WordPress Google Fonts Plugin Vulnerability Affects Up To +300,000 Users via @sejournal, @martinibuster

A vulnerability rated as High was recently patched in a Google Fonts optimization plugin for WordPress, allowing attackers to delete entire directories and upload malicious scripts.

OMGF | GDPR/DSGVO Compliant WordPress Plugin

The plugin, OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy., optimizes the use of Google Fonts to reduce page speed impact and is also GDPR compliant, making it valuable for users in the European Union looking to implement Google Fonts.

Screenshot of Wordfence Vulnerability Rating

Vulnerability

The vulnerability is particularly concerning because it can be exploited by unauthenticated attackers. “Unauthenticated” means that the attacker does not need an account on the website or credentials of any level.

The vulnerability is described as enabling unauthenticated directory deletion and allowing the upload of Cross-Site Scripting (XSS) payloads.

Cross-Site Scripting (XSS) is a type of attack in which a malicious script is placed on the website server and then served to visitors, so that it runs in the browser of anyone who views the affected page. A script running this way can read the visitor’s cookies or session information, letting the attacker act on the site with that visitor’s privilege level.

The cause of the vulnerability, as identified by Wordfence researchers, is a missing capability check: code that verifies the current user holds the permission required for a specific plugin feature, in this case an admin-level one, before that feature runs.

An official WordPress developer page for plugin makers says this about capability checking:

“User capabilities are the specific permissions that you assign to each user or to a User role.

For example, Administrators have the “manage_options” capability which allows them to view, edit and save options for the website. Editors on the other hand lack this capability which will prevent them from interacting with options.

These capabilities are then checked at various points within the Admin. Depending on the capabilities assigned to a role; menus, functionality, and other aspects of the WordPress experience may be added or removed.

As you build a plugin, make sure to run your code only when the current user has the necessary capabilities.”

Wordfence describes the cause of the vulnerability:

“…is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9.”

Wordfence also states that previous updates attempted to close the security gap but considers version 5.7.10 to be the most secure version of the plugin.
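The shape of the defect Wordfence describes, and of its fix, as an added example that is not OMGF’s code. It uses a hypothetical plugin (function names and the `sej_example_cache_dir` option are made up for the illustration) whose settings handler is hooked on `admin_init`, the same hook named in the advisory. `admin_init` also fires for requests to `wp-admin/admin-ajax.php`, which logged-out visitors can reach, which is why a handler on that hook without a capability check amounts to an unauthenticated endpoint.

```php
<?php
/*
 * Added example, not OMGF's code: a hypothetical plugin settings handler hooked on
 * admin_init. admin_init also fires for requests to wp-admin/admin-ajax.php, which
 * logged-out visitors can reach, so a handler on this hook that acts on request data
 * without a capability check is effectively an unauthenticated endpoint.
 */

// Vulnerable shape: saves whatever arrives, for whoever sends it.
function sej_example_update_settings_vulnerable() {
    if ( isset( $_POST['sej_example_cache_dir'] ) ) {
        update_option( 'sej_example_cache_dir', wp_unslash( $_POST['sej_example_cache_dir'] ) );
    }
}

// Hardened shape: capability check, then nonce check, then sanitize and constrain.
function sej_example_update_settings() {
    if ( ! isset( $_POST['sej_example_cache_dir'] ) ) {
        return; // not this plugin's form submission
    }
    // 1. Who is asking? manage_options is the capability administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'sej-example' ), 403 );
    }
    // 2. Did the request come from the plugin's own form? The form emits the nonce with
    //    wp_nonce_field( 'sej_example_save', 'sej_example_nonce' ); check_admin_referer()
    //    dies if it is missing or invalid.
    check_admin_referer( 'sej_example_save', 'sej_example_nonce' );

    // 3. Sanitize, then constrain to a relative path with no traversal components.
    $dir = sanitize_text_field( wp_unslash( $_POST['sej_example_cache_dir'] ) );
    $dir = trim( $dir, "/ \t\n\r" );
    if ( '' === $dir || false !== strpos( $dir, '..' ) ) {
        wp_die( esc_html__( 'Invalid directory.', 'sej-example' ), 400 );
    }
    update_option( 'sej_example_cache_dir', $dir );
}
add_action( 'admin_init', 'sej_example_update_settings' );
```

The capability check answers “is this user allowed to do this at all”; the nonce check answers “did this user actually submit the plugin’s form”. Both are needed, and the advisory’s finding is that the first one was absent, so request data could be acted on regardless of who sent it.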

Read the Wordfence vulnerability warning:

OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

WordPress Migration Guides Undermining Divi, Elementor And Wix? via @sejournal, @martinibuster

WordPress is creating guides and tools to help publishers migrate to their block based editor Gutenberg and away from commercial WordPress page builders and private closed source content management systems like Wix.

While it’s understandable that WordPress might want to help publishers and businesses migrate away from Wix, some perceive it as a somewhat controversial move to create a guide to undermine software publishers who are a part of the WordPress ecosystem itself.

WordPress Page Builders

The mission for WordPress has always been to make it easy for publishers and business people to easily create beautiful websites. But that goal has eluded WordPress for years.

Software developers like Elegant Themes (makers of the Divi page builder) and Elementor created point-and-click solutions that enabled users to build webpage templates visually, using an interface that made creating webpages as simple as drawing.

Page builders enabled users to drag and drop text boxes, forms and images in order to create the site visually. These elements can be moved around a page, resized and colored with just a few mouse clicks within an easy to use intuitive interface.

Then WordPress released their Gutenberg Full Site Editor that essentially replicated the visual block-based page builder experience.

Users continued using page builders because Gutenberg initially fell short of the more polished user interfaces of commercial page builders.

But it was only a matter of time before WordPress caught up and that day is just about here as WordPress continues to iteratively make Gutenberg increasingly easy to use.

That’s created an impression with developers that commercial page builders like Divi and Elementor will eventually lose their relevance in the WordPress ecosystem once Gutenberg reaches parity with them.

WordPress appears to be hastening the end of page builders by creating guides and tools for helping users migrate away from commercial page builders so that users can more easily transition to the Gutenberg full site editor.

Data Liberation Project

WordPress is developing a series of guides and tools to help users migrate to the now mature Gutenberg site builder. It’s not perfect but it’s functional and relatively easy to use.

The future of creating webpages appears to increasingly resemble one in which Gutenberg becomes the default method and the new Data Liberation project seeks to make that day come sooner.

WordPress describes the project:

“This project imagines a more open web where users can seamlessly switch between platforms of their choosing, eradicating the concept of being locked into a system and keeping openness at the forefront.

Moving to and within WordPress should be a one-click easy process as much as possible whether moving from social networks, moving from a page builder to core blocks, or shifting from the classic editor to the block editor.

Rather than each person or organization needing to figure out a migration pathway, the WordPress community is coming together to provide scripts, plugins, and guides for us all to use to bring folks to WordPress.”

A post by the admin of the Dynamic WordPress Facebook Group offered this opinion:

“The “data-liberation” initiative is apparently preparing guides on how to move from various page builders to core Gutenberg.

If Elementor wrote a guide on how to move from core Gutenberg to Elementor, people would likely call foul.”

Some of the members of the group did not see this as problematic and welcomed the migration guides as something useful.

The official WordPress Data Liberation page contains the following guides:

  • Squarespace to WordPress
  • Tumblr to WordPress
  • HTML to WordPress
  • RSS to WordPress
  • Wix to WordPress
  • Drupal to WordPress
  • Blogger to WordPress
  • WordPress Site to Another WordPress Site

The official GitHub page for the guides contains the following migration tools:

  • Figma to Blocks
  • Divi to Blocks
  • Classic Editor to Blocks

The official GitHub page contains the following additional migration guides currently under development:

  • avada-to-core-blocks.md
  • contentful-to-wordpress.md
  • divi-to-core-blocks.md
  • elementor-to-core-blocks.md
  • kadence-to-core-blocks.md
  • wpbakery-to-core-blocks.md

Is it right for WordPress to make it easier for users to migrate away from commercial page builders? In some sense it’s always seemed to be inevitable that Gutenberg would challenge and eventually replace commercial solutions.

Page builders have not done much to innovate beyond the simple drag and drop innovation. But some builders like Breakdance continue to publish useful tools for developers to create beautiful and fast performing websites.

Featured Image by Shutterstock/alekseiveprev

What is a slug and how to optimize it?

When we talk about SEO for WordPress, we often talk about creating the right slug for a page. Of course, we’re not talking about the slimy creature that eats your plants. So, what is this ‘slug’ then? And why should you optimize it? In this post, we’ll explain all you need to know about it.

Having an orange or red traffic light for the ‘keyphrase in slug‘ check in Yoast SEO? Here’s what that check does and how to turn that light green.

What is a slug?

A slug is the part of a URL that identifies a particular page on a website in an easy-to-read form. In other words, it’s the part of the URL that explains the page’s content.

For this article, for example, the URL is https://yoast.com/slug, and the slug simply is ‘slug’.

How to edit a URL slug

In WordPress, the slug is the part of your URL that you can edit when writing or editing a post. Editing it in WordPress looks like this:

Note that this only works with the right permalink settings. You can edit the permalink settings in WordPress through Settings > Permalinks. We recommend choosing an option in which the URL contains relevant words, as this provides users and search engines with more information about the page than an ID or parameter would.

The WordPress Permalink Settings controls

Note: don’t just change your permalink settings once your site is already online. This could cause all kinds of trouble.

There are two ways to edit a slug in Shopify: You can either use Shopify’s ‘Search engine listing preview’ function, or you can use the Google Preview tool in Yoast SEO for Shopify instead.

To edit a slug using the built-in Shopify function, you’ll first need to click on ‘Edit website SEO’ to open the Search engine listing preview options. From there, you can easily adjust your slug as necessary. Note: Shopify calls the slug the ‘handle’ instead, but it’s exactly the same thing!

Search engine listing preview in Yoast

Alternatively, if you’re editing your Shopify page with Yoast SEO, all you need to do is open the Google preview in the Yoast SEO sidebar and you’ll see a field to enter a new slug:

Enter new slug in URL preview

Why are URL slugs important for SEO?

Writing a good slug for your page or post can positively affect your SEO. It allows you to do the following things:

1. Include your keyword

Why? Because the slug is one of the indicators Google uses to determine what a page is about. So change your slug, and make sure that it includes words you really want to rank for.

2. Create user-friendly URL slugs

Picture a results page: you’ll see many different URLs about a certain topic, right? So you need to make sure your slug is in line with what people expect to see.

For example, our main article on WordPress SEO has the URL yoast.com/wordpress-seo, which is very on point. People are a lot more likely to click on that, than on yoast.com/?p=607, even though that’s the URL that WordPress creates by default.

Find out more about creating SEO-friendly URLs »

What does the keyphrase in slug assessment in Yoast SEO do?

Your article or page should have an easy-to-remember, focused and SEO-friendly URL. That’s why, to improve your URL, the Yoast SEO plugin checks how you’ve fitted in your main focus keyphrase and makes suggestions to improve it.

A screenshot of the Yoast SEO analysis with the Keyphrase in slug assessment

How to optimize your slug in WordPress

What do you need to think of when crafting the right slug for your post or page? Let’s go over the six steps of optimizing it in WordPress:

  1. Include your focus keyphrase

    This is probably a no-brainer, but your focus keyphrase should always be in the slug. This will immediately make it clear to your audience what your page is about.

    If your keyphrase isn’t in the slug, the SEO analysis in the Yoast plugin will show you this message:

    A screenshot of the keyphrase assessment with an orange bullet

  2. Think about function words

    The slug that’s generated by default may include function words like “a”, “the” and “and”. In some cases, you might need those to clarify what your page is about. Usually, however, you can leave them out.

    You can read more about this in our WordPress SEO article.

  3. Add focus

    You shouldn’t just filter out any unnecessary function words, but every word you don’t need. In the case of this post, WordPress automatically created the slug “what-is-a-slug-and-how-to-optimize-it” (based upon the permalink settings in WordPress). That’s quite long, so we manually reduced it to “slug”. However, you should make sure your slug still makes sense!

    And remember: You can use a slug only once, so use it for the right page. For example, if we want to write another (but different) post about slugs in the future, then we can’t (re)use this slug.

  4. Keep it short and descriptive

    As we’ve said before, the URL of your page is sometimes shown in Google search results, and may therefore influence whether your audience decides to click your snippet. So, you don’t have a lot of room to play with. So think carefully about the specific words you want to include.

    In addition, be careful with adding dates and such to your URL. These instantly tell your audience when your content was originally published.

  5. Use lowercase letters only

    Try to use only lowercase letters in your slug. If you don’t, in some cases, you might accidentally create duplicate content by mixing uppercase and lowercase letters.

  6. Remember that URL slugs should be permanent

    Changing URLs can be bad for SEO, and bad for users – even if you use a redirect manager to make sure that people get to the right place. So when you’re choosing your slug, make sure it’s still going to make sense years from now.
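Steps 1, 2, 4 and 5 above can be applied mechanically, and the following is an added example of doing so in plain PHP (7.4 or later); it is not Yoast’s or WordPress’s code, and the function names and the stop-word list are constructed for the illustration. Step 3 (choosing which content words to keep) and step 6 (not renaming later) remain editorial decisions.

```php
<?php
/*
 * Added example, not Yoast's code: a slug builder applying the steps above.
 * Run with: php slug.php
 */

// Step 2: function words that rarely add meaning to a slug (constructed list).
const FUNCTION_WORDS = array( 'a', 'an', 'the', 'and', 'or', 'of', 'to', 'in', 'on', 'for', 'is', 'it', 'how', 'what' );

// Lowercase, ASCII letters/digits only, split into words.
function slug_words( $text ) {
    $text = strtolower( $text );
    $text = preg_replace( '/[^a-z0-9]+/', ' ', $text );
    return array_values( array_filter( explode( ' ', trim( $text ) ) ) );
}

function build_slug( $title, $focus_keyphrase, $max_words = 5 ) {
    // Step 5: lowercase only, so "Slug" and "slug" cannot become two URLs for one page.
    $words     = slug_words( $title );
    $keyphrase = slug_words( $focus_keyphrase );

    // Step 2: drop function words, but never a word that belongs to the focus keyphrase.
    $words = array_values( array_filter(
        $words,
        static fn( $w ) => ! in_array( $w, FUNCTION_WORDS, true ) || in_array( $w, $keyphrase, true )
    ) );

    // Step 1: the focus keyphrase must be present; put it first if the title lacks it.
    foreach ( array_reverse( $keyphrase ) as $kw ) {
        if ( ! in_array( $kw, $words, true ) ) {
            array_unshift( $words, $kw );
        }
    }

    // Step 4: keep it short.
    $words = array_slice( $words, 0, $max_words );

    return implode( '-', $words );
}

// The "keyphrase in slug" style check: every keyphrase word must appear in the slug.
function keyphrase_in_slug( $slug, $focus_keyphrase ) {
    $slug_words = explode( '-', $slug );
    foreach ( slug_words( $focus_keyphrase ) as $kw ) {
        if ( ! in_array( $kw, $slug_words, true ) ) {
            return false;
        }
    }
    return true;
}

// Constructed sample titles.
foreach ( array( 'What is a slug and how to optimize it?', 'How to optimize your URL' ) as $title ) {
    $slug = build_slug( $title, 'slug' );
    printf( "%-40s -> %-24s keyphrase in slug: %s\n", $title, $slug, keyphrase_in_slug( $slug, 'slug' ) ? 'yes' : 'no' );
}
```

For this post’s own title the builder yields `slug-optimize`; the authors went one step further by hand and cut it to `slug`, which is the kind of judgement step 3 asks for.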

WordPress Shares Core Web Vitals In 2023 And Impact On Web via @sejournal, @kristileilani

In 2023, the WordPress community witnessed a significant milestone in website performance, with Core Web Vitals (CWV) showing significant improvements for both mobile and desktop users.

This article delves into the specifics of these improvements, exploring their implications and the evolving landscape of web performance within the WordPress ecosystem.

What Are Core Web Vitals?

Core Web Vitals are a set of specific metrics designed to measure the quality of user experience on web pages. This set of metrics is also a confirmed ranking factor for Google Search.

As part of Google’s broader Web Vitals initiative, the metrics focus on loading performance, interactivity, and visual stability. They apply to all web pages and are important for site owners to measure and optimize.

There are three key metrics within CWV:

  • Largest Contentful Paint (LCP) evaluates loading performance. A good user experience is indicated when the LCP occurs within 2.5 seconds of when the page starts loading.
  • First Input Delay (FID) measures the interactivity of a page. For a good user experience, the FID should be 100 milliseconds or less.
  • Cumulative Layout Shift (CLS) assesses the visual stability of a page. A good user experience is maintained if the page has a CLS of 0.1 or less.

These metrics are designed to be measurable in real-world scenarios, reflecting critical aspects of user experience.

In addition to these, there are other vital metrics:

  • Time to First Byte (TTFB) and First Contentful Paint (FCP) are key aspects of the loading experience and help diagnose issues with LCP.
  • Total Blocking Time (TBT) is important for diagnosing potential interactivity issues impacting FID.

While important, they are not part of the Core Web Vitals set because they are either not field-measurable or do not directly reflect a user-centric outcome.

WordPress Core Web Vitals Improve In 2023

WordPress CWV improved substantially in 2023.

Screenshot from WordPress, December 2023

The mobile CWV passing rate has increased by 8.13%, rising from 28.31% to 36.44%.

Similarly, the desktop CWV passing rate improved by 8.25%, moving from 32.55% to 40.80%.

This improvement is significant, considering the base values from which these percentages increased.

In relative terms, the new passing rates are approximately 29% higher than the previous ones on mobile and 25% higher on desktop.

This progress outstrips the improvements made in the previous year, where mobile CWV improved by 6.99% and desktop by 6.25%.

A line chart illustrates the gradual improvement of WordPress’s mobile CWV passing rate over the year, with a slight dip between March and April 2023 due to a change in the Largest Contentful Paint (LCP) algorithm calculation.

CWV Metrics For Mobile

The improvement in individual CWV metrics on mobile platforms is noteworthy.

The mobile LCP passing rate rose by 8.89%, the CLS passing rate by 4.22%, and the FID passing rate by 0.87%.

LCP experienced the largest increase, aligning with the WordPress performance team’s focus on this metric, considering it had the lowest base passing rate.

Despite a modest increase in FID, its already high passing rate makes this less concerning.

The TTFB rate, while not a Core Web Vital metric, is integral to LCP and received attention in 2023.

The mobile TTFB passing rate improved by 3.10%, and the desktop rate by 3.53%.

Impact Of WordPress 2023 Releases

The release of WordPress versions 6.2, 6.3, and 6.4 focused on improvements in load time performance, particularly impacting LCP and TTFB metrics.

For each version, data was compiled comparing sites before and after updating to the new version.

This approach, though not a strict A/B comparison, helped reduce noise and provide clearer insights.

For instance, the release of WordPress 6.2 showed a 0.01% improvement in mobile LCP and 0.65% in mobile TTFB.

Version 6.3 brought more significant improvements, with a 4.72% increase in mobile LCP.

The release of WordPress 6.4 also contributed to the improvements, albeit more modestly.

How WordPress Core Web Vitals Impact The Web

WordPress’s high usage rate means its performance has a substantial effect on the overall web.

In 2023, WordPress’s improvement in CWV passing rates exceeded those of non-WordPress sites.

For example, the mobile CWV passing rate for non-WordPress sites improved by 3.68%, compared to WordPress’s 8.13%. This demonstrates WordPress’s significant role in enhancing web performance.

Interaction To Next Paint Arrives In March 2024

Looking forward to 2024, WordPress faces new challenges and opportunities.

One major change is the replacement of the FID metric with Interaction to Next Paint (INP).

INP is a more comprehensive measure of interactivity, and its introduction is expected to lower overall CWV passing rates.

The WordPress performance team is considering this in their planning for 2024, inviting community contributions to their roadmap.

Next Steps

As a marketing professional, it is essential to stay current with the latest developments in Core Web Vitals, considering the implications for website performance and SEO.

With the upcoming shift to INP in 2024, it’s vital to prepare for these changes and consider how they might affect your website’s performance metrics.

Given this change, WordPress developers and site owners should start focusing on optimizing for INP. Prioritizing INP means optimizing your site to ensure that it responds quickly and smoothly to user interactions.

Another suggestion was to explore more ways to improve TTFB.

This may include optimizing hosting environments, using caching strategies, or adjusting content delivery networks, rather than just focusing on the server response time within the WordPress core.

Featured image: Primakov/Shutterstock

WordPress Starter Templates AI – Build A Site In 60 Seconds via @sejournal, @martinibuster

Astra Starter Templates by Brainstorm Force, with over one million active installations, announced the integration of the ZipWP AI website builder that enables users to create entire websites, including content and images.

With over 280 customizable website templates that help users quickly create professional-looking websites, it is one of the most popular template plugins in the world, with over one million active installations.

Creating websites with templates and page builders like Elementor and Beaver Builder still required a modest learning curve.

The integration of ZipWP into the WPAstra Starter Templates solves that problem in a way that brings the simplicity of closed-source web design to the open source WordPress ecosystem.

ZipWP is a website builder that uses artificial intelligence to help users rapidly create functional WordPress websites with no coding or technical knowledge required.

The standalone version of ZipWP handles everything from installation and design to even creating the content for a fully configured website, including the images.

ZipWP claims that the AI can create an entire website in sixty seconds.

Screenshot of ZipWP Website

Both the standalone version and the version that’s integrated into the WPAstra Starter Templates offer features like automated website design, website content, and drag-and-drop webpage customization in a simple way that makes creating a website accessible to users of all technical levels.

The purpose isn’t necessarily to replace web designers, as it’s also useful for agencies that wish to scale their web design services while retaining total control and benefiting from the open source WordPress environment.

That means that the entire WordPress ecosystem of plugins is available for customizing websites created with the ZipWP functionality.

Users hoping to take advantage of the ZipWP functionality will have to register for an account with ZipWP.

ZipWP offers both free and premium tiers.

The free version allows users to create up to three websites per month. The premium version allows the creation of ten websites per day and other benefits for the price of $399/year.

According to the WPAstra changelog announcement:

“It will require connecting the user to their ZipWP account and providing their business details, after which it will generate content + images for patterns and pages based on the specified business details.”

Read the WPAstra changelog:

Starter Templates 3.5.2 : All new AI based Template Kit library

Learn more about ZipWP AI Website Builder

WordPress Releases Version 6.4.2 For Critical Vulnerability via @sejournal, @martinibuster

WordPress has released version 6.4.2 that contains a patch for a critical severity vulnerability that could allow attackers to execute PHP code on the site and potentially lead to a full site takeover.

The vulnerability was traced back to a feature introduced in WordPress 6.4 that was meant to improve HTML parsing in the block editor.

The issue is not present in earlier versions of WordPress and it only affects versions 6.4 and 6.4.1.

An official WordPress announcement describes the vulnerability:

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

According to an advisory published by Wordfence:

“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”

Object Injection Vulnerability

Wordfence advises that Object Injection vulnerabilities are not easy to exploit. Nonetheless, they recommend that WordPress users update to the latest version.

WordPress itself advises that users update their sites immediately.
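Why an Object Injection in a plugin or theme is dangerous at all, and what the defensive options look like, as an added example that is not WordPress core’s or Wordfence’s code. The `DemoCleanup` class and the serialized string are constructed for the demonstration; run it with `php unserialize_demo.php` and no WordPress install is needed.

```php
<?php
/*
 * Added example, not WordPress core's code: unserialize() on data from outside the
 * application instantiates whatever class the data names, and that class's magic methods
 * (__wakeup, __destruct, ...) then run. Two defensive options follow.
 */

// Stand-in for any autoloaded class that does work in a magic method. Constructed for the
// demo; the destructor only records that it ran.
class DemoCleanup {
    public $path = '';
    public function __destruct() {
        echo "  __destruct ran for path='{$this->path}'\n";
    }
}

// Constructed input: the serialized form of DemoCleanup with an externally chosen property.
$untrusted = 'O:11:"DemoCleanup":1:{s:4:"path";s:12:"/some/target";}';

echo "1) unserialize() with defaults instantiates the named class:\n";
$obj = unserialize( $untrusted );
unset( $obj ); // the destructor fires here, with the externally supplied property value

echo "2) allowed_classes => false never instantiates it (PHP 7.0+):\n";
$obj = unserialize( $untrusted, array( 'allowed_classes' => false ) );
var_dump( $obj instanceof __PHP_Incomplete_Class ); // bool(true): a placeholder, no magic methods
unset( $obj ); // nothing runs

echo "3) Preferred for untrusted data: JSON into plain arrays, never PHP serialization:\n";
$decoded = json_decode( '{"path":"/some/target"}', true );
var_dump( $decoded ); // array(1) { ["path"]=> string(12) "/some/target" }
```

The WordPress announcement quoted above is about the second half of the problem: core 6.4 and 6.4.1 shipped a class whose magic methods could be chained into code execution, so any plugin that passes untrusted data to `unserialize()` became far more dangerous. Updating core removes that chain; option 2 or 3 in the plugin removes the entry point.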

Read the official WordPress announcement:

WordPress 6.4.2 Maintenance & Security Release

Read the Wordfence advisory:

PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

Featured Image by Shutterstock/Nikulina Tatiana

Elementor WordPress Plugin Vulnerability via @sejournal, @martinibuster

A high severity vulnerability was discovered in the Elementor website builder plugin that could allow an attacker to upload files to the website server and execute them. The vulnerability is in the template uploader functionality.

Elementor Unrestricted Upload of File with Dangerous Type Vulnerability

Elementor website builder is a popular WordPress plugin with over 5 million installations. The popularity is driven by its simple to use drag and drop functionality for creating professional looking websites.

The vulnerability discovered in Elementor is rated 8.8/10 and is said to make websites using Elementor open to a Remote Code Execution whereby an attacker is able to essentially control the affected website and run various commands.

The type of vulnerability is described as an Unrestricted Upload of File with Dangerous Type. In this kind of vulnerability an attacker is able to upload malicious files, which in turn lets the attacker execute commands on the affected website server.

This kind of issue is generally described in this manner:

“The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.”

Wordfence describes this specific vulnerability:

“The Elementor Website Builder …plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.0 via the template import functionality.

This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.”

Wordfence also indicates that there is no patch to fix this issue and recommends uninstalling Elementor.

“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”

Elementor 3.18.1 Version Update

Elementor released an update to version 3.18.1 today. It is unclear if this patch fixes the vulnerability as the Wordfence site currently states that the vulnerability is unpatched.

The changelog describes this update:

“Fix: Improved code security enforcement in File Upload mechanism”

This is a newly reported vulnerability and the facts may change. Wordfence however warns that hackers are already attacking Elementor websites because their paid version has already blocked eleven hacking attempts at the time of publishing the announcement.

Read the Wordfence advisory:

Elementor <= 3.18.0 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Critical WordPress Form Plugin Vulnerability Affects Up To +200,000 Installs via @sejournal, @martinibuster

Security researchers at Wordfence detailed a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. The vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially malicious PHP backdoors, with the ability to execute these files on the server.

MW WP Form Plugin

The MW WP Form plugin helps to simplify form creation on WordPress websites using a shortcode builder.

It makes it easy for users to create and customize forms with various fields and options.

The plugin has many features, including one that allows file uploads using the [mwform_file name="file"] shortcode for the purpose of data collection. It is this specific feature that is exploitable in this vulnerability.

Unauthenticated Arbitrary File Upload Vulnerability

An Unauthenticated Arbitrary File Upload Vulnerability is a security issue that allows attackers to upload potentially harmful files to a website. Unauthenticated means that the attacker does not need to be registered with the website or hold any user permission level.

These kinds of vulnerabilities can lead to remote code execution, where the uploaded files are executed on the server, with the potential to allow the attackers to exploit the website and site visitors.

The Wordfence advisory noted that the plugin has a check for unexpected filetypes but that it doesn’t function as it should.

According to the security researchers:

“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block.

…even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded.

This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
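The control-flow defect Wordfence describes, reduced to plain PHP as an added example; this is not MW WP Form’s code, the function names and sample file names are constructed for the illustration, and nothing touches the filesystem. Run it with `php upload_check.php`.

```php
<?php
/*
 * Added example, not MW WP Form's code: a file-type check that "works perfectly" is
 * useless when the caller treats its rejection as a logged exception and carries on.
 */

const ALLOWED_EXTENSIONS = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' );

// The type check itself is sound: false for anything not on the allowlist.
function is_allowed_type( $filename ) {
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    return in_array( $ext, ALLOWED_EXTENSIONS, true );
}

// Buggy flow: the rejection is raised inside try, caught and logged, after which
// execution falls through to the save step for every file.
function save_upload_buggy( $filename, array &$log ) {
    try {
        if ( ! is_allowed_type( $filename ) ) {
            throw new RuntimeException( "disallowed file type: $filename" );
        }
    } catch ( RuntimeException $e ) {
        $log[] = 'logged: ' . $e->getMessage(); // only logged; nothing stops the upload
    }
    $log[] = "saved: $filename";                  // reached regardless of the check
    return true;
}

// Fixed flow: the check's result decides whether the save step runs at all.
function save_upload_fixed( $filename, array &$log ) {
    if ( ! is_allowed_type( $filename ) ) {
        $log[] = "rejected: $filename";
        return false;
    }
    $log[] = "saved: $filename";
    return true;
}

// Constructed sample uploads: one legitimate image, one server-side script.
$samples = array( 'photo.jpg', 'upload.php' );
foreach ( array( 'save_upload_buggy', 'save_upload_fixed' ) as $fn ) {
    $log = array();
    foreach ( $samples as $name ) {
        $fn( $name, $log );
    }
    echo $fn, ":\n  ", implode( "\n  ", $log ), "\n";
}
```

The buggy version saves both files and merely logs a message for the second; the fixed version saves only `photo.jpg`. The general lesson for reviewing upload code is to follow the rejected path to its end: a check that returns false or throws is only a control if something downstream actually refuses to continue.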

There Are Conditions For A Successful Attack

A successful attack requires that the “Saving inquiry data in database” option in the form settings is enabled; without it, this security gap cannot be exploited.

The security advisory notes that the vulnerability is rated critical with a score of 9.8 out of 10.

Actions To Take

Wordfence strongly advises users of the MW WP Form plugin to update their versions of the plugin.

The vulnerability is patched in the latest version of the plugin, version 5.0.2.

The severity of the threat is particularly critical for users who have enabled the “Saving inquiry data in database” option in the form settings and that is compounded by the fact that no permission levels are needed to execute this attack.

Read the Wordfence advisory:

Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution

Featured Image by Shutterstock/Alexander_P

WordPress AMP Plugin Vulnerability Affects Up To 100,000+ Sites via @sejournal, @martinibuster

The Accelerated Mobile Pages WordPress plugin, with over 100,000 installations, patched a medium severity vulnerability that could allow an attacker to inject malicious scripts to be executed by website visitors.

Cross-Site Scripting Via Shortcode

Cross-site scripting (XSS) is one of the most frequent kinds of vulnerability. In the context of WordPress plugins, XSS vulnerabilities happen when a plugin accepts data through an input that isn’t sufficiently protected by a process that validates or sanitizes user input.

Sanitization is a way to block unwanted kinds of input. For example, if a plugin allows a user to add text through an input field, then it should also sanitize anything else that is input into that form that doesn’t belong, like a script or a zip file.

A shortcode is a WordPress feature that allows users to insert a tag that looks like this [example] within posts and pages. Shortcodes embed functionalities or content that is provided by a plugin. This allows users to configure a plugin through an admin panel then copy and paste a shortcode into a post or page where they want the plugin functionality to appear.

A “cross-site scripting via shortcode” vulnerability is a security flaw that allows an attacker to inject malicious scripts into a website by exploiting the shortcode function of the plugin.
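As an added illustration (not code from the Accelerated Mobile Pages plugin, Patchstack or Wordfence), here is a hypothetical shortcode handler written in the unsanitized pattern the advisories describe, beside a hardened version; the shortcode name `ampx_box`, its attributes and the function names are assumptions:

```php
<?php
// Added illustration; hypothetical shortcode [ampx_box title="..." color="..." link="..."].
// Anyone who can write a post (Contributor and up) can place this shortcode,
// so every attribute is untrusted input that is stored and later rendered to visitors.

// Vulnerable pattern: attribute values are dropped straight into HTML.
function ampx_box_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000', 'link' => '#' ),
        $atts, 'ampx_box'
    );
    // No sanitization and no output escaping: a value containing quotes or
    // tags breaks out of the attribute and becomes markup for every visitor.
    return '<div class="box" style="color:' . $atts['color'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}

// Hardened pattern: validate what each attribute may contain, then escape
// each value for the exact HTML context it lands in.
function ampx_box_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000', 'link' => '#' ),
        $atts, 'ampx_box'
    );
    // Allow only a CSS hex color; anything else falls back to the default.
    $color = preg_match( '/^#(?:[0-9a-fA-F]{3}){1,2}$/', $atts['color'] )
        ? $atts['color'] : '#000';
    // Strip tags, line breaks and control characters from free text.
    $title = sanitize_text_field( $atts['title'] );
    // esc_url() drops disallowed schemes (e.g. javascript:) and escapes for an attribute.
    $link = esc_url( $atts['link'] );

    return '<div class="box" style="color:' . esc_attr( $color ) . '">'
         . '<a href="' . $link . '">' . esc_html( $title ) . '</a></div>';
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'ampx_box', 'ampx_box_safe' );
```

Note that validating the attribute shape and escaping on output are separate steps: the first rejects values that make no sense for the field, the second guarantees that whatever survives cannot change the structure of the page.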

According to a report recently published by the Patchstack WordPress security company:

“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 1.0.89.”

Wordfence describes the vulnerability:

“Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes.”

Wordfence also clarifies that this is an authenticated vulnerability, which for this specific exploit means that a hacker needs at least a contributor permission level in order to take advantage of it.

This exploit is rated by Patchstack as a medium severity level vulnerability, scoring a 6.5 on a scale of 1-10 (with ten being the most severe).

It’s advised that users check their installations to make sure they are patched to at least version 1.0.89.

Read the Patchstack report here:
WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Read the Wordfence announcement here:
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Featured Image by Shutterstock/pedrorsfernandes

WordPress 6.4.1 Maintenance Release Fixes Bugs In Version 6.4 via @sejournal, @martinibuster

WordPress released a maintenance release on Wednesday evening to fix problems discovered shortly after WordPress 6.4 was released to the public on Tuesday November 7th.

Two of the issues were somewhat serious in that they affected the operation of certain plugins and could cause problems for sites encountering either of them.

The third one was a typo that resulted in a misconfigured notice in the admin panel.

Three Issues Fixed

  1. Typo
  2. Removed code caused backward compatibility issues
  3. Critical bug causes download to fail

Typo In Code – Minor Cosmetic Issue

The typo issue was relatively minor. It affected how a nag screen appeared in the administrator panel, causing it to stretch across the top of the page.

Before the fix: [screenshot of the admin panel nag screen before the fix]

After the fix: [screenshot of the admin panel nag screen after the fix]

Backward Compatibility Bug

This bug was one of those random things that can’t always be accounted for.

What happened is that core contributors removed code that the WordPress core was no longer using, thus it was supposed to be safe to remove.

But… that code was still being used by plugins and because it was now missing, WP 6.4 was apparently causing those plugins to break.

So the fix that is in this maintenance release is to add it back in.

Critical Bug Causing cURL Error

The last fix was for a bug that caused downloading updates to fail and show an error message saying that it timed out: “cURL error 28: Operation timed out.”

According to the internal WordPress discussion of how to fix this:

“This issue should be critical.

6.4 updated the Requests library version which included a breaking change for anyone running on a host with curl version 7.29 (at least).”

This issue was another one of those random things. In this case, it involved servers that were using an older and outdated version of the cURL library (cURL 7.29). The latest version of cURL is 8.4.0.

Takeaway

WordPress releases test versions of WordPress for the community to test and report back any errors.

But if nobody experiences a problem during testing, it shows up when the final version is released, and that is what happened here.

The original WordPress 6.4 version that this new maintenance release updates was codenamed Shirley. The new maintenance release kind of begs to be codenamed Don’t call me Shirley.

Featured Image by Shutterstock/photosince