WordPress Announces Bluehost Managed Cloud Hosting via @sejournal, @martinibuster

WordPress.com and Bluehost announced a new managed WordPress cloud hosting solution that offers optimized WordPress performance features unavailable to traditional shared, VPS and dedicated hosting environments. The new managed WordPress cloud service handles virtually all of the technical details of maintaining a fast and secure website with 100% uptime.

Managed WordPress Hosting

Managed WordPress hosting is a type of hosting that is optimized for WordPress websites, with built-in security and tools for small businesses, developers and agencies.

What’s different about the new Bluehost and WordPress.com hosting is that it brings all of the managed WordPress optimizations to a cloud hosted platform which brings a higher level of performance and scaling that exceeds traditional shared, VPS and dedicated hosting environments.

Managed WordPress Cloud Hosting

The new cloud hosting infrastructure offers built-in security, DDoS protection, a CDN and scaling that virtually assures the site will always be available at the fastest speeds possible.

Managed cloud hosting is basically hosting on a network of servers at a datacenter and can be as large as a global network of datacenters, which offers benefits not available in other hosting environments.

A shared hosting environment is one server hosting thousands of websites. Shared hosting is cheaper, but its performance is generally the lowest of the hosting types.

A Virtual Private Server (VPS) is generally a hosting environment that operates like a dedicated server that is shared with a limited number of other virtual servers on one machine. These offer a high level of performance but they don’t offer the benefits of managed WordPress hosting because it falls on the hosting subscriber to DIY the security and other requirements of hosting.

A dedicated server is one machine that is under control of one publisher. The word “control” is the key to dedicated hosting because a dedicated server offers complete control over the server. It takes technical knowledge to run a dedicated server but delivers incredibly fast and responsive websites.

The cloud hosting environment offers hosting across multiple machines in a datacenter, which is essentially why it’s called a cloud. Unlike other cloud providers, the Bluehost managed WordPress cloud environment is based on a global infrastructure.

According to Bluehost:

“Bluehost Cloud is built and supported by top-tier WordPress experts and powered by a redundant global server infrastructure.

… This platform is built on a scalable, multi-regional fault-tolerant infrastructure, ensuring 100% network uptime and allowing for seamless scaling according to traffic demands.”

Who Bluehost WordPress Managed Cloud Is For

The Bluehost WordPress Cloud hosting environment is meant for publishers and stores that are serious about their business and demand dependable uptime, the highest levels of performance and thoroughly locked down security.

Prices start at $79.99/month and go up to $299/month (early access prices are up to 56% off). The difference between each plan is the amount of virtual centralized processing units (vCPU) and SSD storage space that is allocated. The lowest tier cloud hosting is perfect for one site and the higher priced versions are optimized for hosting multiple sites or one site with a lot of traffic.

Read the announcement on Bluehost.com

Unmatched power, speed, & control with WordPress cloud hosting

Read the announcement at WordPress.com:

WP Cloud Is Powering the Future of WordPress

Featured Image by Shutterstock/file404

WordPress Site Builder Closes – Devs Forced To Rebuild Client Sites via @sejournal, @martinibuster

The Cwicly WordPress website builder toolkit announced that they are shutting down by the end of the year and refunding all 2024 clients. The decision forced developers to halt current projects and begin the process of migrating client websites to other WordPress site builder platforms.

It is an unexpected end to what was regarded as an innovative product, a promising toolkit for creating high performance websites on top of the native Gutenberg full site editor, though one that also drew some criticism.

An email sent by Cwicly to their customers was republished in the Dynamic WordPress Facebook Group.

The email says in part:

“After much deliberation and soul-searching, I have made the difficult decision to discontinue the development of the Cwicly plugin. This decision has been deeply influenced by recent events that have profoundly affected both me personally and the team.

Unfortunately, the relentless onslaught of destructive posts and comments by certain WordPress influencers has created an atmosphere that has made it increasingly challenging for us to continue with our vision for Cwicly.

Since the launch of Cwicly, not only have we had to build our product but have suffered the constant undermining of our choice to embrace the WordPress vision in Gutenberg. In addition, personal attacks on both myself and team members have been made and openly tolerated throughout.

The negativity and hostility directed towards Cwicly, especially in comparison to other page builders, have taken a significant toll on our morale and motivation.”

Brenda Malone (LinkedIn), a freelance web developer and search marketing expert, commented that this might create a chill in new web development tools if the Cwicly event causes developers to lose trust in new companies and stick with the current trusted ones.

She said:

“It is setting a bad precedent–who will trust small software development shops again?

This is awful for the developers who will have to rebuild client sites. What a mess, indeed.”

Cwicly And Gutenberg

Unlike other platforms, Cwicly was built to work with Gutenberg, adding developer-friendly options that extended what was possible with the Gutenberg full site editor alone.

One of the innovations that helped to create a buzz around Cwicly was the integration of Tailwind, an open source CSS framework that helps speed up site development. But the Tailwind integration was also a source of criticism because it was a partial implementation that was planned to roll out in stages with more features planned for the near future.

A quality that many loved about Cwicly is that it’s basically a blank slate that can be developed upon without the burden of having to deal with the extra code imposed by some page builders. That same plus was also seen by others as negative because it was perceived by some to present an additional hurdle to creating a website fast.

It could be seen then that for every step forward there was also the perception of another step back. Despite the developer-friendly innovations that helped create a buzz around Cwicly, there was also a sense that it wasn’t fully finished, and for whatever reason it just didn’t catch on as quickly as other professional page builders like Bricks Builder and Breakdance.

David McCan, an early supporter of Cwicly who regarded it as “cutting edge”, recently wrote an article discussing a peculiar reticence in the developer community to commit to Cwicly.

He wrote:

“With that long list of amazing features, why isn’t Cwicly more popular? Why aren’t more people using it? Why is it still something that a lot of people are watching, but they haven’t committed to? This paradox is what I’m calling the Cwicly Conundrum. People are interested in Cwicly and watching it, but they haven’t necessarily fully embraced it.”

What WordPress Developers Are Saying

Adam J. Humphreys (LinkedIn) of web development and SEO company Making 8 suggested possible next steps.

He commented to SEJ:

“I recommend users switch over to Bricks Builder asap to avoid further security escalations.

Bricks builder embraces both extra features for purists and a simple interface for new users. It’s something one can build a design career around. That’s why Bricks has picked up so much momentum. The community surrounding software is what makes all the difference. Keeping the community involved and integrated is what makes a platform strong.”

Reaction On Reddit

The reaction on Reddit was polarized with some expressing a certain amount of understanding while others felt it was a bad move.

One Redditor wrote:

“As a current paying member, a few minutes ago I got an email from Louis mentioning the discontinuation of Cwicly due to the hostility of some WordPress influencers and constant criticism.

Now, this has put me, and I imagine many others, in a very precarious situation. I’m halfway through rebuilding our 5 websites that were going to launch this month. Obviously I’m not going to do that now, since I’d have to redo them in a few months when Cwicly stops working altogether.”

Another Redditor responded:

“We are leaving with your money because some random people said they did not like us. What a lame excuse to scam buyers….”

Others were more sympathetic, pointing out that Cwicly was refunding all fees paid by users in 2024. Others expressed disappointment at having purchased a Cwicly license with the expectation that it would be around, and at now being forced to redo websites built with it, because once development stops there will be no more updates to keep it compatible with future versions of PHP and the WordPress core, including security updates. What that means is that any site still using Cwicly may eventually stop functioning as the WordPress core evolves to take advantage of new PHP versions, and may be unable to upgrade to newer versions of WordPress because of inevitable incompatibilities.

Sunsetting Of Cwicly

The sunsetting of Cwicly by the end of 2024 illustrates the challenges of innovating a product, particularly in a marketplace that has many active competitors with full-featured products. Any shortcomings are bound to be noticed and amplified by social media, which in this case had a demoralizing effect.

Featured image by Shutterstock/photosince

Bricks Builder For WordPress RCE Vulnerability via @sejournal, @martinibuster

Bricks Visual Site Builder for WordPress recently patched a critical severity vulnerability rated 9.8/10 which is actively being exploited right now.

Bricks Builder

Bricks Builder is a popular WordPress development theme that makes it easy to create attractive and fast performing websites in hours that would cost up to $20,000 of development time to build from scratch without it. Ease of use and developer components for CSS have made it a popular choice for developers.

Unauthenticated RCE Vulnerability

Bricks Builder is affected by a remote code execution (RCE) vulnerability. It’s rated 9.8/10 on the Common Vulnerability Scoring System (CVSS), which is nearly the highest level.

What makes this vulnerability particularly bad is that it’s an unauthenticated vulnerability, which means that a hacker doesn’t need to obtain login credentials to exploit it. Any hacker who knows of the vulnerability can exploit it, which in this case means an attacker can execute code.

Wordfence describes what can happen:

“This makes it possible for unauthenticated attackers to execute code on the server.”

The details of the vulnerability have not been officially published.

According to the official Bricks Builder changelog:

“We just released a mandatory security update with Bricks 1.9.6.1.

A leading security expert in the WordPress space just brought this vulnerability to our attention, and we instantly got to work, providing you now with a verified patch.

As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed.

We advise you to update all your Bricks sites immediately.”

Vulnerability Is Being Actively Exploited

According to Adam J. Humphreys (LinkedIn), founder of the web development company Making 8, the vulnerability is actively being exploited. The Bricks Builder Facebook community is said to be responding to affected users with information on how to recover from the vulnerability.

Adam J. Humphreys commented to SEJ:

“Everyone is getting hit bad. People on hosts without good security got exploited. A lot of people are dealing with it now. It’s a bloodbath and it’s the number one rated builder.

I have strong security. I’m so glad that I’m very protective of clients. It all seemed overkill until this.

People on hosts without good security got exploited.

SiteGround when installed has WordPress security. They also have a CDN and easy migrations with their plugin. I’ve found their support more responsive than the most expensive hosts. The WordPress security plugin at SiteGround is good but I also combine this with Wordfence because protection never hurts.”

Recommendations:

All Bricks Builder users are encouraged to update to the latest version, 1.9.6.1.

The Bricks Builder changelog announcement advises:

“Update Now: Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The earlier, the better.

Backup Caution: If you use website backups, remember they may include an older, vulnerable version of Bricks. Restoring from these backups can reintroduce the vulnerability. Please update your backups with the secure 1.9.6.1 version.”

This is a developing event, more information will be added when known.

WordPress User Survey Indicates Rising Frustration via @sejournal, @martinibuster

WordPress released the results of their annual user and developer survey which showed mixed feelings about the direction the software is going and an increasing sense of not being welcome in the overall WordPress community.

The Gutenberg Editor

Gutenberg is the modernized version of the default site editor, which brings the paradigm of a visual editor to the WordPress core.

Third party visual WordPress editors have revolutionized the process of building websites with WordPress, making it relatively easy to create websites with intuitive interfaces.

That was the goal behind Gutenberg, which introduced the full site editor in 2022. The WordPress core development team have spent the last two years making incremental improvements to the user interface to make it more intuitive as well as adding more features.

What was reflected in the 2023 annual survey, especially in contrast to the previous year, is a sense that users are feeling less confident in Gutenberg, even though more publishers are using Gutenberg now than at any other time.

Which Editor Do You Use?

Question nine tracks the percentage of users adopting Gutenberg, showing a steady increase of users from 37% in 2020 to 60% in 2023.

But according to the answers to question 10, which asks whether WordPress meets their needs, 29% disagreed that WordPress meets their needs and less than half of users (45%) agreed that it did. A full 26% of respondents answered that they were neutral.

Those results mean that 55% of WordPress users did not answer that WordPress meets their needs. This was the first year the question was asked so there’s no data to show whether that’s an increase or a decrease but it’s still an underwhelming result.

Fewer Users Believe WordPress Is As Good As Others

Question #19 asked if WordPress was as good as or better than other site builders and content management systems.

In 2022, 68% of users agreed that WordPress was as good as or better. That number dropped to 63% in 2023.

The number of users who disagreed that WordPress is as good as or better increased from 9% in 2022 to 13% in 2023 and the number of people who were neutral increased by 1% to 24% of respondents.

That means that in 2023, 37% of WordPress users responding to the survey did not agree with the statement that WordPress is as good as or better, an increase of five percentage points from the previous year.

Clearly the results about how users feel about Gutenberg and WordPress in general indicate that users are losing confidence in WordPress.

That response must surely be a disappointment to the core development team, because the 2023 version of Gutenberg is actually more intuitive to use than it has ever been and WordPress performance scores are also at all-time highs.

So what’s going on? Why are user satisfaction signals trending downward?

Why User Satisfaction Is Trending Downward

A clue as to why user happiness and confidence in WordPress is trending downward may have something to do with users looking over the fence at the Wix and Duda platforms that boast significantly better performance scores and are also easier to build websites with.

On the other side of the fence are third-party website builders (like Bricks Builder, Breakdance Website Builder, and Elementor) and WordPress hosts (Bluehost) that offer an arguably superior website building experience for developers who need advanced flexibility and for users who don’t know how to code.

Perhaps a clue to why user satisfaction is dropping can be found in the answers to question 20, which asks what the three best things are about WordPress.

The biggest declines were for:

  1. Ease of use
  2. Flexibility
  3. Cost
  4. Block themes

Ease Of Use
In 2022, 32% of users cited Ease Of Use as one of the three best things about WordPress. In 2023 that number dropped to 21.7%.

Flexibility
Flexibility ranked 31% in 2022 but by 2023 that ranking dropped to 18.5%.

Cost
In 2022 37% of users cited Cost as one of the best things but by 2023 that number collapsed to 17%.

Block Themes
Block Themes went from 10% citing block themes as one of the three best things to only 5.3% in 2023.

Users aren’t feeling it for WordPress, and that lack of “feels” is reflected in the market share statistics reported by W3Techs, which indicate a two-year downward trend in market share.

Market share was 43.3% in 2022 (as cited in an article by Joost de Valk); according to W3Techs it dropped to 43.2% in February 2023 and then further to 43.1% in February 2024.

Wix usage increased from 2.5% in February 2023 to 2.6% in 2024. Shopify went from 3.8% in 2023 to 4.3% in 2023.

Joost de Valk, co-founder of Yoast SEO, sounded the alarm back in 2022 when he noted that WordPress market share was shrinking, pointing to the slow pace of performance improvements and the difficulty of using WordPress as two major reasons for the shrinking market share.

The article written by Joost explained:

“WordPress has a performance team now, and it has made some progress. But the reality is that it hasn’t really made big strides yet… I think WordPress, for the first time in a decade, is being out-‘innovated’.”

What Frustrates WordPress Users

Another clue as to why WordPress users are increasingly expressing dissatisfaction is what they feel most frustrated about, recorded in question 21, where survey respondents were asked to choose the top three most frustrating things.

The answer of “too many plugins (finding the right one)” experienced a whopping 133% change, with 8% citing too many plugins in 2022 and 18.6% in 2023.

Site editing experience (17%), security (16.4%), and performance (16.2%) were top sources of frustration with WordPress.

One bright spot is that the number of respondents who were frustrated because site editing is difficult to learn dropped from 26% in 2022 to 15% in 2023.

Those answers were echoed in question 25 that asked which three areas of WordPress need more attention.

Here are the top five areas users say need more attention:

  1. Performance 19%
  2. Security 18%
  3. Developer resources (examples, demos, docs, tutorials, etc.) 16%
  4. Design/UI 14%
  5. Core functionality/stability 13%

The Future Of WordPress

WordPress was at a crossroads two years ago with regard to site performance, and they took steps to address those problems. But their competitors are “out-innovating” them by improving at a faster pace, not just in site speed but in ease of use, SEO and features.

The results of this survey provide clear direction to the WordPress community who have a history of being responsive to user needs. Part of the solution is acknowledging search marketing, affiliate and publishing communities who are influential but not recognized in the annual surveys.

When I saw the survey last year I offered the core development team feedback about question number five which asked how respondents used WordPress.

These were the choices:

  • A personal or passion project
  • A service offering for my clients
  • A platform for running my business
  • A website for my employer or place of work
  • School or academics or research
  • None of the above

What was missing were the categories of content publishing, affiliate marketing, recipe bloggers and local businesses.

Lumping WordPress users like Disney with family-run restaurants and recipe bloggers into the category of a “platform for running my business” is unhelpful and provides little actionable insights. That oversight feeds into the perception that WordPress is aloof to the millions of users that the survey seeks to understand.

The good news is that WordPress is not aloof. The survey provides feedback on how the publishing community feels. My email conversations with members of the core development team make it clear to me that they are keen to embrace all their users as part of the greater WordPress community.

Read the summary of the WordPress survey:

2023 Annual Survey Results and Next Steps

Download the PDF version with more details:

Report for 2023 WordPress Annual Survey

Featured Image by Shutterstock/Krakenimages.com

WordPress SiteOrigin Widgets Bundle Plugin Vulnerability Affects +600,000 Sites via @sejournal, @martinibuster

SiteOrigin Widgets Bundle WordPress plugin with over 600,000 installations patched an authenticated stored cross-site scripting (XSS) vulnerability that could allow attackers to upload arbitrary files and expose site visitors to malicious scripts.

SiteOrigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin, with +600,000 active installations, provides a way to easily add a multitude of widget functions like sliders, carousels and maps, change the way blog posts are displayed, and add other useful webpage elements.

Stored Cross-Site Scripting Vulnerability

A Cross-Site Scripting (XSS) vulnerability is a flaw that allows a hacker to inject (upload) malicious scripts. In WordPress plugins, these kinds of vulnerabilities arise from input data not being properly sanitized (filtered for untrusted data) and also from output data not being properly secured (called escaping data).

This particular XSS vulnerability is called a Stored XSS because the attacker is able to inject the malicious code into the server itself. According to the non-profit Open Worldwide Application Security Project (OWASP), the ability to launch an attack directly from the website makes it particularly concerning.

OWASP describes the stored XSS threat:

“This type of exploit, known as Stored XSS, is particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the attack will affect multiple users.”

In an XSS attack, once a script has been successfully injected, the attacker’s harmful script is delivered to an unsuspecting site visitor. The visitor’s browser, because it trusts the website, executes the script. This can allow the attacker to access cookies, session tokens and other sensitive website data.

Vulnerability Description

The vulnerability arose because of flaws in sanitizing inputs and escaping data.

The WordPress developer page for security explains sanitization:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

Escaping data in a WordPress plugin is a security function that filters out unwanted output.

Both of those functions needed improvement in the SiteOrigin Widgets Bundle plugin.

Wordfence described the vulnerability:

“The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the onclick parameter in all versions up to, and including, 1.58.3 due to insufficient input sanitization and output escaping.”

This vulnerability requires authentication before it can be exploited, which means the attacker needs at least contributor-level access in order to be able to launch an attack.
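To make the sanitization and escaping points above concrete, here is an added example (written for this article, not SiteOrigin’s code) of a hypothetical widget that stores a button label and an inline click handler. The first render function shows the pattern that produces a stored XSS; the second pair sanitizes on save and escapes on output. The stand-in functions at the top are assumptions so the file also runs from the PHP command line; inside WordPress the real `sanitize_text_field()`, `esc_attr()`, `esc_html()` and `current_user_can()` are used instead.

```php
<?php
// Added example, not code from the SiteOrigin Widgets Bundle plugin.
// Minimal stand-ins (assumptions) so this also runs outside WordPress: php widget.php
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) { return trim( strip_tags( (string) $str ) ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'current_user_can' ) ) {
    // Models a contributor: no unfiltered_html capability.
    function current_user_can( $cap ) { return false; }
}

// BEFORE: settings are stored as submitted and echoed straight into markup.
// A contributor who saves onclick="alert(document.cookie)" gets that script
// executed in the browser of every visitor who sees the widget (stored XSS).
function vulnerable_render_button( array $instance ) {
    return '<button onclick="' . $instance['onclick'] . '">' . $instance['label'] . '</button>';
}

// AFTER, step 1 (sanitize on save): strip tags and whitespace from the label.
// An inline handler is executable JavaScript by design, so no amount of
// escaping makes an attacker-chosen value safe; keep it only when the saving
// user already holds unfiltered_html (administrators by default).
function hardened_update( array $new_instance ) {
    $instance            = array();
    $instance['label']   = sanitize_text_field( $new_instance['label'] ?? '' );
    $instance['onclick'] = current_user_can( 'unfiltered_html' )
        ? sanitize_text_field( $new_instance['onclick'] ?? '' )
        : '';
    return $instance;
}

// AFTER, step 2 (escape on output): esc_attr() in attribute context so a value
// cannot break out of the quotes, esc_html() in text context.
function hardened_render_button( array $instance ) {
    $html = '<button';
    if ( '' !== $instance['onclick'] ) {
        $html .= ' onclick="' . esc_attr( $instance['onclick'] ) . '"';
    }
    return $html . '>' . esc_html( $instance['label'] ) . '</button>';
}

// Constructed untrusted input, as a contributor might submit it.
$untrusted = array( 'label' => '<b>Buy</b>', 'onclick' => 'alert(document.cookie)' );

echo vulnerable_render_button( $untrusted ), "\n";
// <button onclick="alert(document.cookie)"><b>Buy</b></button>  (script reaches every visitor)

echo hardened_render_button( hardened_update( $untrusted ) ), "\n";
// <button>Buy</button>  (tags stripped, handler dropped for a contributor)
```

The split matters: sanitizing on save protects the database from untrusted markup, while escaping on output protects the page even when data reached the database some other way. The widget fix the article describes needed both.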

Recommended action:

The vulnerability was assigned a medium CVSS severity level, scoring 6.4/10. Plugin users should consider updating to the latest version, which is version 1.58.5, although the vulnerability was patched in version 1.58.4.

Read the Wordfence vulnerability advisory:

SiteOrigin Widgets Bundle <= 1.58.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

WordPress Backup Plugin DoS Vulnerability Affects +200,000 Sites via @sejournal, @martinibuster

A popular WordPress backup plugin installed in over 200,000 websites recently patched a high severity vulnerability that could lead to a denial of service attack. Wordfence assigned a CVSS severity level rating of High, with a score of 7.5/10, indicating that plugin users should take note and update their plugin.

Backuply Plugin

The vulnerability affects the Backuply WordPress backup plugin. Creating backups is a necessary function for every website, not just WordPress sites, because backups help publishers roll back to a previous version should the server fail and lose data in a catastrophic failure.

Website backups are invaluable for site migrations, hacking recovery and failed updates that render a website non-functional.

Backuply is an especially useful plugin because it backs up data to multiple trusted third party cloud services and supports multiple ways to download local copies, creating redundant backups so that if a cloud backup is bad the site can be recovered from another backup stored locally.

According to Backuply:

“Backuply comes with Local Backups and Secure Cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy One-click restoration.”

Vulnerability Affecting Backuply

The United States Government National Vulnerability Database warns that Backuply up to and including version 1.2.5 contains a flaw that can lead to denial of service attacks.

The warning explains:

“This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.”

Denial Of Service (DoS) Attack

A denial of service (DoS) attack is one in which a flaw in software allows an attacker to make so many rapid requests that the server runs out of resources and can no longer process any further requests, including serving webpages to site visitors.

A feature of DoS attacks is that it is sometimes possible to upload scripts, HTML or other code that can then be executed, allowing the attacker to perform virtually any action.

Vulnerabilities that enable DoS attacks are considered critical, and steps to mitigate them should be taken as soon as possible.

Backuply Changelog Documentation

The official Backuply changelog, which announces the details of every update, notes that a fix was implemented in version 1.2.6. Backuply’s transparency and rapid response are responsible and a sign of a trustworthy developer.

According to the Changelog:

“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] In some cases it was possible to fill up the logs and has been fixed. Reported by Villu Orav (WordFence)”
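The NVD description (direct access to a plugin PHP file by unauthenticated callers) and the changelog entry (logs that could be filled up) together describe one failure mode: a script that does work on every request without WordPress ever being loaded to authorize it. The following is an added example, not Backuply’s code, of a hypothetical restore helper with the three controls a reviewer would look for. The file name, hook name and log path are assumptions.

```php
<?php
// Added example, not code from the Backuply plugin. Hypothetical file
// wp-content/plugins/example-backup/restore.php
//
// 1. Refuse direct access. When a plugin file is requested by URL, WordPress
//    has not been loaded, so ABSPATH is undefined and nothing below executes.
//    This closes the "direct access of <file>.php" path entirely.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// 3. Bound the log so that even a legitimate burst cannot exhaust disk space.
//    Keeps the current file under $max_bytes with one rotated generation.
function example_restore_log( string $line, int $max_bytes = 1048576 ): void {
    $file = WP_CONTENT_DIR . '/example-restore.log';   // assumed path
    if ( file_exists( $file ) && filesize( $file ) > $max_bytes ) {
        rename( $file, $file . '.1' );                  // overwrites the previous generation
    }
    file_put_contents( $file, gmdate( 'c' ) . ' ' . $line . "\n", FILE_APPEND | LOCK_EX );
}

// 2. Reach the expensive path only through a WordPress-dispatched request that
//    is authenticated (admin_post_, not admin_post_nopriv_), authorized by
//    capability, and carries a nonce for this specific action.
function example_restore_handler(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_restore' );   // dies with 403 on a bad/missing nonce

    example_restore_log( 'restore requested by user ' . get_current_user_id() );
    // ... the actual restore work would run here ...

    wp_safe_redirect( admin_url( 'admin.php?page=example-backup&restored=1' ) );
    exit;
}
add_action( 'admin_post_example_restore', 'example_restore_handler' );

// Form that issues the request (assumed admin page); wp_nonce_field() emits the
// hidden field that check_admin_referer() verifies above.
function example_restore_form(): void {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_restore">';
    wp_nonce_field( 'example_restore' );
    echo '<button class="button button-primary">Restore latest backup</button></form>';
}
```

The order is deliberate: the ABSPATH guard stops anonymous direct hits before any code runs, the capability check and nonce limit who can trigger the work through WordPress, and the size cap limits the damage if a permitted caller misbehaves.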

Recommendations

In general it is highly recommended that all users of the Backuply plugin update their plugin as soon as possible in order to prevent an unwanted security event.

Read the National Vulnerability Database description of the vulnerability:

CVE-2024-0842

Read the Wordfence Backuply vulnerability report:

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

Featured Image by Shutterstock/Doppelganger4

WordPress Website Builder Vulnerability Affects Nearly 1 Million Websites via @sejournal, @martinibuster

A significant vulnerability has been patched in the Website Builder by SeedProd that has over 900,000 installations. This vulnerability, present in versions up to and including 6.15.21, poses a risk for unauthorized data modification on WordPress sites.

Vulnerability Details: Missing Capability Check

The vulnerability that was discovered is called a missing capability check within the ‘seedprod_lite_new_lpage’ function.

Capabilities are specific actions that users or roles are allowed to perform. A capability check is an important security feature in WordPress for managing permissions and access control; it determines whether a user has the authority to perform a specific action.

It’s similar to a role check, except that a role check verifies the user’s role (administrator, editor, etc.), while a capability check verifies whether the user has a specific permission. A capability check therefore provides more granular control over permissions than a role check.

The missing capability check allows unauthenticated attackers to potentially modify the content of various pages created using the plugin, such as coming-soon or maintenance pages. The absence of this security feature exposes websites to risks of data tampering.

Unauthorized Data Modification

Unauthorized modification of data is a serious security issue. It arises from a flaw where unauthorized individuals can alter data, leading to potential exploits. Addressing this kind of vulnerability in the Website Builder plugin is highly recommended.

Severity and Impact: High-Risk Exposure

The vulnerability is rated 8.2 on a scale of 1 to 10, with a severity rating classified as ‘High’ according to the Common Vulnerability Scoring System (CVSS). The high rating indicates how serious the potential impact is.

This vulnerability is so new that there is currently no entry in the National Vulnerability Database for the assigned CVE number CVE-2024-1072.

However, Wordfence WordPress security researchers emphasized the seriousness of the Website Builder by SeedProd vulnerability:

“This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin.”

Recommendation For Website Builder Plugin Users

The publisher of the Website Builder by SeedProd has responded by releasing an updated version, 6.15.22, which addresses this vulnerability. The update includes a security nonce to mitigate the risk, and users of the plugin are strongly advised to update immediately to secure their website against attacks.

Regarding the nonce, WordPress explains what it is:

“A nonce is a ‘number used once’ to help protect URLs and forms from certain types of misuse, malicious or otherwise.

…They help protect against several types of attacks…”
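As an added example (written for this article, not SeedProd’s code) of the two controls discussed above, the capability check and the nonce, here is a hypothetical AJAX action that saves landing-page content. The first handler has the shape the Wordfence advisory describes: reachable without authorization. The second verifies a nonce and then a capability before touching stored data. It assumes WordPress is loaded as a plugin; the action names, option name and script handle are made up.

```php
<?php
/**
 * Plugin Name: Example Landing Page Handler
 * Added illustration, not the Website Builder by SeedProd plugin's code.
 */

// BEFORE (do not ship): registered for anonymous callers as well, and the
// handler never asks whether the caller is allowed to do this. Anyone who posts
// to admin-ajax.php?action=example_new_lpage_unsafe can replace the stored page.
add_action( 'wp_ajax_nopriv_example_new_lpage_unsafe', 'example_new_lpage_unsafe' );
add_action( 'wp_ajax_example_new_lpage_unsafe', 'example_new_lpage_unsafe' );
function example_new_lpage_unsafe() {
    update_option( 'example_lpage_html', wp_unslash( $_POST['html'] ?? '' ) );
    wp_send_json_success();
}

// AFTER: logged-in callers only (no nopriv hook), then nonce, then capability.
add_action( 'wp_ajax_example_new_lpage', 'example_new_lpage' );
function example_new_lpage() {
    // 1. Nonce: proves the request originated from a form or script this site
    //    issued to this user, which defeats cross-site request forgery.
    //    Dies with HTTP 403 when the 'nonce' field is missing or stale.
    check_ajax_referer( 'example_new_lpage', 'nonce' );

    // 2. Capability, not role: ask for the specific permission the action needs
    //    rather than "is this user an administrator?".
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Sanitize before storing: wp_kses_post() keeps the HTML an editor may post
    //    and strips script and event-handler attributes.
    $html = wp_kses_post( wp_unslash( $_POST['html'] ?? '' ) );
    update_option( 'example_lpage_html', $html );
    wp_send_json_success( array( 'length' => strlen( $html ) ) );
}

// Issue the nonce to the admin-side script that calls the action. The script
// file admin.js and its handle are assumed to exist in this plugin directory.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleLpage', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_new_lpage' ),
    ) );
    wp_enqueue_script( 'example-admin' );
} );
```

The nonce and the capability check answer different questions: the nonce asks “did this request come from my own page?”, the capability check asks “is this user allowed to do this at all?”. A fix that adds only a nonce still relies on the caller being logged in, which is why the handler above keeps both.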

Read the announcement by Wordfence:

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpag

Read the official SeedProd Changelog

Featured Image by Shutterstock/Nikulina Tatiana

WordPress 6.4.3 Security Release Fixes Two Vulnerabilities via @sejournal, @martinibuster

WordPress announced a security release version 6.4.3 as a response to two vulnerabilities discovered in WordPress plus 21 bug fixes.

PHP File Upload Bypass

The first patch is for a PHP File Upload Bypass Via Plugin Installer vulnerability. It’s a flaw in WordPress that allows an attacker to upload PHP files via the plugin and theme uploader. PHP is a scripting language that is used to generate HTML. PHP files can also be used to inject malware into a website.

However, this vulnerability is not as bad as it sounds because the attacker needs administrator level permissions in order to execute this attack.

PHP Object Injection Vulnerability

According to WordPress the second patch is for a Remote Code Execution POP Chains vulnerability which could allow an attacker to remotely execute code.

An RCE POP Chains vulnerability typically means that there’s a flaw that allows an attacker, typically through manipulating input that the WordPress site deserializes, to execute arbitrary code on the server.

Serialization is the process where data is converted into a serialized format (like a text string); deserialization is the part where it’s converted back into its original form.

Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t mention the RCE POP Chains part.

This is how Wordfence describes the second WordPress vulnerability:

“The second patch addresses the way that options are stored – it first sanitizes them before checking the data type of the option – arrays and objects are serialized, as well as already serialized data, which is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade.”

This is also a low threat vulnerability in that an attacker would need administrator level permissions to launch a successful attack.

Nevertheless, the official WordPress announcement of the security and maintenance release recommends updating the WordPress installation:

“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.”

Bug Fixes In WordPress Core

This release also fixes five bugs in the WordPress core:

  1. Text isn’t highlighted when editing a page in latest Chrome Dev and Canary
  2. Update default PHP version used in local Docker Environment for older branches
  3. wp-login.php: login messages/errors
  4. Deprecated print_emoji_styles produced during embed
  5. Attachment pages are only disabled for users that are logged in

In addition to the above five fixes to the Core there are an additional 16 bug fixes to the Block Editor.

Read the official WordPress Security and Maintenance Release announcement

WordPress descriptions of each of the 21 bug fixes

The Wordfence description of the vulnerabilities:

The WordPress 6.4.3 Security Update – What You Need to Know

Featured Image by Shutterstock/Roman Samborskyi

The importance of accessibility in WordPress

WordPress and the community around it are very committed to making websites as accessible as possible. Websites should be accessible to every visitor and anyone should be able to use WordPress to create their website or application. To keep accessibility top of mind, there’s a dedicated Accessibility Team that provides expertise and further improves WordPress in this regard. Let’s dive into what accessibility means in the world of WordPress and what you can do to contribute to a more accessible web.

One of the cool things about WordPress is that it’s an open source project. One that invites people from all over the world to work on it. Behind it is a very diverse community of people that works towards creating a platform that anyone can use. So naturally, accessibility is a big theme in WordPress.

Accessibility Coding Standards

So how can you keep an eye on the accessibility of WordPress with so many different people contributing to the platform? This is where the Accessibility Coding Standards come in. Since 2016, these have been added to the Core Handbook as a part of the code standards for WordPress developers. This resource helps contributors make sure their code conforms to the Web Content Accessibility Guidelines (WCAG) 2.1, at level AA. This means WordPress will be making the product more accessible with every new update. 

A short explanation of WCAG 2.1, level AA

The Web Content Accessibility Guidelines (WCAG) 2.1 cover a wide range of recommendations to make online content more accessible. Accessible to a wider range of people with disabilities, including accommodations for blindness and low vision, deafness and hearing loss, limited movement, speech disabilities, photosensitivity, and combinations of these. And some accommodations for learning disabilities and cognitive limitations.

The Level AA is used as a reference for a legal standard in many countries worldwide. Level AA success criteria address concerns that are more complicated to address and impact smaller groups of people, but are still common needs with broad reach.

The next step: ATAG compliance

Right now, any new WordPress code needs to meet the WCAG 2.1, level AA. An additional goal that the community is working towards is ATAG compliance. ATAG stands for Authoring Tool Accessibility Guidelines, guidelines on how to create a tool for creating web pages that are both accessible and encourage the creation of accessible content. At the moment, WordPress is not ATAG compliant yet. However, the community has pledged to pursue features that are in line with achieving this goal.

Check the accessibility of your site

If you think your audience doesn’t profit from accessibility, think again. Not only does an accessible website grow your audience, but following these guidelines often makes your website more usable for all users. Talk to your developers. Check the accessibility of your site. If you’re using an old version of WordPress, update to a newer version to benefit from the latest developments in accessibility.

Free accessibility tools for your site

Running your code through the W3C Validator every once in a while helps you determine if you’re using clean code. Usually, the recommendations this validator gives you, are easy to fix. And they might already make a huge difference in terms of accessibility.

Another great and very easy-to-use tool is WAVE. Just install the browser extension and see for yourself:

The WAVE extension analyses a variety of possible accessibility issues. In the screenshot above, you can see things like missing form labels and contrast issues. This WAVE analysis is done in seconds, it shows you where the problems are on your page and it tells you where your website can be improved for accessibility.

Contrast is also really easy to test and improve. Simply use the contrast tool in WAVE or go to the WebAIM contrast checker. If you’re interested in more tools that can help you, read our post on how to improve the accessibility of your website.

Progress, not perfection

After running your website through the accessibility checker or reading through all the guidelines, you might wonder whether it’s even worth the effort. But remember, every change to your website makes it a bit more accessible. Makes your potential audience bigger and your user experience better. It’s about taking accessibility seriously and handling the main issues first. Nobody’s perfect, but it is important to keep an open mind and be willing to improve your website.

Read more: How to improve the accessibility of your website »


Better Search Replace WordPress Vulnerability Affects Up To +1 Million Sites via @sejournal, @martinibuster

A critical severity vulnerability was discovered and patched in the Better Search Replace plugin for WordPress which has over 1 million active website installs. Successful attacks could lead to arbitrary file deletions, sensitive data retrieval and code execution.

Severity Level Of Vulnerability

The severity of vulnerabilities is scored on a point system, with ratings ranging from low to critical:

  • Low 0.1-3.9
  • Medium 4.0-6.9
  • High 7.0-8.9
  • Critical 9.0-10.0

The severity of the vulnerability discovered in the Better Search Replace plugin is rated as Critical, which is the highest level, with a score of 9.8 on the severity scale of 1-10.

Screenshot of the 9.8 severity score of the vulnerability discovered in the Better Search Replace WordPress plugin. Illustration by Wordfence

Better Search Replace WordPress Plugin

The plugin is developed by WP Engine but was originally created by the Delicious Brains development company, which was acquired by WP Engine. Better Search Replace is a popular WordPress tool that simplifies and automates the process of running a search and replace task on a WordPress website database, which is useful in a site or server migration. The plugin comes in a free and a paid Pro version.

The plugin website lists the following features of the free version:

  • “Serialization support for all tables
  • The ability to select specific tables
  • The ability to run a “dry run” to see how many fields will be updated
  • No server requirements aside from a running installation of WordPress
  • WordPress Multisite support”

The paid Pro version has additional features such as the ability to track what was changed, the ability to back up and import the database while the plugin is running, and extended support.

The plugin’s popularity is due to the ease of use, usefulness and a history of being a trustworthy plugin.

PHP Object Injection Vulnerability

A PHP Object Injection vulnerability, in the context of WordPress, occurs when a user-supplied input is unsafely unserialized. Unserialization is a process where string representations of objects are converted back into PHP objects.

The non-profit Open Worldwide Application Security Project (OWASP) offers a general description of the PHP Object Injection vulnerability:

“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.

The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a ‘POP chain’.
  • All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.”

If an attacker can upload (inject) an input to include a serialized object of their choosing, they can potentially execute arbitrary code or compromise the website’s security. As mentioned above, this type of vulnerability usually arises due to inadequate sanitization of user inputs. Sanitization is a standard process of vetting input data so that only expected types of input are allowed and unsafe inputs are rejected and blocked.

In the case of the Better Search Replace plugin, the vulnerability was exposed in the way it handled deserialization during search and replace operations. The one ingredient missing in this scenario was a POP chain – a series of linked classes and functions that an attacker can use to trigger malicious actions when an object is unserialized.

While the Better Search Replace plugin itself did not contain such a chain, the risk remained that if another plugin or theme installed on the same website contained a POP chain, it could allow an attacker to launch attacks.

Wordfence describes the vulnerability:

“The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input.
This makes it possible for unauthenticated attackers to inject a PHP Object.

No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”

In response to this discovery, WP Engine promptly addressed the issue. The changelog entry for the update to version 1.4.5, released on January 18, 2024, highlights the measures taken:

“Security: Unserializing an object during search and replace operations now passes ‘allowed_classes’ => false to avoid instantiating the object and potentially running malicious code stored in the database.”

This update came after Wordfence’s responsible disclosure of the vulnerability on December 18, 2023, which was followed by WP Engine’s development and testing of the fix.
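The following is an added example, not the Better Search Replace plugin's code, that shows the mechanism behind both this item and the deserialization description in the WordPress 6.4.3 item above: `unserialize()` on untrusted data instantiates whatever class the string names and runs its magic methods, whereas the `'allowed_classes' => false` option from the 1.4.5 changelog yields an inert `__PHP_Incomplete_Class` that can still be inspected and re-serialized. The `ExampleGadget` class and the serialized string are constructed stand-ins; the search-and-replace helper is a minimal illustration, not the plugin's implementation. It runs as a plain PHP CLI script with no WordPress dependency.

```php
<?php
// Added example, not the Better Search Replace plugin's code. Run with: php this.php

// Constructed stand-in for any class a plugin or theme might declare. A real
// POP chain would do something harmful in a magic method; here __wakeup only
// counts how many times PHP invoked it.
class ExampleGadget {
    public static $wakeups = 0;
    public $path = '';
    public function __wakeup() {
        self::$wakeups++;
    }
}

// Constructed input: what an attacker-controlled serialized value stored in the
// database (an option or post meta, say) might look like.
$untrusted = 'O:13:"ExampleGadget":1:{s:4:"path";s:16:"/tmp/constructed";}';

// Vulnerable pattern: unserialize() with default options instantiates
// ExampleGadget and runs __wakeup() before the caller ever sees the value.
$obj = unserialize( $untrusted );
printf( "default unserialize: %s, __wakeup ran %d time(s)\n",
    get_class( $obj ), ExampleGadget::$wakeups );

// Fixed pattern (as in the 1.4.5 changelog): allowed_classes => false turns
// every object into __PHP_Incomplete_Class even though ExampleGadget is
// declared. No constructor or magic method runs, but the original class name
// and properties are retained, so serialize() reproduces the original string.
ExampleGadget::$wakeups = 0;
$safe = unserialize( $untrusted, array( 'allowed_classes' => false ) );
printf( "guarded unserialize: %s, __wakeup ran %d time(s)\n",
    get_class( $safe ), ExampleGadget::$wakeups );

// A minimal search-and-replace over possibly serialized data built on the
// guarded call. Strings and arrays are rewritten recursively; incomplete
// objects are passed through untouched, which keeps them inert and lets
// serialize() write them back out under their original class name.
function example_replace_serialized( string $data, string $from, string $to ): string {
    $value = @unserialize( $data, array( 'allowed_classes' => false ) );
    if ( $value === false && $data !== serialize( false ) ) {
        return str_replace( $from, $to, $data ); // not serialized: plain replace
    }
    return serialize( example_replace_recursive( $value, $from, $to ) );
}

function example_replace_recursive( $value, string $from, string $to ) {
    if ( is_string( $value ) ) {
        return str_replace( $from, $to, $value );
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            $value[ $k ] = example_replace_recursive( $v, $from, $to );
        }
    }
    return $value; // arrays (now rewritten), numbers, booleans, incomplete objects
}

echo example_replace_serialized( $untrusted, 'tmp', 'var' ), "\n";
printf( "after replace: __wakeup ran %d time(s)\n", ExampleGadget::$wakeups );
```

The third output line is the original string with `/tmp/constructed` unchanged (the object's properties are deliberately not rewritten), and the final line reports that `__wakeup` still ran zero times: the data went through a full read, transform and write cycle without any class from the installed code base being instantiated, which is exactly the property a POP chain needs and this option removes.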

What To Do In Response

Users of the Better Search Replace plugin are urged to update to the latest version immediately to protect their websites from unwanted activities.