WordPress Cache Plugin Vulnerability Affects +5 Million Websites via @sejournal, @martinibuster

Up to 5 million installations of the LiteSpeed Cache WordPress plugin are vulnerable to an exploit that allows hackers to gain administrator rights and upload malicious files and plugins

The vulnerability was first reported to Patchstack, a WordPress security company, which notified the plugin developer and waited until the vulnerability was patched before making a public announcement.

Patchstack founder Oliver Sild discussed this with Search Engine Journal and provided background information about how the vulnerability was discovered and how serious it is.

Sild shared:

“It was reported to through the Patchstack WordPress Bug Bounty program which offers bounties to security researchers who report vulnerabilities. The report qualified for a $14,400 USD bounty. We work directly with both the researcher and the plugin developer to ensure vulnerabilities get patched properly before public disclosure.

We’ve monitored the WordPress ecosystem for possible exploitation attempts since the beginning of August and so far there are no signs of mass-exploitation. But we do expect this to become exploited soon though.”

Asked how serious this vulnerability is, Sild responded:

“It’s a critical vulnerability, made particularly dangerous because of its large install base. Hackers are definitely looking into it as we speak.”

What Caused The Vulnerability?

According to Patchstack, the compromise arose because of a plugin feature that creates a temporary user that crawls the site in order to then create a cache of the web pages. A cache is a copy of web page resources that stored and delivered to browsers when they request a web page. A cache speeds up web pages by reducing the amount of times a server has to fetch from a database to serve web pages.

The technical explanation by Patchstack:

“The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values.

…Unfortunately, this security hash generation suffers from several problems that make its possible values known.”

Recommendation

Users of the LiteSpeed WordPress plugin are encouraged to update their sites immediately because hackers may be hunting down WordPress sites to exploit. The vulnerability was fixed in version 6.4.1 on August 19th.

Users of the Patchstack WordPress security solution receive instant mitigation of vulnerabilities. Patchstack is available in a free version and the paid version costs as little as $5/month.

Read more about the vulnerability:

Critical Privilege Escalation in LiteSpeed Cache Plugin Affecting 5+ Million Sites

Featured Image by Shutterstock/Asier Romero

Free WordPress AI Writing Assistant By Jetpack via @sejournal, @martinibuster

Jetpack announced a free WordPress writing tool called Write Brief With AI that improves the clarity and conciseness of content. The AI writing assistant is based on an internal tool used at Automattic and is now available without limitations regardless of whether a user is subscribed to Jetpack AI Assistant or not.

Write Brief With AI Is Free

The new AI tool started as an internal writing tool used at Automattic, the company behind WordPress.com, Jetpack, WooCommerce, and other companies. They are now integrating as part of the Jetpack AI plugin. Although Jetpack AI is a premium plugin (with a limited free trial), the functionality and usage of Write Brief with AI is available to all users both free and paid.

What It Does

The new Jetpack AI writing tool does three important things that can improve engagement and the overall quality of the content.

1. It measures the readability of the text.
2. Flags long-winded sentences.
3. Highlights words that convey uncertainty.

Importance Of Readability

Readability and a direct writing style are important for clearly expressing the content’s topic, which can indirectly benefit SEO, conversions, and engagement. This is because clarity and conciseness make the topic more evident and easily understood by search algorithms.

Why Removing Uncertainty Is Important

Regarding flagging words that sound uncertain, that has the effect of encouraging the writer to consider revisions that make the content more definitive and confident.

Here are examples of how confident writing improves content:

Example 1

This sentence expresses uncertainty:

I think we should consider expanding our marketing efforts.

This improved version of the same sentence is more confident:

We should expand our marketing efforts.

Example 2

This sentence is unconfident:

Maybe we should review the budget before making a decision.

This sentence is direct and definitive:

We should review the budget before making a decision.

The above examples show how improving directness and making sentences more decisive removes a level of ambiguity and makes them more understandable.

Will that help a web page rank better? Communicating without ambiguity makes it easy for search-related algorithms to understand content which in turn makes it easier to rank for the respective topic.

Embedded Within The WordPress Editor

The editor is located within the WordPress editor. Blocks must be enabled because it won’t work within the Classic Editor. Additionally, the functionality is turned off by default and has to be activated by toggling on within the AI Assistant Settings sidebar.

Should You Try Write Brief With AI?

If your site is already using blocks then it may be convenient to give the new writing assistant a try. The tool is focused on improving content according to best practices but not actually doing the writing itself. That’s a good use of AI because it preserves the authenticity of human authored content.

Download Jetpack and activate the free trial of the AI Assistant. Write Brief With AI is switched off by default, so toggle it on in the AI Assistant settings.  While AI Assistant is limited in how many times it can be used, Write Brief With AI is in Beta and can be used without limitations.

Download Jetpack here:

Jetpack by Automattic

Learn More About Write Brief With AI

Read more at the official WordPress.com announcement:

Clearer Writing at Your Fingertips: Introducing Write Brief with AI (Beta)

Read the documentation on requirements, activation instructions and how to use it:

Create Better Content with Jetpack AI

Featured Image by Shutterstock/Velishchuk Yevhen

Why WordPress 6.6.1 Was Flagged For Trojan Malware via @sejournal, @martinibuster

Multiple user reports have surfaced warning that the latest version of WordPress is triggering trojan alerts and at least one person reported that a web host locked down a website because of the file. What really happened turned into a learning experience.

Antivirus Flags Trojan In Official WordPress 6.6.1 Download

The first report was filed in the official WordPress.org help forums where a user reported that the native antivirus in Windows 11 (Windows Defender) flagged the WordPress zip file they had downloaded from WordPress contained a trojan.

This is the text of the original post:

“Windows Defender shows that the latest wordpress-6.6.1zip has Trojan:Win32/Phish!MSR virus when i try downloading from the official wp site

it shows the same virus notification when updating from within the WordPress dashboard of my site

Is this a false positive?”

They also posted screenshots of the trojan warning that listed the status as “Quarantine failed” and that WordPress zip file of version 6.6.1 “is dangerous and executes commands from an attacker.”

Screenshot Of Windows Defender Warning

Someone else affirmed that they were also having the same issue, noting that a string of code within one of the CSS files (style code that governs the look of a website, including colors) was the culprit that was triggering the warning.

They posted:

“I am experiencing the same issue. It seems to occur with the file wp-includescssdistblock-librarystyle.min.css. It appears that a specific string in the CSS file is being detected as a Trojan virus. I would like to allow it, but I think I should wait for an official response before doing so. Is there anyone who can provide an official answer?”

Unexpected “Solution”

A false positive is generally a result that tests as positive when it’s not actually a positive for whatever is being tested for. WordPress users soon began to suspect that the Windows Defender trojan virus alert was a false positive.

An official WordPress GitHub ticket was filed where the cause was identified as an insecure URL (http versus https) that’s referenced from within the CSS style sheet. A URL is not commonly considered a part of a CSS file so that may be why Windows Defender flagged this specific CSS file as containing a trojan.

Here’s the part where things went off in an unexpected direction. Someone opened another WordPress GitHub ticket to document a proposed fix for the insecure URL, which should have been the end of the story but it ended up leading to a discovery about what was really going on.

The insecure URL that needed fixing was this one:

http://www.w3.org/2000/svg

So the person who opened the ticket updated the file with a version that contained a link to the HTTPS version which should have been the end of the story but for a nuance that was overlooked.

The (‘insecure’) URL is not a link to a source of files (and therefore not insecure) but rather an identifier that defines the scope of the Scalable Vector Graphics (SVG) language within XML.

So the problem ultimately ended up not being about something wrong with the code in WordPress 6.6.1 but rather an issue with Windows Defender that failed to properly identify an “XML namespace” instead of mistakenly flagging it as a URL linking to downloadable files.

Takeaway

The false positive trojan file alert by Windows Defender and subsequent discussion was a learning moment for many people (including myself!) about a relatively arcane bit of coding knowledge regarding the XML namespace for SVG files.

Read the original report:

Virus Issue :wordpress-6.6.1.zip shows a virus from windows defender

How WooCommerce Plans To Boost Developers & Merchants via @sejournal, @martinibuster

WooCommerce announced their roadmap for the future of WooCommerce, emphasizing two-way communication with the developer ecosystem in order to be responsive to their needs which further the goals of improving the experience for developers, merchants and customers.

WooCommerce highlighted seven important areas for innovation and six specific areas that are targeted for enhancements that will improve developer and merchant experience.

1. Stronger WooCommerce And Developer Communication

WooCommerce recently launched a newsletter that seeks to keep developers in the look with the latest WooCommerce news, offering early previews of new features, plus tutorials and other information that will keep the community in the loop.

The announcement explains three benefits of the newsletter:

1. “Exclusive Insights:
   Gain access to behind-the-scenes knowledge and tips that can elevate your development game.
2. Latest Content:
   Engage with newly published blog posts and documentation, showcasing our latest releases, resources, advisories, and more.
3. Feature Updates and Announcements:
   Keep your projects current by receiving the latest updates on new features and essential changes in WooCommerce.”

2. Upgrading The WooCommerce Blog and Documentation

Another area of improvement that relates to communication is to emphasizing the official WooCommerce blog as a reliable source of information that’s important to developers.

WooCommerce is also committing to improving their documentation with more guides, step-by-step tutorials, best practices and also making it easier to navigate and find needed information.

The roadmap explains:

“Our goal is to fill crucial knowledge gaps in areas such as extensibility, block development, and theme customization, empowering developers to start and thrive on our platform.

This is a welcome news for developers. One person commented on X (formerly Twitter):

“Coincidentally, I saw this immediately after reading my developers’ frustrations about the documentation for the new product editor in our internal discussions – so it’s good to see that improving this is on the roadmap.

Specifically, we have several plugins which add functionality to the ‘Edit Product’ screen, so we need to integrate them with the new product editor. My developers are finding this unnecessarily difficult because:

– The developer information about each feature is scattered throughout multiple news articles when it should be collated in one location.

– The links to the GitHub discussions about the new Product Editor in the “Roadmap Insights” articles point to the WooCommerce Product Block Editor discussion category (which doesn’t exist anymore) instead of the new WooCommerce New Product Editor one.

– We’re reluctant to update our plugins that integrate with the variations editor because the hooks and filters required for this extension are currently marked as experimental, so we might have to redo work if they change in future.

– We were expecting to see a timeline for the new product editor in January/February but this still isn’t clear, so we don’t know how heavily to prioritize the changes in our plugins.”

3. Improvements To REST API V3

Improvements to the REST API v3 are a top priority, with a focus on backward compatibility. They are also committing to reducing the backlog of issues and new feature requests plus improving API performance.

They also said they would focus on:

“…upgrading API documentation, error handling, and debugging capabilities.”

4. Improve Feedback Loop on Extensibility

A feedback loop is the communication between WooCommerce and the developers who use it, with the goal of improvement being a collaboration that results in a superior product that better serves developer and merchant needs.

Extensibility refers to the flexibility of WooCommerce to be extended and adapted, which is an important benefit of WooCommerce. Thus, one of the “destinations” in the WooCommerce roadmap is to make sure that it is adaptable and easily molded by developers.

Communication between developers and WooCommerce is a key part of maintaining and improving the extensibility of WooCommerce.

WooCommerce commented:

“As we make new features the default experience, we are working to create space for collaboration with our developer community in order to refine these features, incorporate feedback, and gradually move towards full adoption.

In the past year, we have begun using GitHub Discussions, Developer Office Hours, and other sources of feedback to shape and prioritize extensibility points in particular. This iterative process not only enhances the platform but also strengthens the ecosystem, making WooCommerce a more robust solution for everyone.”

5. WooCommerce Is Committed To A Block-Based Future

WooCommerce committed to a 100% block-based feature development in late 2023 as part of a vision of making WooCommerce easier to use for non-coders. A second motivation is to create a more adaptable shopping platform to build upon. As part of this commitment WooCommerce is signaling that now is the time to stop relying with older solutions like shortcodes and legacy APIs.

The statement read:

“If your solutions are still relying on shortcodes or other legacy APIs, it’s time to embrace blocks and modernize your approach.”

WooCommerce announced steps they are taking to bridge the transition to a fully block-based development platform:

• Adding more resources to the WooCommerce Developer Documentation
• Increased frequency of communication on the WooCommerce blog
• More posts to introduce new features tutorials for how to use them
• A renewed focus on creating video tutorials

6. Streamlined onboarding:

WooCommerce is focusing on further simplifying the process of setting up a store and getting online faster. They are also improving the workflow for developers who set up stores for merchants. They said that their experience from simplifying the setup process was an approximately 60% increase in completion rates.

7. Modern Store Customization

Another focus is on being able to integrate the customization options available to WordPress in general but WooCommerce is also looking into creating fully optimized commerce-based themes that are specific to WooCommerce.

They write:

“While we’re ensuring compatibility with all block-based themes in the WordPress ecosystem, we’re also exploring what it would look like to provide our own fully block-based, commerce-optimized theme out of the box.”

Six Specific Areas For Future Improvements

1. Flexible product management
2. Optimized order management and fulfillment
3. Revamping merchant analytics
4. Accessible stores
5. Evolving checkout experience
6. Better integration of order confirmation with summary and shipping information

WooCommerce Roadmap Leans In On Community

The Roadmap outlined by WooCommerce recognizes that the user community is its strength, thus it’s focused on building a stronger product based on what developers need to provide merchants with the ecommerce experience merchants expect. Focusing on creating more documentation and videos shows that WooCommerce is engaging to support the WordPress developer community and intends to remain the leading ecommerce platform.

Read the WooCommerce roadmap announcement:

WooCommerce in 2024 and beyond: Roadmap update

Featured Image by Shutterstock/Luis Molinero

WordPress Releases 6.6.1 To Fix Fatal Errors In 6.6 via @sejournal, @martinibuster

A week after releasing the troubled version 6.6, WordPress has released another version that fixes seven major issues including two that caused fatal errors (website crashes), another issue that caused a security plugins to issue false warnings plus several more that created unwanted UI changes.

Fatal Errors In WordPress 6.6

The one issue that got a lot of attention on social media is one that affected users of certain page builders and themes like Divi. The issue, while relatively minor, dramatically changed the look of websites by introducing underlines beneath all links. Some on social media joked that this was a fix and not a bug. While it’s a generally a good user practice to have underlines beneath links, underline aren’t necessary in all links, like in the top-level navigation.

A post on the WordPress.org support forums was the first noticeable indications in social media that something was wrong with WordPress 6.6:

“Updating to 6.6 caused all links to be immediately underlined on a staging divi themed site.”

They outlined a workaround that seemed to alleviate the issue but they were unsure about what the root cause of the problem was.

They then posted:

“But does anyone think this means I still have something wrong with this staging site, or is this a WordPress version update issue, or more likely a divi theme issue I should speak to them about? Also, if anyone is even familiar with expected Rparen error…that I’m just riding with at the moment, that might help. Thanks.”

Divi issued an emergency fix for that their users could apply even though the issue was on the WordPress side, not on the Divi side.

WordPress later acknowledged the bug and reported that they will be issuing a fix in version 6.6.1.

The Other Issues Fixed In 6.6.1

Fatal Error

is_utf8_charset() undefined when called by code in compat.php (causes a fatal error).

A section of code in 6.6 caused a critical issue (fatal error) that prevents the website from functioning normally. It was noticed by users of WP Super Cache. WP Super Cache developed a temporary workaround that consisted of completely disabling the website caching.

Their notation in GitHub stated:

“Disabling the cache removes the error but is far from ideal.”

Php Fatal Error

“PHP Fatal error: Uncaught Error: Object of class WP_Comment could not be converted to string.”

There was a problem with a part of the WordPress code where one part was trying to get the name of the person who left a comment on a post. This part of the program was supposed to receive a number (the comment ID) but sometimes it was getting a more complex piece of information instead (a WP_Comment object) which then triggered a PHP “fatal error.” An analogy might be like trying to fit a square peg into a round hole, it doesn’t work.

This issue was discovered by someone who was using the Divi website builder.

The other bugs that are fixed didn’t cause websites to crash but they were inconvenient:

Read the full details of WordPress 6.6.1 maintenance release:

WordPress 6.6.1 Maintenance Release

Featured Image by Shutterstock/HBRH

WordPress Nested Pages Plugin High Severity Vulnerability via @sejournal, @martinibuster

The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory of a high severity Cross Site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin affecting up to +100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level severity.

Cross Site Request Forgery (CSRF)

The Cross Site Request Forgery (CSRF) is a type of attack that takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to call (execute) PHP files, which are the code level files of WordPress.

There is a missing or incorrect nonce validation, which is a common security feature used in WordPress plugins to secure forms and URLs. A second flaw in the plugin is a missing security feature called sanitization. Sanitization is a method of securing data that’s input or output which is also common to WordPress plugins but in this case is missing.

According to Wordfence:

“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter.”

The CSRF attack relies on getting a signed in WordPress user (like an Administrator) to click a link which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8 which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat which is an even higher level. So at 8.8 it is just short of a critical level threat.

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.

The official changelog documents the security fix:

“Security update addressing CSRF issue in plugin settings”

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail

Featured Image by Shutterstock/Dean Drobot

WordPress Takes Bite Out Of Plugin Attacks via @sejournal, @martinibuster

WordPress announced over the weekend that they were pausing plugin updates and initiating a force reset on plugin author passwords in order to prevent additional website compromises due to the ongoing Supply Chain Attack on WordPress plugins.

Supply Chain Attack

Hackers have been attacking plugins directly at the source using password credentials exposed in previous data breaches (unrelated to WordPress itself). The hackers are looking for compromised credentials used by plugin authors who use the same passwords across multiple websites (including passwords exposed in a previous data breach).

WordPress Takes Action To Block Attacks

Some plugins have been compromised by the WordPress community has rallied to clamp down on further plugin compromises by instituting a forced password reset and encouraging plugin authors to use 2 factor authentication.

WordPress also temporarily blocked all new plugin updates at the source unless they received team approval in order to make sure that a plugin is not being updated with malicious backdoors. By Monday WordPress updated their post to confirm that plugin releases are no longer paused.

The WordPress announcement on the forced password reset:

“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

A discussion in the comments section between a WordPress community member and the author of the announcement revealed that WordPress did not directly contact plugin authors who were identified as using “recycled” passwords because there was evidence that the list of users found in the data breach list whose credentials were in fact safe (false positives). WordPress also discovered that some accounts that were assumed to be safe were in fact compromised (false negatives). That is what led to to the current action of forcing password resets.

Francisco Torres of WordPress answered:

“You’re right that specifically reaching out to those individuals mentioning that their data has been found in data breaches will make them even more sensitive, but unfortunately as I’ve already mentioned that might be inaccurate for some users and there will be others that are missing. What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”

Read the official WordPress announcement:

Password Reset Required for Plugin Authors

Featured Image by Shutterstock/Aleutie

WordPress Plugin Supply Chain Attacks Escalate via @sejournal, @martinibuster

WordPress plugins continue to be under attack by hackers using stolen credentials (from other data breaches) to gain direct access to plugin code.  What makes these attacks of particular concern is that these supply chain attacks can sneak in because the compromise appears to users as plugins with a normal update.

Supply Chain Attack

The most common vulnerability is when a software flaw allows an attacker to inject malicious code or to launch some other kind of attack, the flaw is in the code. But a supply chain attack is when the software itself or a component of that software (like a third party script used within the software) is directly altered with malicious code. This creates the situation where the software itself is delivering the malicious files.

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines a supply chain attack (PDF):

“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.

Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers.”

For this specific attack on WordPress plugins, the attackers are using stolen password credentials to gain access to developer accounts that have direct access to plugin code to add malicious code to the plugins in order to create administrator level user accounts at every website that uses the compromised WordPress plugins.

Today, Wordfence announced that additional WordPress plugins have been identified as having been compromised. It may very well be the case that there will be more plugins that are or will be compromised. So it’s good to understand what is going on and to be proactive about protecting sites under your control.

More WordPress Plugins Attacked

Wordfence issued an advisory that more plugins were compromised, including a highly popular podcasting plugin called PowerPress Podcasting plugin by Blubrry.

These are the newly discovered compromised plugins announced by Wordfence:

• WP Server Health Stats (wp-server-stats): 1.7.6
  Patched Version: 1.7.8
  10,000 active installations
• Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
  Patched Version: 1.2.10
  30,000+ active installations
• PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
  Patched Version: 11.9.6
  40,000+ active installations
• Latest Infection – Seo Optimized Images (seo-optimized-images): 2.1.2
  Patched Version: 2.1.4
  10,000+ active installations
• Latest Infection – Pods – Custom Content Types and Fields (pods): 3.2.2
  Patched Version: No patched version needed currently.
  100,000+ active installations
• Latest Infection – Twenty20 Image Before-After (twenty20): 1.6.2, 1.6.3, 1.5.4
  Patched Version: No patched version needed currently.
  20,000+ active installations

These are the first group of compromised plugins:

• Social Warfare
• Blaze Widget
• Wrapper Link Element
• Contact Form 7 Multi-Step Addon
• Simply Show Hooks

More information about the WordPress Plugin Supply Chain Attack here.

What To Do If Using A Compromised Plugin

Some of the plugins have been updated to fix the problem, but not all of them. Regardless of whether the compromised plugin has been patched to remove the malicious code and the developer password updated, site owners should check their database to make sure there are no rogue admin accounts that have been added to the WordPress website.

The attack creates administrator accounts with the user names of “Options” or “PluginAuth” so those are the user names to watch for. However, it’s probably a good idea to look for any new admin level user accounts that are unrecognized in case the attack has evolved and the hackers are using different administrator accounts.

Site owners that use the Wordfence free or Pro version of the Wordfence WordPress security plugin are notified if there’s a discovery of a compromised plugin. Pro level users of the plugin receive malware signatures for immediately detecting infected plugins.

The official Wordfence warning announcement about these new infected plugins advises:

“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.

Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30 day delay on July 25th, 2024. If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it as soon as possible.”

Read more:

WordPress Plugins Compromised At The Source – Supply Chain Attack

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Featured Image by Shutterstock/Moksha Labs