Rank Math WordPress SEO Plugin Vulnerability Affects +2 Million Sites via @sejournal, @martinibuster

Rank Math SEO plugin, with over 2 million users, recently patched a Stored Cross-Site Scripting vulnerability that makes it possible for attackers to upload malicious scripts and launch attacks.

Rank Math SEO Plugin

Rank Math is a popular SEO plugin that’s installed on over 2 million websites. It has an incredible array of functions that range from keyword tracking, Schema.org structured data integration, Google Search Console and Analytics integration, a redirect manager and other features that make it unnecessary to use other plugins for technical or on-page SEO.

A popular feature that users appreciate is that it’s a modular plugin, which means users can choose which features they require and turn off those that they don’t, which can help make a website perform even faster.

Many turn to Rank Math as an alternative to Yoast. A comparison between the two shows that Rank Math is smaller (61.1k lines of code versus Yoast’s 97.1k lines) and uses fewer server resources (+0.35 MB of memory versus Yoast’s +1.62 MB).

Authenticated Stored Cross-Site Scripting

Wordfence WordPress security researchers published an advisory of a vulnerability in Rank Math SEO plugin that can lead to a stored Cross Site Scripting (XSS) vulnerability.

A stored XSS vulnerability allows an attacker to upload malicious scripts that attack visitors’ browsers, which can result in the theft of session cookies, enabling unauthorized website access and the compromise of sensitive data.

Insufficient Input Sanitization And Output Escaping

The vulnerability stems from insufficient input sanitization and output escaping. These are common causes of XSS vulnerabilities in areas of plugins that allow users to upload or input data.

Sanitizing input data means filtering out unwanted types of input, like scripts or HTML, where only text is expected. Output escaping encodes what the website outputs so that characters with special meaning in HTML are displayed as text rather than interpreted as markup, which stops malicious scripts from running in a visitor’s browser.

Wordfence warned:

“The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes.

This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Rank Math’s update changelog responsibly acknowledges what was changed in the plugin and the reason for the update. This transparency makes it possible for plugin users to understand the importance of a given update and to make an informed decision as to the urgency of the update.

The changelog identifies the patched vulnerability:

“Improved: Strengthened the security of the plugin’s HowTo Block to prevent potential exploitation by users with post edit access. Thanks to [WordFence](https://www.wordfence.com/) for revealing it responsibly”

Read the official Wordfence advisory:

Rank Math SEO with AI SEO Tools <= 1.0.214 – Authenticated(Contributor+) Stored Cross-Site Scripting via HowTo block attributes

Featured Image by Shutterstock/Roman Samborskyi

WordPress Astra Theme Vulnerability Affects +1 Million Sites via @sejournal, @martinibuster

One of the world’s most popular WordPress themes quietly patched a security vulnerability over the weekend that security researchers say appears to have fixed a stored XSS vulnerability.

The official Astra changelog offered this explanation of the security release:

“Enhanced Security: Our codebase has been strengthened to further protect your website.”

Their changelog, which documents the code changes included in every update, offers no information about what the vulnerability was or its severity. Theme users thus can’t make an informed decision as to whether to update their theme as soon as possible or to test first to ensure that the updated theme is compatible with the other plugins in use.

SEJ reached out to the Patchstack WordPress security company who verified that Astra may have patched a cross-site scripting vulnerability.

Brainstorm Force Astra WordPress Theme

Astra is one of the world’s most popular WordPress themes. It’s a free theme that’s relatively lightweight, easy to use and results in professional-looking websites. It even has Schema.org structured data integrated within it.

Cross-Site Scripting Vulnerability (XSS)

A cross-site scripting vulnerability is one of the most common types of vulnerabilities found on WordPress and generally arises within third-party plugins and themes. It occurs when there’s a way to input data but the plugin or theme doesn’t sufficiently filter what’s being input or output, which can subsequently allow an attacker to upload a malicious payload.

This particular vulnerability is called a stored XSS. A stored XSS is so called because the payload is uploaded to and stored on the website’s server.

The non-profit Open Worldwide Application Security Project (OWASP) website offers the following description of a stored XSS vulnerability:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.”

Patchstack Review Of Plugin

SEJ contacted Patchstack who promptly reviewed the changed files and identified a possible theme security issue in three WordPress functions. WordPress functions are code that can change how WordPress features behave such as changing how long an excerpt is. Functions can add customizations and introduce new features to a theme.

Patchstack explained their findings:

“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress.org repository and checked the differences.

It seems that several functions have had a change made to them to escape the return value from the WordPress function get_the_author.

This function prints the “display_name” property of a user, which could contain something malicious to end up with a cross-site scripting vulnerability if printed directly without using any output escaping function.

The following functions have had this change made to them:

astra_archive_page_info
astra_post_author_name
astra_post_author

If, for example, a contributor wrote a post and this contributor changes their display name to contain a malicious payload, this malicious payload will be executed when a visitor visits that page with their malicious display name.”

In the context of XSS vulnerabilities in WordPress, untrusted data enters wherever a user is able to input data.

WordPress addresses untrusted data with three processes: sanitization, validation, and escaping.

Sanitization is a process that filters input data. Validation is the process of checking what’s input to determine if it’s exactly what’s expected, like text instead of code. Escaping output makes sure that anything that’s output, such as user input or database content, is safe to display in the browser.

WordPress security company Patchstack identified changes to functions that escape data which in turn gives clues as to what the vulnerability is and how it was fixed.
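The following PHP is an added example, not code from the Astra theme, Rank Math, Patchstack or Wordfence. It illustrates both the Rank Math discussion of sanitization versus output escaping and the Patchstack description of the Astra change: a theme function that prints the return value of get_the_author() without escaping, beside the same function with esc_html() and esc_attr() applied. The `demo_*` function names and the sample display name are constructed for this example; the stand-in definitions of the WordPress functions are approximations used only so the file runs under plain `php` outside WordPress, where core supplies the real ones.

```php
<?php
// Added example: escaping a user-controlled display name at output time.
// Not Astra's or Rank Math's code; demo_* names and sample values are constructed.

// Stand-ins so this file runs outside WordPress. Inside WordPress these
// functions already exist and the blocks below are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    // Approximation of WordPress esc_html(): encode <, >, &, " and ' for an HTML text node.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Approximation of WordPress esc_attr(): same encoding, intended for attribute values.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Rough approximation of WordPress sanitize_text_field(): strip tags and surrounding whitespace.
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
}

// Constructed sample: a contributor's display name that carries markup.
// A real display_name comes from the users table; here it is hard-coded.
const DEMO_DISPLAY_NAME = 'Alice <script>alert("display_name")</script>';

if ( ! function_exists( 'get_the_author' ) ) {
    // Stand-in for get_the_author(), which returns the post author's display_name.
    function get_the_author() {
        return DEMO_DISPLAY_NAME;
    }
}

// Before: the pattern Patchstack describes. The display name reaches the page
// as-is, so any markup it contains is rendered by the visitor's browser.
function demo_author_name_unescaped() {
    return '<span class="author-name">' . get_the_author() . '</span>';
}

// After: escape for the HTML body context at the moment of output.
// The browser now shows the raw characters instead of executing them.
function demo_author_name_escaped() {
    return '<span class="author-name">' . esc_html( get_the_author() ) . '</span>';
}

// Context matters: inside an attribute use esc_attr(), in a text node use esc_html().
// esc_url() would be the right function for $url in real theme code.
function demo_author_link_escaped( $url ) {
    $name = get_the_author();
    return '<a href="' . $url . '" title="' . esc_attr( $name ) . '">' . esc_html( $name ) . '</a>';
}

// Input side, as defense in depth: sanitize the value when the profile is saved.
// This does not replace escaping on output; stored data may predate the sanitizer
// or arrive through another path, so both layers are kept.
function demo_save_display_name( $submitted ) {
    return sanitize_text_field( $submitted );
}

// Demonstration when run from the command line.
echo "Unescaped: " . demo_author_name_unescaped() . "\n";
echo "Escaped:   " . demo_author_name_escaped() . "\n";
echo "In link:   " . demo_author_link_escaped( 'https://example.com/author/alice/' ) . "\n";
echo "Sanitized on save: " . demo_save_display_name( DEMO_DISPLAY_NAME ) . "\n";
```

Running it with `php example.php` prints the first line with the `<script>` element intact, which is exactly what a browser would execute on the Astra author archive before 4.6.9 as Patchstack describes it, and the second line with `&lt;script&gt;` encoded. The escaping function is chosen by where the string lands in the markup, which is why the link example uses esc_attr() for the `title` attribute and esc_html() for the link text.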

Patchstack Security Advisory

It’s unknown whether a third party security researcher discovered the vulnerability or if Brainstorm, the makers of the Astra theme, discovered it themselves and patched it.

The official Patchstack advisory offered this information:

“An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Astra Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.9.”

Patchstack assessed the vulnerability as a medium threat and assigned it a score of 6.5 on a scale of 1 – 10.

Wordfence Security Advisory

Wordfence also just published a security advisory. They analyzed the Astra files and concluded:

“The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user’s display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

It’s generally recommended that users of the theme update their installation, but it’s also prudent to test that the updated theme doesn’t cause errors before pushing it to a live website.

Featured Image by Shutterstock/GB_Art

WordPress 6.5: The features you want to know about

It’s almost time for a new WordPress release! On the 26th of March, WordPress 6.5 will be released. Once again, the WordPress team, consisting of people from all over the world, has lots of new improvements in store for us. To get you excited, we already had a quick look at what features it will bring. So let’s see what we can expect and how you can use these changes to improve your own WordPress website when the release is out.

Introducing the Font Library

The upcoming release includes a new Font Library for the block editor. This library gives you more control over the typography you use throughout your pages. What’s cool about it is that it allows you to install and activate local fonts and Google Fonts on your website. By allowing us to add the fonts of our choice, regardless of the chosen theme, this library gives you more freedom when it comes to design. So make sure to give it a try now that you can manage your used fonts.

Use the Font Library to view your current fonts and upload new ones

New features in the block editor

There are loads of tweaks made to the block editor, so we’ll highlight a few cool ones here. First of all, WordPress 6.5 will make it possible to rename your blocks in the list view. Right now, this is already possible for your group blocks but the new release will allow you to rename individual blocks as well. Especially with longer pages or pages that consist of lots of different types of blocks, this can be very helpful in keeping an overview while you’re working on that page.

Image blocks with drop shadow effect in WordPress 6.5
Example of different drop shadow effects on two images

The upcoming release also brings us a few new design options. The drop shadow effect will be available for more blocks, such as the image block and columns. This helps you give a little bit more depth to your pages, make elements stand out and play with the design of your pages. Another design feature that’s coming our way is more control over the look of your cover blocks. You will be able to set aspect ratios and add color overlays that are based on colors in your chosen image, which helps you customize these cover blocks to fit the overall look and feel of your website.

Renewed overview of style revisions

Screenshot of Style revisions in WordPress 6.5
The style revisions overview

WordPress 6.5 comes with an improved style revisions overview that shows you more information about the changes made in each revision. Go to the editor and click Styles, where you’ll see an option to view past revisions. These are also accessible while you’re working on the design of your templates. The fun thing about this overview of revisions is that it’s a lot more visual than the revision overview you get when editing a page or post.

This overview is shown next to the page and it allows you to view past designs and even apply them again. Overall it feels easier to use and more efficient as it shows you the effect on the page right away. It’s good to know that this is only available for themes that use the block editor.

The Interactivity API

This release also comes with something called the Interactivity API. This feature provides developers with a framework to build interactive front-end experiences while using blocks. The idea is that interacting with these elements doesn’t come with a new page load, making them more interactive than regular pages. This framework is intended to simplify the process without having to use external tools. To give you an idea of what the Interactivity API can be used for, the WordPress team created a WP Movies demo website you can visit.

Improvements in performance and accessibility

The upcoming WordPress 6.5 includes loads of performance updates. One of the main things that comes out of this is a huge improvement in speed when using the Block Editor and Site Editor. In addition, translated websites will see a much quicker load time due to a new, lightweight library.

This new version of WordPress also comes with a bunch of accessibility improvements (more than 65, to be exact). To name a few changes, there have been fixes to contrast settings, positioning of elements and cursor focus, staying true to the WordPress promise of working towards a platform that is accessible for everyone. If you want to dive into the features of WordPress 6.5 a bit more, I would recommend going through their Field Guide to read up on all the changes in this release.


WordPress Site Builder Plugin Accused Of Adding A “Backdoor” via @sejournal, @martinibuster

A widely used add-on plugin for a popular WordPress site builder installed an anti-piracy script that essentially unpublishes all posts. WordPress developers are livid, with some calling the script malware, a backdoor, and a violation of laws.

BricksUltimate Add-On For Bricks Builder

Bricks site builder is a site building platform for WordPress that is wildly popular with web developers, who cite the intuitive user interface, the class-based CSS and the clean, high-performance HTML code it generates as features that elevate it above many other site builders. What sets this site builder apart is that it’s created for developers with advanced skills, which enables them to create virtually anything they want without having to fight against the built-in code produced by typical drag-and-drop site builders meant for non-developers.

A benefit of the Bricks site builder is that there’s a community of third-party plugin developers that extend the power of Bricks, making it faster to add more website features.

BricksUltimate Addon for Bricks Builder is a third-party plugin that makes it easy to add features like breadcrumbs, animated menus, accordion menus, star ratings and other interactive on-page elements.

It is this plugin that has stirred up controversy in the WordPress developer community by adding anti-piracy elements that many in the WordPress community consider a “very bad practice”, with others referring to it as “malware”.

BricksUltimate Anti-Piracy Measures

What is causing the controversy appears to be a script that checks for a valid license. It is unclear exactly what is installed, but according to a developer who examined the plugin code there appears to be a script installed that is designed to hide all posts across the entire website if it detects a pirated copy of the plugin (more about this below).

The developer of the plugin, Chinmoy Kumar Paul, downplayed the controversy, writing that people are “overreacting”.

An ongoing discussion in the Dynamic WordPress Facebook group about the BricksUltimate anti-piracy measure has over 60 posts, with the overwhelming majority of posts objecting to the anti-piracy script.

Typical reactions in that discussion:

“…hiding a backdoor that reads the client database, is itself a breach of trust and shows malicious intent on the developer’s part.”

“I simply refuse to support or recommend any developer who thinks they have the right to secretly add a malicious payload to a piece of software. And then, once confronted defends it and sees no wrong. Absolutely not acceptable and I’m glad the community has clubbed together stating that such an approach should not be tolerated…”

“…the fact the code is there is terrible. I would not let any plugin with that sort of back door on any site, let alone anyone doing it for a client site. That spoils the plugin for me fully!”

“This dude here and his company could be easily reported and exposed to the The General Data Protection Regulation Authority (GDPR) in any EU country for injecting an undeclared “monitor” code that has a non authorized access to DB’s and actually behaves like malware!!!!!! is just unbelievable! “

One of the developers in the Dynamic WordPress Facebook community reported their findings of what the anti-piracy script does.

They explained their findings:

“Me and my colleague have investigated this. Granted, we are not backend experts. Our findings are that the plugin has an encoded code that is not human-readable without decoding.

That code is an additional remote license check. If it fails, it seems to replace values in the wp->posts database, essentially making all posts from all post types unreadable to WordPress.
It doesn’t seem to delete them outright as first suspected, but it does appear as deleted on the frontend for any non-expert user.

This seems to be implemented in 1.5.3+ BU versions and as there aren’t any posts here about it from legit users, I tend to trust Chinmoy that it’s very unlikely to affect legit users.

Now, my colleague indeed had a pirated version of the plugin, but sadly, she wasn’t aware of it because it was purchased as a legitimate version from a third-party seller.”

Response From the BricksUltimate Developer:

The developer of the plugin, Chinmoy Kumar Paul, posted a response in the BricksUltimate Facebook group.

They wrote:

“Re: Some coders are bypassing the license API with some custom code. That time plugin is activating and it is smoothly working. My script is just tracking those sites and checking the license key. If not match, is deleted the data. But it is not the best solution. I was just testing.

Next time I shall improve it with other logic and tests.

People are just overreacting.

I am still searching for the best solution and updating the codes as per my report.

…A lot of unwanted users are submitting the issue via email and I am losing my time for them. So I am just trying to find the best option to avoid this kind of thing.”

Several BricksUltimate users defended the plugin developer’s attempt to fight back against users with pirated copies of the plugin. But for every post defending the developer there were others that expressed strong disapproval.

Developer Backtracks On Anti-Piracy Measure

The developer may have read the room and seen that the move was highly unpopular. They said they had reversed course on taking action.

They insisted:

“…I stated that I shall change the current approach with a better option. People do not understand the concept and spread the rumors here and there.”

Backdoors Can Lead To Fines And Prison

Wordfence recently published an article about backdoors that developers leave in order to intentionally interfere with or damage the websites of publishers who owe them money.

In a post titled PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time, they wrote:

“One of the biggest reasons a web developer may be tempted to include a hardcoded backdoor is to ensure their work is not used without payment.

…What should be obvious is that intentionally damaging a website is a violation of laws in many countries, and could lead to fines or even jail time. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) clearly defines illegal use of computer systems. According to 18 U.S.C. § 1030 (e)(8), simply accessing computer systems in a way that uses higher privileges or access levels than permitted is a violation of the law. Further, intentionally damaging the system or data is also a crime. The penalty for violating the CFAA can include sentences 10 years or more in prison, in addition to large financial penalties.”

Fighting piracy is a legitimate issue. But it’s a little more difficult in the WordPress community because WordPress licensing specifies that everything created with WordPress must be released with an open source license.

Featured Image by Shutterstock/Dikushin Dmitry

WordPress Announces Bluehost Managed Cloud Hosting via @sejournal, @martinibuster

WordPress.com and Bluehost announced a new managed WordPress cloud hosting solution that offers optimized WordPress performance features unavailable in traditional shared, VPS and dedicated hosting environments. The new managed WordPress cloud service handles virtually all of the technical details of maintaining a fast and secure website with 100% uptime.

Managed WordPress Hosting

Managed WordPress hosting is a type of hosting that is optimized for WordPress websites, with built-in security and tools for small businesses, developers and agencies.

What’s different about the new Bluehost and WordPress.com hosting is that it brings all of the managed WordPress optimizations to a cloud hosted platform which brings a higher level of performance and scaling that exceeds traditional shared, VPS and dedicated hosting environments.

Managed WordPress Cloud Hosting

The new cloud hosting infrastructure offers built-in security, DDoS protection, a CDN and scaling that virtually assures the site will always be available at the fastest speeds possible.

Managed cloud hosting is basically hosting on a network of servers at a datacenter and can be as large as a global network of datacenters, which offers benefits not available in other hosting environments.

A shared hosting environment is one server that hosts thousands of websites. Shared hosting is cheaper, but its performance levels are generally the lowest.

A Virtual Private Server (VPS) is generally a hosting environment that operates like a dedicated server that is shared with a limited number of other virtual servers on one machine. These offer a high level of performance but they don’t offer the benefits of managed WordPress hosting because it falls on the hosting subscriber to DIY the security and other requirements of hosting.

A dedicated server is one machine that is under control of one publisher. The word “control” is the key to dedicated hosting because a dedicated server offers complete control over the server. It takes technical knowledge to run a dedicated server but delivers incredibly fast and responsive websites.

The cloud hosting environment offers hosting across multiple machines in a datacenter, which is essentially why it’s called a cloud. Unlike other cloud providers, the Bluehost managed WordPress cloud environment is based on a global infrastructure.

According to Bluehost:

“Bluehost Cloud is built and supported by top-tier WordPress experts and powered by a redundant global server infrastructure.

… This platform is built on a scalable, multi-regional fault-tolerant infrastructure, ensuring 100% network uptime and allowing for seamless scaling according to traffic demands.”

Who Bluehost WordPress Managed Cloud Is For

The Bluehost WordPress Cloud hosting environment is meant for publishers and stores that are serious about their business and demand dependable uptime, the highest levels of performance and thoroughly locked down security.

Prices start at $79.99/month and go up to $299/month (early access prices are up to 56% off). The difference between each plan is the number of virtual central processing units (vCPU) and the amount of SSD storage space allocated. The lowest tier of cloud hosting is perfect for one site, and the higher-priced versions are optimized for hosting multiple sites or one site with a lot of traffic.

Read the announcement on Bluehost.com

Unmatched power, speed, & control with WordPress cloud hosting

Read the announcement at WordPress.com:

WP Cloud Is Powering the Future of WordPress

Featured Image by Shutterstock/file404

WordPress Site Builder Closes – Devs Forced To Rebuild Client Sites via @sejournal, @martinibuster

The Cwicly WordPress website builder toolkit announced that they are shutting down by the end of the year and refunding all 2024 clients. The decision forced developers to halt current projects and begin the process of migrating client websites to other WordPress site builder platforms.

It is an unexpected end to what was regarded as an innovative product, a promising toolkit for creating high-performance websites on top of the native Gutenberg full site editor, though it also drew some criticism.

An email sent by Cwicly to their customers was republished in the Dynamic WordPress Facebook Group.

The email says in part:

“After much deliberation and soul-searching, I have made the difficult decision to discontinue the development of the Cwicly plugin. This decision has been deeply influenced by recent events that have profoundly affected both me personally and the team.

Unfortunately, the relentless onslaught of destructive posts and comments by certain WordPress influencers has created an atmosphere that has made it increasingly challenging for us to continue with our vision for Cwicly.

Since the launch of Cwicly, not only have we had to build our product but have suffered the constant undermining of our choice to embrace the WordPress vision in Gutenberg. In addition, personal attacks on both myself and team members have been made and openly tolerated throughout.

The negativity and hostility directed towards Cwicly, especially in comparison to other page builders, have taken a significant toll on our morale and motivation.”

Brenda Malone (LinkedIn), a freelance web developer and search marketing expert, commented that this might create a chill in new web development tools if the Cwicly event causes developers to lose trust in new companies and stick with the current trusted ones.

She said:

“It is setting a bad precedent–who will trust small software development shops again?

This is awful for the developers who will have to rebuild client sites. What a mess, indeed.”

Cwicly And Gutenberg

Unlike other platforms, Cwicly was built to work with Gutenberg, adding developer-friendly options that extended what was possible using just the Gutenberg full site editor.

One of the innovations that helped to create a buzz around Cwicly was the integration of Tailwind, an open source CSS framework that helps speed up site development. But the Tailwind integration was also a source of criticism because it was a partial implementation that was planned to roll out in stages with more features planned for the near future.

A quality that many loved about Cwicly is that it’s basically a blank slate that can be developed upon without the burden of having to deal with the extra code imposed by some page builders. That same plus was also seen by others as negative because it was perceived by some to present an additional hurdle to creating a website fast.

It could be seen, then, that for every step forward there was also the perception of another step back. Despite the developer-friendly innovations that helped create a buzz around Cwicly, there was also a sense that it wasn’t fully finished, and for whatever reason it just didn’t catch on as quickly as other professional page builders like Bricks Builder and Breakdance.

David McCan, an early supporter of Cwicly who regarded it as “cutting edge” recently wrote an article discussing a peculiar reticence in the developer community to commit to Cwicly.

He wrote:

“With that long list of amazing features, why isn’t Cwicly more popular? Why aren’t more people using it? Why is it still something that a lot of people are watching, but they haven’t committed to? This paradox is what I’m calling the Cwicly Conundrum. People are interested in Cwicly and watching it, but they haven’t necessarily fully embraced it.”

What WordPress Developers Are Saying

Adam J. Humphreys (LinkedIn) of web development and SEO company Making 8 suggested possible next steps.

He commented to SEJ:

“I recommend users switch over to Bricks Builder asap to avoid further security escalations.

Bricks builder embraces both extra features for purists and a simple interface for new users. It’s something one can build a design career around. That’s why Bricks has picked up so much momentum. The community surrounding software is what makes all the difference. Keeping the community involved and integrated is what makes a platform strong.”

Reaction On Reddit

The reaction on Reddit was polarized with some expressing a certain amount of understanding while others felt it was a bad move.

One Redditor wrote:

“As a current paying member, a few minutes ago I got an email from Louis mentioning the discontinuation of Cwicly due to the hostility of some WordPress influencers and constant criticism.

Now, this has put me, and I imagine many others, in a very precarious situation. I’m halfway through rebuilding our 5 websites that were going to launch this month. Obviously I’m not going to do that now, since I’d have to redo them in a few months when Cwicly stops working altogether.”

Another Redditor responded:

“We are leaving with your money because some random people said they did not like us. What a lame excuse to scam buyers….”

Others were more sympathetic, pointing out that Cwicly was refunding all fees paid by users in 2024. Others expressed their disappointment at having purchased a license for Cwicly with the expectation that it would be around, and now being forced to redo websites built with it. Once development stops there will be no more updates to keep it compatible with future upgrades to PHP and the WordPress core, including security updates. That means any site still using Cwicly in the future may stop functioning as the WordPress core evolves to take advantage of new PHP versions, not to mention the inability to upgrade to newer versions of WordPress because of inevitable incompatibilities.

Sunsetting Of Cwicly

The sunsetting of Cwicly by the end of 2024 illustrates the challenges of innovating a product, particularly in a marketplace that has many active competitors with full-featured products. Any shortcomings are bound to be noticed and amplified by social media, which in this case had a demoralizing effect.

Featured image by Shutterstock/photosince

Bricks Builder For WordPress RCE Vulnerability via @sejournal, @martinibuster

Bricks Visual Site Builder for WordPress recently patched a critical severity vulnerability rated 9.8/10 which is actively being exploited right now.

Bricks Builder

Bricks Builder is a popular WordPress development theme that makes it easy to create attractive and fast-performing websites in hours that would cost up to $20,000 of development time to build from scratch without it. Ease of use and developer components for CSS have made it a popular choice for developers.

Unauthenticated RCE Vulnerability

Bricks Builder is affected by a remote code execution (RCE) vulnerability. It’s rated 9.8/10 on the Common Vulnerability Scoring System (CVSS), which is nearly the highest level.

What makes this vulnerability particularly bad is that it’s an unauthenticated vulnerability, which means that a hacker doesn’t need to obtain credentials to exploit it. Any hacker who knows of the vulnerability can exploit it, which in this case means an attacker can execute code.

Wordfence describes what can happen:

“This makes it possible for unauthenticated attackers to execute code on the server.”

The details of the vulnerability have not been officially published.

According to the official Bricks Builder changelog:

“We just released a mandatory security update with Bricks 1.9.6.1.

A leading security expert in the WordPress space just brought this vulnerability to our attention, and we instantly got to work, providing you now with a verified patch.

As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed.

We advise you to update all your Bricks sites immediately.”

Vulnerability Is Being Actively Exploited

According to Adam J. Humphreys (LinkedIn), founder of the web development company Making 8, the vulnerability is actively being exploited. The Bricks Builder Facebook community is said to be responding to affected users with information on how to recover from the vulnerability.

Adam J. Humphreys commented to SEJ:

“Everyone is getting hit bad. People on hosts without good security got exploited. A lot of people are dealing with it now. It’s a bloodbath and it’s the number one rated builder.

I have strong security. I’m so glad that I’m very protective of clients. It all seemed overkill until this.

People on hosts without good security got exploited.

SiteGround when installed has WordPress security. They also have a CDN and easy migrations with their plugin. I’ve found their support more responsive than the most expensive hosts. The WordPress security plugin at SiteGround is good but I also combine this with Wordfence because protection never hurts.”

Recommendations:

All Bricks Builder users are encouraged to update to the latest version, 1.9.6.1.

The Bricks Builder changelog announcement advises:

“Update Now: Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The earlier, the better.

Backup Caution: If you use website backups, remember they may include an older, vulnerable version of Bricks. Restoring from these backups can reintroduce the vulnerability. Please update your backups with the secure 1.9.6.1 version.”

This is a developing event; more information will be added when known.

WordPress User Survey Indicates Rising Frustration via @sejournal, @martinibuster

WordPress released the results of their annual user and developer survey which showed mixed feelings about the direction the software is going and an increasing sense of not being welcome in the overall WordPress community.

The Gutenberg Editor

Gutenberg is the modernized version of the default site editor, which brings the paradigm of a visual editor to the WordPress core.

Third party visual WordPress editors have revolutionized the process of building websites with WordPress, making it relatively easy to create websites with intuitive interfaces.

That was the goal behind Gutenberg, which introduced the full site editor in 2022. The WordPress core development team have spent the last two years making incremental improvements to the user interface to make it more intuitive as well as adding more features.

What was reflected in the 2023 annual survey, especially in contrast to the previous year, is a sense that users are feeling less confident in Gutenberg, even though more publishers are using Gutenberg now than at any other time.

Which Editor Do You Use?

Question nine tracks the percentage of users adopting Gutenberg, showing a steady increase of users from 37% in 2020 to 60% in 2023.

But according to the answers to question 10, which asks whether WordPress meets their needs, 29% disagreed that WordPress meets their needs and less than half of users (45%) agreed that it does. A full 26% of respondents answered that they were neutral.

Those results mean that 55% of WordPress users did not answer that WordPress meets their needs. This was the first year the question was asked so there’s no data to show whether that’s an increase or a decrease but it’s still an underwhelming result.

Fewer Users Believe WordPress Is As Good As Others

Question #19 asked if WordPress was as good as or better than other site builders and content management systems.

In 2022 68% of users agreed that WordPress was as good as or better. That number dropped to 63% in 2023.

The number of users who disagreed that WordPress is as good as or better increased from 9% in 2022 to 13% in 2023 and the number of people who were neutral increased by 1% to 24% of respondents.

That means that in 2023, 37% of WordPress users responding to the survey did not agree with the statement that WordPress is as good as or better, an increase of five percentage points from the previous year.

Clearly the results about how users feel about Gutenberg and WordPress in general indicate that users are losing confidence in WordPress.

That response must surely be a disappointment to the core development team, because the 2023 version of Gutenberg is actually more intuitive to use than it has ever been, and WordPress performance scores are also at all-time highs.

So what’s going on? Why are user satisfaction signals trending downward?

Why User Satisfaction Is Trending Downward

A clue as to why user happiness and confidence in WordPress is trending downward may have something to do with users looking over the fence at the Wix and Duda platforms that boast significantly better performance scores and are also easier to build websites with.

On the other side of the fence are third-party website builders (like Bricks Builder, Breakdance Website Builder, and Elementor) and WordPress hosts (Bluehost) that offer an arguably superior website building experience for developers who need advanced flexibility and for users who don’t know how to code.

Perhaps a clue to why user satisfaction is dropping can be found in the answers to question 20, which asks what the three best things about WordPress are.

The biggest declines were for:

  1. Ease of use
  2. Flexibility
  3. Cost
  4. Block themes

Ease Of Use

In 2022, 32% of users cited Ease Of Use as one of the three best things about WordPress. In 2023 that number dropped to 21.7%.

Flexibility

Flexibility was cited by 31% in 2022, but by 2023 that figure dropped to 18.5%.

Cost

In 2022, 37% of users cited Cost as one of the best things, but by 2023 that number collapsed to 17%.

Block Themes

The share of users citing Block Themes as one of the three best things went from 10% to only 5.3% in 2023.

Users aren’t feeling it for WordPress, and that lack of “feels” is reflected in the market share statistics reported by W3Techs, which indicate a two-year downward trend in market share.

Market share was 43.3% in 2022 (a figure cited in an article by Joost de Valk); according to W3Techs it dropped to 43.2% in February 2023 and from there dropped further to 43.1% in February 2024.

Wix usage increased from 2.5% in February 2023 to 2.6% in 2024. Shopify went from 3.8% in 2023 to 4.3% in 2023.

Joost de Valk, co-founder of Yoast SEO, sounded the alarm back in 2022 when he noted that WordPress market share was shrinking, pointing to the slow pace of performance improvements and the difficulty of using WordPress as two major reasons for the shrinking market share.

The article written by Joost explained:

“WordPress has a performance team now, and it has made some progress. But the reality is that it hasn’t really made big strides yet… I think WordPress, for the first time in a decade, is being out-‘innovated’.”

What Frustrates WordPress Users

Another clue as to why WordPress users are increasingly expressing dissatisfaction is what frustrates them most about WordPress, noted in question 21, where survey respondents were asked to choose the three most frustrating things.

The answer of “too many plugins (finding the right one)” experienced a whopping 133% change, with 8% citing too many plugins in 2022 and 18.6% in 2023.

Site editing experience (17%), security (16.4%), and performance (16.2%) were top sources of frustration with WordPress.

One bright spot is that the number of respondents who were frustrated because site editing is difficult to learn dropped from 26% in 2022 to 15% in 2023.

Those answers were echoed in question 25 that asked which three areas of WordPress need more attention.

Here are the top five areas users say need more attention:

  1. Performance 19%
  2. Security 18%
  3. Developer resources (examples, demos, docs, tutorials, etc.) 16%
  4. Design/UI 14%
  5. Core functionality/stability 13%

The Future Of WordPress

WordPress was at a crossroads two years ago with regard to site performance, and they took steps to address those problems. But their competitors are “out-innovating” them by improving at a faster pace, not just in site speed but in ease of use, SEO and features.

The results of this survey provide clear direction to the WordPress community who have a history of being responsive to user needs. Part of the solution is acknowledging search marketing, affiliate and publishing communities who are influential but not recognized in the annual surveys.

When I saw the survey last year I offered the core development team feedback about question number five which asked how respondents used WordPress.

These were the choices:

  • A personal or passion project
  • A service offering for my clients
  • A platform for running my business
  • A website for my employer or place of work
  • School or academics or research
  • None of the above

What was missing were the categories of content publishing, affiliate marketing, recipe bloggers and local businesses.

Lumping WordPress users like Disney together with family-run restaurants and recipe bloggers into the category of a “platform for running my business” is unhelpful and provides little actionable insight. That oversight feeds into the perception that WordPress is aloof to the millions of users that the survey seeks to understand.

The good news is that WordPress is not aloof. The survey provides feedback on how the publishing community feels. My email conversations with members of the core development team make it clear to me that they are keen to embrace all their users as part of the greater WordPress community.

Read the summary of the WordPress survey:

2023 Annual Survey Results and Next Steps

Download the PDF version with more details:

Report for 2023 WordPress Annual Survey

Featured Image by Shutterstock/Krakenimages.com

WordPress SiteOrigin Widgets Bundle Plugin Vulnerability Affects +600,000 Sites via @sejournal, @martinibuster

SiteOrigin Widgets Bundle WordPress plugin with over 600,000 installations patched an authenticated stored cross-site scripting (XSS) vulnerability that could allow attackers to upload arbitrary files and expose site visitors to malicious scripts.

SiteOrigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin, with +600,000 active installations, provides an easy way to add a multitude of widget functions, such as sliders, carousels, maps, alternative layouts for blog posts, and other useful webpage elements.

Stored Cross-Site Scripting Vulnerability

A Cross-Site Scripting (XSS) vulnerability is a flaw that allows a hacker to inject (upload) malicious scripts. In WordPress plugins, these kinds of vulnerabilities arise when input data is not properly sanitized (filtered for untrusted content) and when output data is not properly secured (called escaping data).

This particular XSS vulnerability is called a Stored XSS because the attacker is able to inject the malicious code into the server, where it persists. According to the non-profit Open Worldwide Application Security Project (OWASP), the ability to launch an attack directly from the website makes it particularly concerning.

OWASP describes the stored XSS threat:

“This type of exploit, known as Stored XSS, is particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the attack will affect multiple users.”

In an XSS attack, where a script has successfully been injected, the attacker’s harmful script is delivered to an unsuspecting site visitor. The user’s browser, because it trusts the website, executes the script. This can allow the attacker to access cookies, session tokens, and other sensitive website data.

Vulnerability Description

The vulnerability arose because of flaws in sanitizing inputs and escaping data.

The WordPress developer page for security explains sanitization:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

Escaping data in a WordPress plugin is a security function that encodes data for the context it is output in (an HTML attribute, HTML body text, a URL), so that untrusted values are rendered as text rather than interpreted as markup or script.

Both of those functions needed improvement in the SiteOrigin Widgets Bundle plugin.

Wordfence described the vulnerability:

“The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the onclick parameter in all versions up to, and including, 1.58.3 due to insufficient input sanitization and output escaping.”

This vulnerability requires authentication before it can be exploited, which means the attacker needs at least Contributor-level access in order to launch an attack.
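As an added illustration of the sanitize-on-input, escape-on-output split described above and of an attribute like the onclick parameter named in the advisory, here is a hypothetical widget rendering written for this article (example code, not SiteOrigin’s or Wordfence’s; the widget, its option names and the stand-alone fallback helpers are assumptions, and inside WordPress the real `sanitize_text_field()`, `esc_attr()` and `esc_html()` are used instead):

```php
<?php
// Added example (not SiteOrigin's code): a hypothetical button widget whose
// settings a Contributor can edit. Shows the unsafe pattern the advisory
// describes (a stored value rendered into an event-handler attribute without
// sanitization or escaping) next to a hardened save-and-render path.

// Stand-alone fallbacks so this file runs outside WordPress. They approximate
// the real helpers; WordPress' own versions take precedence when loaded.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
}

// Constructed input: what an untrusted author could type into the widget form.
$untrusted = array(
    'label'   => 'Click me" onmouseover="alert(1)',
    'onclick' => 'alert(1)',
);

// Unsafe: stored values are concatenated straight into markup. The label can
// close the attribute and open a new one, and a user-controlled JS handler is
// emitted at all. This is the shape of bug "insufficient input sanitization
// and output escaping" refers to.
function render_button_unsafe( array $opts ) {
    return '<button onclick="' . $opts['onclick'] . '">' . $opts['label'] . '</button>';
}

// Hardened, step 1 (on save): sanitize each field to the type it should be.
// An event-handler attribute is script by definition, so the only safe value
// for an untrusted setting is none; offer a fixed allowlist of actions instead,
// and let the theme's own script read data-action and decide what to do.
function sanitize_button_options( array $raw ) {
    $allowed_actions = array( 'none', 'scroll-top' );
    $action = isset( $raw['action'] ) ? (string) $raw['action'] : 'none';
    return array(
        'label'  => sanitize_text_field( isset( $raw['label'] ) ? $raw['label'] : '' ),
        'action' => in_array( $action, $allowed_actions, true ) ? $action : 'none',
    );
    // Note: an 'onclick' key in $raw is simply dropped; it never reaches storage.
}

// Hardened, step 2 (on output): escape every value for the context it lands in,
// esc_attr() inside the attribute and esc_html() in the element body.
function render_button_safe( array $opts ) {
    $clean = sanitize_button_options( $opts );
    return '<button data-action="' . esc_attr( $clean['action'] ) . '">'
         . esc_html( $clean['label'] ) . '</button>';
}

echo render_button_unsafe( $untrusted ), PHP_EOL;
echo render_button_safe( $untrusted ), PHP_EOL;
```

Running the file prints the two renderings side by side; in the hardened output the quotes in the label are encoded and no handler attribute exists, so the browser treats the whole value as text.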

Recommended action:

The vulnerability was assigned a medium CVSS severity level, scoring 6.4/10. Plugin users should consider updating to the latest version, which is version 1.58.5, although the vulnerability was patched in version 1.58.4.

Read the Wordfence vulnerability advisory:

SiteOrigin Widgets Bundle <= 1.58.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

WordPress Backup Plugin DoS Vulnerability Affects +200,000 Sites via @sejournal, @martinibuster

A popular WordPress backup plugin installed in over 200,000 websites recently patched a high severity vulnerability that could lead to a denial of service attack. Wordfence assigned a CVSS severity level rating of High, with a score of 7.5/10, indicating that plugin users should take note and update their plugin.

Backuply Plugin

The vulnerability affects the Backuply WordPress backup plugin. Creating backups is a necessary function for every website, not just WordPress sites, because backups let publishers roll back to a previous version should the server fail catastrophically and lose data.

Website backups are invaluable for site migrations, hacking recovery and failed updates that render a website non-functional.

Backuply is an especially useful plugin because it backs up data to multiple trusted third-party cloud services and supports multiple ways to download local copies, creating redundant backups so that if a cloud backup is bad the site can be recovered from another backup stored locally.

According to Backuply:

“Backuply comes with Local Backups and Secure Cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy One-click restoration.”

Vulnerability Affecting Backuply

The U.S. government’s National Vulnerability Database warns that Backuply up to and including version 1.2.5 contains a flaw that can lead to denial of service attacks.

The warning explains:

“This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.”

Denial Of Service (DoS) Attack

A denial of service (DoS) attack is one in which a flaw in software allows an attacker to make so many rapid requests that the server runs out of resources and can no longer process any further requests, including serving webpages to site visitors.

A feature of DoS attacks is that it is sometimes possible to upload scripts, HTML or other code that can then be executed, allowing the attacker to perform virtually any action.

Vulnerabilities that enable DoS attacks are considered critical, and steps to mitigate them should be taken as soon as possible.
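The advisory describes the pattern to watch for: many rapid unauthenticated requests to one directly reachable plugin file. As an added, defender-side example written for this article (not Backuply’s or Wordfence’s code), the script below scans web-server access log lines for bursts of requests to that file; the log lines are constructed, and the threshold and window are assumptions to be tuned to a site’s normal traffic.

```php
<?php
// Added example (not Backuply's or Wordfence's code): flag source IPs that hit
// the plugin file named in the advisory many times within a short window.

const TARGET_PATH = '/wp-content/plugins/backuply/restore_ins.php';

// Constructed sample lines in combined log format (Apache/nginx default).
$sample_log = <<<'LOG'
203.0.113.7 - - [08/Feb/2024:10:00:01 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [08/Feb/2024:10:00:01 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [08/Feb/2024:10:00:02 +0000] "GET /wp-content/plugins/backuply/restore_ins.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [08/Feb/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2024:10:00:03 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [08/Feb/2024:10:05:00 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into ['ip', 'ts', 'path'], or null if it
// does not match. The query string is dropped so ?x=1 variants still match.
function parse_access_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array( 'ip' => $m[1], 'ts' => $ts->getTimestamp(), 'path' => strtok( $m[3], '?' ) );
}

// Return [ip => total hits] for every source that requested TARGET_PATH more
// than $threshold times inside any sliding window of $window_sec seconds.
function find_bursts( string $log, int $threshold = 3, int $window_sec = 10 ): array {
    $by_ip = array();
    foreach ( explode( "\n", $log ) as $line ) {
        $rec = parse_access_line( trim( $line ) );
        if ( $rec && $rec['path'] === TARGET_PATH ) {
            $by_ip[ $rec['ip'] ][] = $rec['ts'];
        }
    }
    $flagged = array();
    foreach ( $by_ip as $ip => $times ) {
        sort( $times );
        $start = 0; // left edge of the sliding window over sorted timestamps
        foreach ( $times as $i => $t ) {
            while ( $t - $times[ $start ] > $window_sec ) {
                $start++;
            }
            if ( $i - $start + 1 > $threshold ) {
                $flagged[ $ip ] = count( $times );
                break;
            }
        }
    }
    return $flagged;
}

print_r( find_bursts( $sample_log ) );
```

A single legitimate visit to the file, like the second address in the sample, stays below the threshold; only the source that repeats the request within seconds is reported.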

Backuply Changelog Documentation

The official Backuply changelog, which announces the details of every update, notes that a fix was implemented in version 1.2.6. Backuply’s transparency and rapid response are responsible and a sign of a trustworthy developer.

According to the Changelog:

“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] In some cases it was possible to fill up the logs and has been fixed. Reported by Villu Orav (WordFence)”

Recommendations

In general it is highly recommended that all users of the Backuply plugin update their plugin as soon as possible in order to prevent an unwanted security event.

Read the National Vulnerability Database description of the vulnerability:

CVE-2024-0842

Read the Wordfence Backuply vulnerability report:

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

Featured Image by Shutterstock/Doppelganger4