSS Specificity introduced several issues that significantly affected what the web page looked like.

WordPress 6.6.2 fixes this issue and for that reason publishers who’ve had issues should consider updating.

Other Fixes

This maintenance release contains 15 fixes to the WordPress core and 11 fixes to the Gutenberg block editor.

Examples of fixes in the Core included in the maintenance release:

Sample Of Fixes In Gutenberg:

Reception Of 6.6.2

Publishers who haven’t experienced this update should feel confident about upgrading to this version. Initial reports in the private Dynamic WordPress Facebook Group is positive, with the admin of the group, David McCan, reporting he’d rolled it out to ten sites without experiencing any issues (link to discussion, must join the Facebook group to read).

Read The Official WordPress announcement

WordPress 6.6.2 Maintenance Release

Featured Image by Shutterstock/Cast Of Thousands

New LiteSpeed Cache Vulnerability Puts 6 Million Sites at Risk via @sejournal, @martinibuster

Another vulnerability was discovered in the LiteSpeed Cache WordPress plugin—an Unauthenticated Privilege Escalation that could lead to a total site takeover. Unfortunately, updating to the latest version of the plugin may not be enough to resolve the issue.

LiteSpeed Cache Plugin

The LiteSpeed Cache Plugin is a website performance optimization plugin that has over 6 million installations. A cache plugin stores a static copy of the data used to create a web page so that the server doesn’t have to repeatedly fetch the exact same page elements from the database every time a browser requests a web page.

Storing the page in a “cache” reduced the server load and speeds up the time it takes to deliver a web page to a browser or a crawler.

LiteSpeed Cache also does other page speed optimizations like compressing CSS and JavaScript files (minifying), puts the most important CSS for rendering a page in the HTML code itself (inlined CSS) and other optimizations that together make a site faster.

Unauthenticated Privilege Escalation

An unauthenticated privilege escalation is a type of vulnerability that allows a hacker to attain site access privileges without having to sign in as a user. This makes it easier to hack a site in comparison to an authenticated vulnerability that requires a hacker to first attain a certain privilege level before being able to execute the attack.

Unauthenticated privilege escalation typically occurs because of a flaw in a plugin (or theme) and in this case it’s a data leak.

Patchstack, the security company that discovered the vulnerability writes that vulnerability can only be exploited under two conditions:

“Active debug log feature on the LiteSpeed Cache plugin.

Has activated the debug log feature once before (not currently active now) and the /wp-content/debug.log file is not purged or removed.”

Discovered By Patchstack

The vulnerability was discovered by researchers at Patchstack WordPress security company, which offers a free vulnerability warning service and advanced protection for as little as $5/month.

Oliver Sild Founder of Patchstack explained to Search Engine Journal how this vulnerability was discovered and warned that updating the plugin is not enough, that a user still needs to manually purge their debug logs.

He shared these specifics about the vulnerability:

“It was found by our internal researcher after we processed the vulnerability from a few weeks ago.

Important thing to keep in mind with this new vulnerability is that even when it gets patched, the users still need to purge their debug logs manually. It’s also a good reminder not to keep debug mode enabled in production.”

Recommended Course of Action

Patchstack recommends that users of LiteSpeed Cache WordPress plugin update to at least version 6.5.0.1.

Read the advisory at Patchstack:

Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin

Featured Image by Shutterstock/Teguh Mujiono

WordPress Just Locked Down Security For All Plugins & Themes via @sejournal, @martinibuster

WordPress announced a major clampdown to protect its theme and plugin ecosystem from password insecurity. These improvements follow a flurry of attacks in June that compromised multiple plugins at the source.

Improves Plugin Developer Security

This WordPress security update fixes a flaw that allowed hackers to use compromised passwords from other breaches to unlock developer accounts that used the same credentials and had “commit access” enabling them to make changes to the plugin code right at the source. This closes a WordPress security gap that allowed hackers to compromise multiple plugins beginning in late June of this year.

Double Layer Of Developer Security

WordPress is introducing two layers of security, one on the individual developer account and a second one on the code commit access. This separates the author security credentials from the code committing environment.

1. Two-Factor Authorization

The first improvement to security is the imposition of a mandatory two-factor authorization for all plugin and theme authors that will be enforced beginning on October 1, 2024. WordPress is already prompting users to use 2FA. Users can also visit this page to configure their two-factor authorization.

2. SVN Passwords

WordPress also announced it will begin using SVN (Subversion) passwords, an additional layer of security for authenticating developers as a part of a version control system. SVN ensures that only authorized individuals can make changes to the code, adding a second layer of security to plugins and themes.

The WordPress announcement explains:

“We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials. Generate your SVN password in your WordPress.org profile.”

WordPress noted that technical limitations prevented them from using 2FA to existing code repositories, thereby requiring them to use SVN instead.

Takeaway: Vastly Improved WordPress Security

These changes will results in greater security for the entire WordPress ecosystem and immensely contribute to ensuring that all plugins and themes are trustworthy and not compromised at the source.

Read the announcement

Upcoming Security Changes for Plugin and Theme Authors on WordPress.org

Featured Image by Shutterstock/Cast Of Thousands

Vulnerabilities In Two WordPress Contact Form Plugins Affect +1.1 Million via @sejournal, @martinibuster

Advisories have been issued regarding vulnerabilities discovered in two of the most popular WordPress contact form plugins, potentially affecting over 1.1 million installations. Users are advised to update their plugins to the latest versions.

+1 Million WordPress Contact Forms Installations

The affected contact form plugins are Ninja Forms, (with over 800,000 installations) and Contact Form Plugin by Fluent Forms (+300,000 installations). The vulnerabilities are not related to each other and arise from separate security flaws.

Ninja Forms is affected by a failure to escape a URL which can lead to a reflected cross-site scripting attack (reflected XSS) and the Fluent Forms vulnerability is due to an insufficient capability check.

Ninja Forms Reflected Cross-Site Scripting

A a Reflected Cross-Site Scripting vulnerability, which the Ninja Forms plugin is at risk for, can allow an attacker to target an admin level user at a website in order to gain their associated website privileges. It requires taking an extra step to trick an admin into clicking a link. This vulnerability is still undergoing assessment and has not been assigned a CVSS threat level score.

Fluent Forms Missing Authorization

The Fluent Forms contact form plugin is missing a capability check which could lead to unauthorized ability to modify an API (an API is a bridge between two different software that allows them to communicate with each other).

This vulnerability requires an attacker to first attain subscriber level authorization, which can be achieved on a WordPress sites that has the subscriber registration feature turned on but is not possible for those that don’t. This vulnerability was assigned a medium threat level score of 4.2 (on a scale of 1 – 10).

Wordfence describes this vulnerability:

“The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18.

This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.”

Recommended Action

Users of both contact forms are recommended to update to the latest versions of each contact form plugin. The Fluent Forms contact form is currently at version 5.2.0. The latest version of Ninja Forms plugin is 3.8.14.

Read the NVD Advisory for Ninja Forms Contact Form plugin: CVE-2024-7354

Read the NVD advisory for the Fluent Forms contact form: CVE-2024

Read the Wordfence advisory on Fluent Forms contact form:
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 – Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification

Featured Image by Shutterstock/Cast Of Thousands

WordPress Insiders Discuss WordPress Stagnation via @sejournal, @martinibuster

A recent webinar featuring WordPress executives from Automattic and Elementor, along with developers and Joost de Valk, discussed the stagnation in WordPress growth, exploring the causes and potential solutions.

Stagnation Was The Webinar Topic

The webinar, “Is WordPress’ Market share Declining? And What Should Product Businesses Do About it?” was a frank discussion about what can be done to increase the market share of new users that are choosing a web publishing platform.

Yet something that came up is that there are some areas that WordPress is doing exceptionally well so it’s not all doom and gloom. As will be seen later on, the fact that the WordPress core isn’t progressing in terms of specific technological adoption isn’t necessarily a sign that WordPress is falling behind, it’s actually a feature.

Yet there is a stagnation as mentioned at the 17:07 minute mark:

“…Basically you’re saying it’s not necessarily declining, but it’s not increasing and the energy is lagging. “

The response to the above statement acknowledged that while there are areas of growth like in the education and government sectors, the rest was “up for grabs.”

Joost de Valk spoke directly and unambiguously acknowledged the stagnation at the 18:09 minute mark:

“I agree with Noel. I think it’s stagnant.”

That said, Joost also saw opportunities with ecommerce, with the performance of WooCommerce. WooCommerce, by the way, outperformed WordPress as a whole with a 6.80% year over year growth rate, so there’s a good reason that Joost was optimistic of the ecommerce sector.

A general sense that WordPress was entering a stall however was not in dispute, as shown in remarks at the 31:45 minute mark:

“… the WordPress product market share is not decreasing, but it is stagnating…”

Facing Reality Is Productive

Humans have two ways to deal with a problem:

1. Acknowledge the problem and seek solutions
2. Pretend it’s not there and proceed as if everything is okay

WordPress is a publishing platform that’s loved around the world and has literally created countless jobs, careers, powered online commerce as well as helped establish new industries in developing applications that extend WordPress.

Many people have a stake in WordPress’ continued survival so any talk about WordPress entering a stall and descent phase like an airplane that reached the maximum altitude is frightening and some people would prefer to shout it down to make it go away.

But facts cannot be brushed aside and that’s what this podcast tried to do. Everyone in the discussion has a stake in the continued growth of WordPress and their goal was not malign WordPress but discuss the current situation, identify what it is and try to reach an understanding of ways to solve the problem.

The live webinar featured:

• Miriam Schwab, Elementor’s Head of WP Relations
• Rich Tabor, Automattic Product Manager
• Joost de Valk, founder of Yoast SEO
• Co-hosts Matt Cromwell and Amber Hinds, both members of the WordPress developer community moderated the discussion.

WordPress Market Share Stagnation

The webinar acknowledged that WordPress market share, the percentage of websites online that use WordPress, was stagnating. Stagnation is a state at which something is neither moving forward nor backwards, it is simply stuck at an in between point. And that’s what was openly acknowledged and the main point of the discussion was understanding the reasons why and what could be done about it.

Statistics gathered by the HTTPArchive and published on Joost de Valk’s blog show that WordPress experienced a year over year growth of 1.85%, having spent the year growing and contracting its market share. For example, over the latest month over month period the market share dropped by -0.28%.

Crowing about the WordPress 1.85% growth rate as evidence that everything is fine is to ignore that a large percentage of new businesses and websites coming online are increasingly going to other platforms, with year over year growth rates of other platforms outpacing the rate of growth of WordPress.

Out of the top 10 Content Management Systems, only six experienced year over year (YoY) growth.

CMS YoY Growth

1. Webflow: 25.00%
2. Shopify: 15.61%
3. Wix: 10.71%
4. Squarespace: 9.04%
5. Duda: 8.89%
6. WordPress: 1.85%

Why Stagnation Is A Problem

An important point made in the webinar is that stagnation can have a negative trickle-down effect on the business ecosystem by reducing growth opportunities and customer acquisition. If fewer of the new businesses coming online are opting in for WordPress are clients that will never come looking for a theme, plugin, development or SEO service.

It was noted at the 4:18 minute mark by Joost de Valk:

“…when you’re investing and when you’re building a product in the WordPress space, the market share or whether WordPress is growing or not has a deep impact on how easy it is to well to get people to, to buy the software that you want to sell them.”

Perception Of Innovation

One of the potential reasons for the struggle to achieve significant growth is the perception of a lack of innovation, pointed out at the 16:51 minute mark that there’s still no integration with popular technologies like Next JS, an open-source web development platform that is optimized for fast rollout of scalable and search-friendly websites.

It was observed at the 16:51 minute mark:

“…and still today we have no integration with next JS or anything like that…”

Someone else agreed but also expressed at the 41:52 minute mark, that the lack of innovation in the WordPress core can also be seen as a deliberate effort to make WordPress extensible so that if users find a gap a developer can step in and make a plugin to make WordPress be whatever users and developers want it to be.

“It’s not trying to be everything for everyone because it’s extensible. So if WordPress has a… let’s say a weakness for a particular segment or could be doing better in some way. Then you can come along and develop a plug in for it and that is one of the beautiful things about WordPress.”

Is Improved Marketing A Solution

One of the things that was identified as an area of improvement is marketing. They didn’t say it would solve all problems. It was simply noted that competitors are actively advertising and promoting but WordPress is by comparison not really proactively there. I think to extend that idea, which wasn’t expressed in the webinar, is to consider that if WordPress isn’t out there putting out a positive marketing message then the only thing consumers might be exposed to is the daily news of another vulnerability.

Someone commented in the 16:21 minute mark:

“I’m missing the excitement of WordPress and I’m not feeling that in the market. …I think a lot of that is around the product marketing and how we repackage WordPress for certain verticals because this one-size-fits-all means that in every single vertical we’re being displaced by campaigns that have paid or, you know, have received a a certain amount of funding and can go after us, right?”

This idea of marketing being a shortcoming of WordPress was raised earlier in the webinar at the 18:27 minute mark where it was acknowledged that growth was in some respects driven by the WordPress ecosystem with associated products like Elementor driving the growth in adoption of WordPress by new businesses.

They said:

“…the only logical conclusion is that the fact that marketing of WordPress itself is has actually always been a pain point, is now starting to actually hurt us.”

Future Of WordPress

This webinar is important because it features the voices of people who are actively involved at every level of WordPress, from development, marketing, accessibility, WordPress security, to plugin development. These are insiders with a deep interest in the continued evolution of WordPress as a viable platform for getting online.

The fact that they’re talking about the stagnation of WordPress should be of concern to everybody and that they are talking about solutions shows that the WordPress community is not in denial but is directly confronting situations, which is how a thriving ecosystem should be responding.

Watch the webinar:

Is WordPress’ Market share Declining? And What Should Product Businesses Do About it?

Featured Image by Shutterstock/Krakenimages.com

Vulnerabilities in Two ThemeForest WordPress Themes, 500k+ Sold via @sejournal, @martinibuster

A vulnerability advisory was issued about two WordPress themes found on ThemeForest that could allow a hacker to delete arbitrary files and inject malicious scripts into a website.

Two WordPress Themes Sold On ThemeForest

The two WordPress themes with vulnerabilities are sold on ThemeForest and together they have over a half million sales.

The two themes are:

• Betheme theme for WordPress (306,362 sales)
• The Enfold – Responsive Multi-Purpose Theme for WordPress (260,607 sales)

Betheme Theme for WordPress Vulnerability

Wordfence issued an advisory that The Betheme theme contained a PHP Object Injection vulnerability that was rated as a high threat.

Wordfence was discreet in their description of the vulnerability and offered no details of the specific flaw. However, in the context of a WordPress theme, a PHP Object Injection vulnerability usually arises when a user input is not properly filtered (sanitized) for unwanted uploads and inputs.

This is how Wordfence described it:

“The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the ‘mfn-page-items’ post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin.

If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”

Has Betheme Theme Been Patched?

Betheme Theme for WordPress has received a patch on August 30, 2024. But Wordfence’s advisory isn’t acknowledging it. It’s possible that the advisory needs to be updated, not sure. Nevertheless, it’s recommended that users of the Enfold theme consider updating their theme to the newest version, which is Version 27.5.7.1.

The Enfold – Responsive Multi-Purpose Theme for WordPress

The Enfold Responsive Multi-Purpose WordPress theme contains a different flaw and was given a lower severity rating of 6.4. That said, the publisher of the theme has not issued a fix for the vulnerability.

A Stored Cross-Site Scripting (XSS) was discovered in the WordPress theme from a flaw originating in a failure to sanitize inputs.

Wordfence describes the vulnerability:

“The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Enfold Vulnerability Has Not Been Patched

The Enfold – Responsive Multi-Purpose Theme for WordPress has not been patched as of this writing and remains vulnerable. The changelog documenting the updates to the theme shows that it was last updated in August 19, 2024.

Screenshot Of Enfold WordPress Theme’s Changelog

The Enfold – Responsive Multi-Purpose Theme for WordPress has not been patched as of this writing and remains vulnerable.

Wordfence’s advisory warned:

“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”

Read the advisories:

Betheme <= 27.5.6 – Authenticated (Contributor+) PHP Object Injection

Enfold <= 6.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters

WordPress Elementor Widgets Add-On Vulnerability via @sejournal, @martinibuster

A WordPress plugin add-on for the popular Elementor page builder recently patched a vulnerability affecting over 200,000 installations. The exploit, found in the Jeg Elementor Kit plugin, allows authenticated attackers to upload malicious scripts.

Stored Cross-Site Scripting (Stored XSS)

The patch fixed an issue that could lead to a Stored Cross-Site Scripting exploit that allows an attacker to upload malicious files to a website server where it can be activated when a user visits the web page. This is different from a Reflected XSS which requires an admin or other user to be tricked into clicking a link that initiates the exploit. Both kinds of XSS can lead to a full-site takeover.

Insufficient Sanitization And Output Escaping

Wordfence posted an advisory that noted the source of the vulnerability is in lapse in a security practice known as sanitization which is a standard requiring a plugin to filter what a user can input into the website. So if an image or text is what’s expected then all other kinds of input are required to be blocked.

Another issue that was patched involved a security practice called Output Escaping which is a process similar to filtering that applies to what the plugin itself outputs, preventing it from outputting, for example, a malicious script. What it specifically does is to convert characters that could be interpreted as code, preventing a user’s browser from interpreting the output as code and executing a malicious script.

The Wordfence advisory explains:

“The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.”

Medium Level Threat

The vulnerability received a Medium Level threat score of 6.4 on a scale of 1 – 10. Users are recommended to update to Jeg Elementor Kit version 2.6.8 (or higher if available).

Read the Wordfence advisory:

Jeg Elementor Kit <= 2.6.7 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File

Featured Image by Shutterstock/Cast Of Thousands