Vulnerabilities In WooCommerce And Dokan Pro Plugins

WooCommerce published an advisory about an XSS vulnerability while Wordfence simultaneously advised about a critical vulnerability in a WooCommerce plugin named Dokan Pro. The advisory about Dokan Pro warned that a SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from a website database.

Dokan Pro WordPress Plugin

The Dokan Pro plugin allows users to transform their WooCommerce website into a multi-vendor marketplace similar to sites like Amazon and Etsy. It currently has over 50,000 installations. Plugin versions up to and including 3.10.3 are vulnerable.

According to Wordfence, version 3.11.0 represents the fully patched and safest version.

WordPress.org lists the current number of plugin installations of the lite version at over 50,000 and a total all-time number of installations of over 3 million. As of this moment only 30.6% of installations were using the most up to date version, 3.11, which may mean that 69.4% of all Dokan Pro plugins are vulnerable.

Screenshot Of Dokan Plugin Download Statistics

Changelog Doesn’t Show Vulnerability Patch

The changelog is what tells users of a plugin what’s contained in an update. Most plugin and theme makers will publish a clear notice that an update contains a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including version 3.10.3. But the changelog entry for version 3.10.4, released Apr 25, 2024 (which is supposed to be patched), does not show that there’s a patch. It’s possible that the publisher of Dokan Pro and Dokan Lite didn’t want to alert hackers to the critical vulnerability.

Screenshot Of Dokan Pro Changelog

CVSS Score 10

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score that represents the severity of a vulnerability. The severity score is based on how exploitable it is, the impact of it, plus supplemental metrics such as safety and urgency which together add up to a total score from least severe (1) to the highest severity (10).

The Dokan Pro plugin received a CVSS score of 10, the highest severity level, which means that users of the plugin should take immediate action.

Screenshot Of Dokan Pro Vulnerability Severity Score

Description Of Vulnerability

Dokan Pro was found to contain an Unauthenticated SQL Injection vulnerability. Vulnerabilities are classed as either authenticated or unauthenticated. Unauthenticated means that an attacker does not need to acquire user credentials in order to launch an attack. Of the two kinds, unauthenticated is the worst case scenario.

A WordPress SQL Injection vulnerability is one in which a plugin or theme allows an attacker to manipulate the database. The database is the heart of every WordPress website; it is where every password, login name, post, and all theme and plugin data are stored. A vulnerability that allows anyone to manipulate the database is extremely severe.

This is how Wordfence describes it:

“The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the ‘code’ parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.”
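The two causes Wordfence names, insufficient escaping of the user-supplied parameter and a query that is not prepared, are easiest to see side by side. The following is an added illustration written for this article, not Dokan Pro’s own code: a hypothetical lookup keyed by a request parameter named ‘code’ (the parameter name is the one the advisory cites; the table, column names and function names are assumptions). The first function builds the SQL string by interpolation; the second binds the value through $wpdb->prepare(), which is the WordPress core API for separating query text from data.

```php
<?php
// Added illustration, not Dokan Pro's code. Table and column names,
// and the demo_ function names, are assumptions made for this example.

// VULNERABLE PATTERN: the request value is interpolated straight into the
// SQL text. Whatever the client sends becomes part of the query itself,
// so the parameter is no longer just data compared against a column.
// When a query like this sits behind an unauthenticated entry point
// (for example a wp_ajax_nopriv_ action), no login is needed to reach it.
function demo_lookup_by_code_vulnerable( $code ) {
    global $wpdb;
    $sql = "SELECT id, vendor_id FROM {$wpdb->prefix}demo_codes WHERE code = '$code'";
    return $wpdb->get_row( $sql, ARRAY_A );
}

// HARDENED PATTERN: $wpdb->prepare() keeps query text and data separate.
// The value is bound to the %s placeholder, which quotes and escapes it,
// so it can only ever be treated as a string to compare against.
// sanitize_text_field() additionally strips tags and control characters
// before the value is used.
function demo_lookup_by_code_prepared( $code ) {
    global $wpdb;
    $code = sanitize_text_field( $code );
    $sql  = $wpdb->prepare(
        "SELECT id, vendor_id FROM {$wpdb->prefix}demo_codes WHERE code = %s",
        $code
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Example of wiring the hardened lookup to an AJAX action that is reachable
// without a login, which is the situation the advisory describes. Even with
// a prepared query, an unauthenticated endpoint should return only the
// fields a visitor is entitled to see.
add_action( 'wp_ajax_nopriv_demo_lookup_code', function () {
    $code = isset( $_GET['code'] ) ? wp_unslash( $_GET['code'] ) : '';
    $row  = demo_lookup_by_code_prepared( $code );
    wp_send_json( $row ? array( 'found' => true ) : array( 'found' => false ) );
} );
```

When reviewing a plugin for this class of bug, the check is mechanical: every $wpdb->query(), get_row(), get_results() or get_var() call whose SQL string contains a variable derived from $_GET, $_POST or a REST request, and which is not wrapped in $wpdb->prepare(), is a candidate for exactly the defect described above.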

Recommended Action For Dokan Pro Users

Users of the Dokan Pro plugin are advised to update their sites as soon as possible. It’s always prudent to test updates before they’re uploaded live to a website. But due to the severity of this vulnerability, users should consider expediting this update.

WooCommerce published an advisory of a vulnerability that affects versions 8.8.0 and higher. The vulnerability is rated 5.4, which is a medium level threat, and only affects users who have the Order Attribute feature enabled. Nevertheless, WooCommerce “strongly” recommends users update as soon as possible to the most current version (as of this writing), WooCommerce 8.9.3.

WooCommerce Cross Site Scripting (XSS) Vulnerability

The type of vulnerability that affects WooCommerce is called Cross Site Scripting (XSS), a type of vulnerability that depends on a user (like a WooCommerce store admin) clicking a link.

According to WooCommerce:

“This vulnerability could allow for cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin.

…We are not aware of any exploits of this vulnerability. The issue was originally found through Automattic’s proactive security research program with HackerOne. Our support teams have received no reports of it being exploited and our engineering team analyses did not reveal it had been exploited.”
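WooCommerce’s description (a link manipulated so that its content lands on a page, affecting whoever clicks it) is the reflected form of XSS, and the fix in WordPress code is to escape every request-derived value for the HTML context it is written into. The following is an added illustration written for this article, not WooCommerce’s code: a hypothetical admin notice that echoes a filter value taken from the URL, first unescaped and then escaped with the WordPress core esc_html() and esc_url() functions. The screen, the demo_filter parameter and the demo_ function names are assumptions.

```php
<?php
// Added illustration, not WooCommerce's code. The demo_filter parameter,
// the demo_ function names and the text domain are assumptions.

// VULNERABLE PATTERN: a request parameter is written into the page as-is.
// Whoever follows a link carrying that parameter has its content rendered
// in their own browser session, markup included, so a crafted link can
// plant script in the page an admin or customer is viewing.
function demo_render_filter_notice_vulnerable() {
    $filter = isset( $_GET['demo_filter'] ) ? wp_unslash( $_GET['demo_filter'] ) : '';
    echo '<div class="notice"><p>Showing orders matching: ' . $filter . '</p></div>';
}

// HARDENED PATTERN: the value is sanitized on input and escaped for the
// context it is output into. esc_html() turns angle brackets and quotes
// into entities so they cannot start a tag or attribute; esc_url() does
// the equivalent for a URL written into an href attribute.
function demo_render_filter_notice_escaped() {
    $filter = isset( $_GET['demo_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['demo_filter'] ) )
        : '';
    printf(
        '<div class="notice"><p>%s %s</p></div>',
        esc_html__( 'Showing orders matching:', 'demo-textdomain' ),
        esc_html( $filter )
    );
    // A "reset" link built from the current request URL: the URL is also
    // attacker-influenced, so it goes through esc_url() before output.
    $reset_url = remove_query_arg( 'demo_filter' );
    printf(
        '<a href="%s">%s</a>',
        esc_url( $reset_url ),
        esc_html__( 'Reset filter', 'demo-textdomain' )
    );
}
```

The review check mirrors the SQL case: any echo or printf whose arguments include a value from $_GET, $_POST, $_REQUEST or $_SERVER['REQUEST_URI'] should pass through esc_html(), esc_attr(), esc_url() or esc_js() according to where in the markup it lands.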

Should Web Hosts Be More Proactive?

Web developer and search marketing expert Adam J. Humphreys, of Making 8, Inc. (LinkedIn profile), feels that web hosts should be more proactive about patching critical vulnerabilities, even though that may cause some sites to lose functionality if there’s a conflict with some other plugin or theme in use.

Adam observed:

“The deeper issue is the fact that WordPress remains without auto updates and a constant vulnerability which is the illusion their sites are safe. Most core updates are not performed by hosts and almost every single host doesn’t perform any plugin updates even if they do them until a core update is performed. Then there is the fact most premium plugin updates will often not perform automatically. Many of which contain critical security patches.”

I asked if he meant a push update, where an update is forced onto a website.

“Correct, many hosts will not perform updates until a WordPress core update. Softaculous engineers confirmed this for me. WPEngine which claims fully managed updates doesn’t do it on the frequency to patch in a timely fashion for said plugins. WordPress without ongoing management is a vulnerability and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion.”

Read more at Wordfence:

Dokan Pro <= 3.10.3 – Unauthenticated SQL Injection

Read the official WooCommerce vulnerability documentation:

WooCommerce Updated to Address Cross-site Scripting Vulnerability


Bluehost Launches AI WordPress Website Creator

Bluehost launched an AI Website Creator that enables users to quickly create professional websites. It is an evolution of the click-and-build website builder that makes it easy for anyone to create a WordPress website and benefit from the power and freedom of the open source community.

The importance of what this means for businesses and agencies cannot be overstated because it allows agencies to scale WordPress site creation and puts the ability to create professional WordPress sites within reach of virtually everyone.

Point And Click Website Creation

Bluehost offers an easy website building experience that combines the ease of point-and-click site creation with the freedom of the WordPress open source content management system. The heart of this system is called WonderSuite.

WonderSuite comprises multiple components, such as a user interface that walks a user through the site creation process with a series of questions. There is also a library of patterns, templates, and an easy to configure shopping cart, essentially all the building blocks for creating a site and doing business online quickly and easily.

The new AI Website Creator functionality is the newest addition to the WonderSuite site builder.

AI Website Builder

An AI website builder is the natural evolution of the point-and-click site creation process. Rather than moving a cursor around on a screen, the new way to build a website is with an AI that acts as a designer and responds to a user’s website needs.

The AI asks questions and starts building the website using open source WordPress components and plugins. Fonts, professional color schemes, and plugins are all installed as needed, completely automatically. Users can also save custom generated options for future use which should be helpful for agencies that need to scale client website creation.

Ed Jay, President of Newfold Digital, the parent company of Bluehost, commented:

“Efficiency and ease are what WordPress entrepreneurs and professionals need and our team at Bluehost is dedicated to deliver these essentials to all WordPress users across the globe. With AI Website Creator, any user can rely on the Bluehost AI engine to create their personalized website in just minutes. After answering a few simple questions, our AI algorithm leverages our industry leading WordPress experience, features and technology, including all aspects of WonderSuite, to anticipate the website’s needs and ensure high quality outcomes.

The AI Website Creator presents users with multiple fully functional, tailored and customizable website options that provide a powerful but flexible path forward. It even generates images and content aligned with the user’s brief input, expediting the website off the ground and ready for launch.”

Future Of Website Creation

Bluehost’s innovative AI site creator represents the future of how businesses get online and how entrepreneurs who service clients can streamline site creation and scale their business with WordPress.

Read more about Bluehost’s new AI Website Creator:

WordPress made wonderful with AI


Automattic For Agencies: A New Way To Monetize WordPress

Automattic, the company behind WordPress.com, Jetpack, WooCommerce and more, has announced a new program to woo agencies into its ecosystem of products with more ways to earn revenue.

This new program could be seen as putting Automattic into direct competition with closed source systems like Wix and Duda but there are clear differences between all three products and services.

Automattic For Agencies

Automattic for Agencies brings together multiple Automattic products into a single service with a dashboard for managing multiple client sites and billing. The program offers a unified location for managing client sites as well as discounted pricing and revenue sharing opportunities. Aside from the benefits of streamlining, the program also offers technical support across all of the Automattic products that are a part of the program. Lastly, the program offers agencies managed security and performance improvements.

According to the announcement:

“We worry about site performance and security so you don’t have to. When you connect your sites to the Automattic for Agencies dashboard, you’ll receive instant notifications about updates and alerts, so your sites stay problem-free and your clients stay happy.”

Revenue Share And Discounts

Agencies can now earn a revenue share on the Automattic products used by clients. For example, agencies can earn a 50% revenue share on Jetpack product referrals, including renewals. As part of the program Jetpack also offers discounts on licenses, starting at 10% off for five licenses and rising to 50% off for 100 licenses.

As part of the new program there are similar benefits for agencies that build or manage WooCommerce sites, with discounted agency pricing and a referral program.

WordPress.com, the managed WordPress hosting subsidiary of Automattic, is offering a 20% revenue share on new subscriptions and a 50% share on migrations from other hosts.

A tweet from WordPress.com described the new program:

“Agencies, we’ve got some news for you!

Our new referral program is live, and as a referrer of http://WordPress.com’s services, your agency will receive a 20% revenue share on new subscriptions and 50% on new migrations to http://WordPress.com from other hosting providers.”

New Directory For Agencies

A forthcoming benefit of the Automattic For Agencies program is a business directory that lists agencies that are a part of the program. The benefit of the directory is presumably that it may lead to business referrals to the agencies.

The Jetpack announcement describes the new directory:

“Gain heightened visibility through multiple directory listings across Automattic’s business units. This increased exposure creates more opportunities for potential clients to find and engage with your services, helping you grow your agency’s reach and reputation.”

The WooCommerce announcement describes the directory like this:

“Expand your reach
Increase your visibility with partner directory listings across multiple Automattic brands.”

Automattic Affiliate Program

The Automattic for Agencies announcement follows the rollout of a separate affiliate program which offers up to 100% referral bonus for affiliates who refer new hosting clients, with a limit of $300 payout per item, and up to 50% referral bonus for Jetpack plugin subscriptions. The program has a 30 day cookie conversion period which provides affiliates the opportunity to earn referral bonuses on any additional sales within a 30 day period.

Read more about the new program:

Live the Suite Life With Automattic For Agencies


WordPress Playground – A New Tool You Need To Try Right Now

WordPress has been releasing innovative tools that help users accomplish their goals and become more proficient. One of the newest tools is called Playground, a tool that is designed to make a WordPress site instantly available for testing, learning and building.

Background On WordPress Playground

Playground is a tool that runs in your browser.

The official WordPress documentation for Playground suggests these uses:

  • Try a block, a theme, or a plugin
  • Build an entire site, save it, host it
  • Test your plugin with many specific WordPress and PHP versions
  • Embed a real, interactive WordPress site in your tutorial or course
  • Showcase a plugin or theme on your website
  • Build a native app running WordPress and put it in App Store
  • Preview pull requests from your repository

There is also a WordPress Plugin available, Playground By WordPress Contributors, that enables a user to clone their site to a private in-browser Playground version.

The WordPress plugin allows a user to create an exact website copy within a Playground instance, from which a user can do things like test a plugin or theme. Any changes made to the Playground instance do not affect the actual website. The cloned site is not uploaded to any cloud service, all the data remains private, residing within a user’s web browser, where it stays until the browser tab is closed.

Interview: Adam Zieliński, WordPress Playground Architect @ Automattic

I interviewed Adam Zieliński, the WordPress Playground Architect at Automattic, to learn more about what Playground is and how it can be useful for developers and regular users of WordPress.

The first thing I wanted to know is, what is Playground and why should anyone use it, what should people expect from it?

Adam Zieliński:

“Playground is WordPress in a single click. There are no tedious setup steps, webhost accounts, or technical talk.

Playground is not the site at playground.wordpress.net. It is the groundbreaking technology that makes that site possible and also powers a new generation of interactive, single-click WordPress tools. There are interactive tutorials, QA (Quality Assurance) workflows, “try before you buy” previewers for plugins, collaboration tools, contribution workflows and so much more.

Here are two examples:

The site at playground.wordpress.net doubles as a QA tool – you can try the upcoming WordPress release, test your plugin or theme with five other plugins and then see how it performs on different WordPress and PHP versions. It proved useful for sourcing feedback during the WordPress 6.5 release cycle, the Font library call for testing, and more.

As a WordPress plugin, Playground can clone your existing WordPress site, including all content, plugins, and themes, inside a private Playground instance. This gives you a way of testing changes, new plugins, or updates before pushing them live and without needing a separate hosting.

The next example is a bit more technical but I’ll still go with it. Playground can be embedded on websites. There are companies out there showcasing a live version of their plugin or theme using a live WordPress Playground site embedded inside their actual site. That’s highly useful for their future customers – even if they have no clue about what Playground is.”

I followed up with a question asking how he would describe Playground to someone who uses WordPress but doesn’t dabble in the development part.

Adam Zieliński:

“Playground is a version of WordPress that runs directly on your device, not on a webhost. You can open Playground on your phone, turn off the internet, and continue using it.”

I next asked if it’s useful for migrating to a new template or testing plugin updates.

Adam Zieliński:

“Absolutely. You can clone your site using the Playground WordPress plugin and try the new template or the updated plugin there first without risking breaking your production site. That plugin also adds a “preview now” button to the plugins search in wp-admin so you can “try them on” before committing to installing one on your live site.”

Zieliński next recommended the following resources to view and read more about Playground:

WordPress Playground: the ultimate learning, testing, & teaching tool for WordPress

How to use WordPress Playground for interactive demos

How to start using WordPress Playground

Does Playground help regular WordPress users become familiar with developing sites themselves, is it a hands-on way to learn how to use WordPress?

Adam Zieliński:

“Playground makes a great learning tool. You can just hop on playground.wordpress.net and start exploring WordPress, whether that means creating your first post or installing fifteen plugins and building an entire site.

The experience is very self-guided today, which is useful in classes, workshops and meetups where an instructor can give you directions.

We’re also exploring interactive and guided tutorials. Imagine visiting WordPress.org, clicking on, say, “I want to build my first WordPress site”, and getting clear directions and an interactive WordPress site to work on. That’s what we’re building towards.

And this doesn’t have to be a distant future. Anyone can start creating these interactive learning experiences today with the Playground Block – it’s a single-click way of embedding Playground in your WordPress content. You can play with that block right now if you go to the plugin page and click the Live Preview button. Oh, and that live preview? It’s also powered by WordPress Playground!”

Is Playground compatible with popular WordPress website builders?

Adam Zieliński:

“I haven’t tested Divi. Elementor mostly works, although there’s a technical issue in the onboarding flow that needs to be fixed in Elementor before it’s fully functional.”

Playground has a feature called Blueprints, which are configuration files. I asked Adam how he would describe Blueprints and how they are useful to users.

Adam Zieliński:

“Blueprints are guidelines for Playground on how to create the WordPress site for you.

Blueprints are also like puzzle pieces. In fact, at WCEU 2024, you’ll build real WordPress sites with physical puzzle pieces. We’ve printed puzzle pieces representing site configuration steps like installing a plugin or changing the site name and attendees will be able to collect and scan them with an app that will load Playground with the configuration (Blueprint) they put together.

See also: What are Blueprints, and what can you do with them?

About the usefulness of Blueprints – there are two sides to that. You can either use a Playground site created based on an existing Blueprint, or you can create a new Blueprint.

If you just want to enjoy Playground-based tools, you don’t even need to know what Blueprints are. All you’ll experience is a button that opens a WordPress site preconfigured to do anything at all. It could help you test a theme, contribute a documentation page, or even build a slide deck and export it to PDF.

If you want to build new Blueprints, today you need to get your hands dirty and write some JSON code. Blueprints 101 and Technical Introduction to Playground will walk you through the steps and you can also preview the examples in the Blueprints Gallery. It’s worth noting we’re working on a visual tool where you’ll be able to just assemble these steps like puzzle pieces without any coding knowledge.”

Is this a way to create a site and then save or share the demo?

Adam Zieliński:

“Yes! Playground sites are temporary by default but there are many ways to save and share them. On playground.wordpress.net there’s a settings button where you can tell Playground to save your site in your web browser. Once you do that and refresh the page, you’ll return right to your site. You can also synchronize the site with a directory on your computer and all the Playground changes will show up there. Then you can also export your site as a zip file or to GitHub.

There are two ways of sharing a site with others.

The first one is to create a Blueprint – so write down all the step by step instructions for Playground to recreate that site. You could then include that Blueprint in a link and share it with the world.

Blueprints are powerful but not always convenient, so there’s also a second way. A Playground site can be exported as a zip file. You can host that zip file, for example on GitHub, and create a Playground link to load it.”

Someone from the WordPress developer community passed this question along:

“Site builders often have one or more “starter sites”, which seem to squarely line up with blueprints, though they usually include premium themes and plugins. Drupal has “Distributions,” which are basically pre-configured starter sites often with a niche focus.

Imagine a preconfigured install of core, a theme, a membership plugin, and payment setup (waiting for gateway API keys). If you want a membership site then just install this and start adding content. Or a preconfigured help desk system and so on.

So, I’m wondering if the vision is that Blueprints will provide something similar?”

Adam Zieliński:

“Blueprints enable just that. Live previews in the WordPress plugin directory are an example – every time you get an identical site pre-configured for a particular plugin. It always installs a fresh WordPress and the latest versions of all the co-existing plugins and themes. You can prepare a Blueprint for your particular setup and work with it in the browser, or you can also use the Playground CLI tool to work with these starter sites on your local computer. We’re building a PHP library to enable webhosts to support Blueprints – template sites may then become a common feature in the WordPress hosting landscape.”

WordPress Playground

A playground is a place that is designed for and encourages activities. That’s exactly what WordPress Playground is about. Anyone who uses WordPress should give Playground a try or at the very least become familiar with it because knowledge broadens perspectives, aids in problem solving, and makes one a more effective competitor and business person.


WordPress Releases Way To Build Sites On A Windows Desktop

Last month WordPress released a way to create or test WordPress sites on the desktop but the app was limited to Apple Mac devices. This month WordPress announces that WordPress Studio is now available for Microsoft Windows.

According to WordPress, Microsoft Windows users account for over 25% of WordPress developers. But it’s possible that non-developers who use WordPress for their websites may account for many more people who use WordPress and would like to learn how to create with it.

WordPress Studio is an easy to use development platform that will help developers who use Microsoft Windows as well as non-developers who want to learn how to use WordPress without messing anything up on a live website.

The official WordPress announcement explained:

“We recently launched Studio, our free and open source local WordPress development environment, for MacOS, and we’re happy to share that the Windows version of Studio is now available!

As a reminder, we’ve built Studio to be the fastest and simplest way to build WordPress sites locally.”

Local WordPress Development

Local development is a way to work on a website from the desktop (locally) as opposed to working on the site on a webhost. There are many reasons to work on a website locally, with convenience being at the top of the list. A second reason local development is popular is that working on a website in a desktop environment makes it unlikely that a mistake will reach the public site and cause unintended ranking consequences for the version that’s live on the web.

A third reason for local development is that it’s cheaper, faster and for those with less development skills, it’s generally easier than creating an online testing site for the purpose of testing new plugins to verify they won’t break a site or simply for creating a demo site for sharing with a client or a team.

Until now, the downside of local development has been that many of the most popular local development platforms have a steep learning curve, which is inconvenient for publishers and SMBs who don’t have the time to devote to learning yet another skill. I know about the learning curve because I’ve used a few local development platforms in the past.

WordPress Studio

WordPress has now released a solution to the problem of local WordPress development that’s specific to WordPress and makes it easier for WordPress users to test, develop and learn how to become more comfortable with WordPress. It’s easy to break a WordPress site and until now there was never an easy way to test WordPress plugins without additional expense or to just plain old learn how to use WordPress.

WordPress lists the following benefits:

  • Demo sites
    Forget Ngrok-like tunnels—share interactive snapshots of your local sites with clients or colleagues, powered by WordPress.com.
  • Superfast WordPress installation
    Regardless of how many sites you’re working on, you can create unlimited local sites in Studio.
  • Dependency-free building
    Build lightweight and reliable local WordPress sites, powered by WordPress Playground, without the hassle of Docker, NGINX, Apache, or MySQL.
  • One-click admin
    Spend less time wrangling passwords—open WP Admin for each site with just one click.
  • Open your site anywhere
    Develop your sites your way. Open your site’s code in your favorite IDE, CLI, or file browser to fit your workflow.
  • Built by the biggest contributor to WordPress core
    With 109 active contributors, we know WordPress inside and out.

Create And Share A Demo Site

One of the fantastic features of WordPress Studio is the ability to share your demo sites with others on your team or with clients, to get feedback and iteratively improve the website. A user first needs to create a WordPress.com account and connect the local Studio desktop app to the WordPress account. Users are able to host five demo sites for free on a temporary domain (WP.build). Free demo sites last for 7 days after the last update to the demo site so if you need it to stay longer just update the demo site.

All demo sites can be manually deleted from the hosted demo and also on the desktop.

Screenshot Of How To Delete A Website In Studio

Support For Exporting A Theme

The WordPress Studio local development environment has the functionality for exporting a theme. Users can create a theme on their desktop environment and then select to export the theme. The Studio app will export the theme as a zip file which can then be uploaded to a live site (or a staging environment) online.

Full instructions on how to use Studio are available on WordPress.com. Judging by the instructions, Studio appears to be a lot easier to use than other local development solutions, which in general are made to accommodate a wide range of websites, not just WordPress sites. The learning curve appears to be relatively gentle compared to other local development environments.

Read more about the Windows version of WordPress Studio:

Studio: Now Available for Windows

Download a Windows or Mac version of Studio, both versions are free:

Build Fast, Ship Faster with Studio

New WordPress Plugin Solves Site Navigation Problem

Joost de Valk, the creator of the Yoast SEO plugin, has created a new (and free) plugin for solving a site architecture problem that can silently diminish a website’s ability to rank.

Site Architecture

Site architecture is an important SEO factor because a well-organized website with clear navigation helps users quickly get to the content and products they’re looking for. Along the way it also helps Google find the most important pages and rank them.

The normal and common sense way to organize a website is by topic categories. While some newbie-SEOs believe that organizing a site by topic is an SEO strategy, it’s really just plain old common sense. Organizing a site by topic categories organizes a site in a way that makes it easy to drill-down and find specific things.

Tags: Contextual Site Navigation

Another way to organize a website is through contextual navigation. Contextual navigation is a way to offer a site visitor links to more webpages that are relevant to the webpage and to their interests in the moment. The way to provide a contextual link is through the concept of Tags. Tags are strongly relevant links to content that site visitors may find interesting.

For example, if someone is on a webpage about a new song by a pop star, they may in that moment be interested in reading more articles about that singer. A publisher can create a tag which links to a page that collects every article about that specific pop singer. Ordinarily it doesn’t make sense to create an entire category for hundreds of musical artists because that would defeat the purpose of a hierarchical site navigation (which is to make it easy to find content).

Tags solve the problem of making it easy to navigate to more content that one site visitor is specifically interested in at that moment. It’s contextually relevant navigation.

Too Many Good Things Isn’t Always Good

Creating a long-range plan for organizing a website can be undone by time as a website grows and trends wane. An artist that was trending several years ago may have dropped out of favor (as they often do) and people lose interest. But those tags remain, linking to content that isn’t important anymore, defeating the purpose of internal site navigation, which is to link to the most important content.

Joost de Valk researched a (very small) sample of WordPress sites and discovered that about two thirds of the websites contained overlapping tags, multiple tags linking to the same content while also generating thin content pages, which are webpages with little value.

A blog post sharing his findings noted:

“Tags are not used correctly in WordPress. Approximately two-thirds of WordPress websites using tags are using (way) too many tags. This has significant consequences for a site’s chances in the search engines – especially if the site is large. WordPress websites use too many tags, often forget to display them on their site, and the tag pages do not contain any unique content.”

The sample size was small and a reasonable argument can be made that his findings aren’t representative of most WordPress sites. But the fact remains that websites can be burdened by overlapping and outdated tags.

Here are the three main tag navigation problems that Joost identified:

1. Too Many Tags
He found that some publishers add a tag to an article with the expectation that they will add more articles to that tag when those articles are written, which in many cases doesn’t happen, resulting in tags that link to just a few articles, sometimes only to one article.

2. Some Themes Are Missing The Tag Functionality
The next issue happens when websites upgrade to a new theme (or a new version of a theme) that doesn’t have the tag functionality. This creates orphaned tag pages, pages that site visitors can’t reach because the links to those tag pages are missing. But because those pages still exist the search engines will find them through the autogenerated XML sitemaps.

3. Tag Pages Can Become Thin Content
The third issue is that many publishers don’t take the time to add meaningful content to tag pages; they’re just pages of links with article excerpts that are also reproduced on category pages.

Use Fewer Tags

This is where Joost de Valk’s new WordPress plugin comes in handy. It automatically removes tags that aren’t linking to enough pages, which helps to normalize internal linking. The new plugin is called the Fewer Tags WordPress Plugin. There’s a free version and a paid Pro version.

The free version of the plugin works automatically to remove all tag pages that contain fewer than ten posts, which can be adjusted to remove pages with five posts or fewer.

Added functionality of the Pro version allows greater control over tag management so that a publisher can merge tag pages, automatically create redirects or send a 404 Page Not Found server response.

This is the list of benefits for the Pro version:

  • “Merge & delete unneeded tag pages quickly & easily.
  • Creates redirects for removed tag pages on the fly, in your SEO plugin of choice.
  • Includes an online course in which Joost explains what you should do!
  • Fix a site’s tag issues long-term!
  • Uninstall the plugin when you’re done!”

Where To Download Fewer Tags Plugin

The free version of the plugin can be downloaded here:

Fewer Tags Free By Joost de Valk

Read more about the Pro version here.

Featured Image by Shutterstock/Simple Line

WP Rocket WordPress Plugin Now Optimizes LCP Core Web Vitals Metric via @sejournal, @martinibuster

WP Rocket, the WordPress page speed performance plugin, just announced the release of a new version that will help publishers optimize for Largest Contentful Paint (LCP), an important Core Web Vitals metric.

Largest Contentful Paint (LCP)

LCP is a page speed metric designed to show how long it takes for a user to perceive that the page is loaded and ready to be interacted with. It measures the time it takes for the main content elements to fully load, which gives an idea of how usable a webpage is. The faster the LCP, the better the user experience will be.

WP Rocket 3.16

WP Rocket is a caching plugin that helps a site perform faster. The way page caching generally works is that the website will store frequently accessed webpages and resources so that when someone visits the page the website doesn’t have to fetch the data from the database, which takes time, but instead will serve the webpage from the cache. This is super important when a website has a lot of site visitors because that can use a lot of server resources to fetch and build the same website over and over for every visitor.

The latest version of WP Rocket (3.16) now contains Automatic LCP optimization, which means that it will optimize the on-page elements from the main content so that they are served first, thereby raising the LCP scores and providing a better user experience.

Because it’s automatic there’s really nothing to fiddle around with or fine tune.

According to WP Rocket:

  • “Automatic LCP Optimization: Optimizes the Largest Contentful Paint, a critical metric for website speed, automatically enhancing overall PageSpeed scores.
  • Smart Management of Above-the-Fold Images: Automatically detects and prioritizes critical above-the-fold images, loading them immediately to improve user experience and performance metrics.

All new functionalities operate seamlessly in the background, requiring no direct intervention from the user. Upon installing or upgrading to WP Rocket 3.16, these optimizations are automatically enabled, though customization options remain accessible for those who prefer manual control.”

Read the official announcement:

WP Rocket 3.16: Improving LCP and PageSpeed Score Automatically

Featured Image by Shutterstock/ICONMAN66

WordPress 6.5 Enhances SEO With ‘Lastmod’ Support via @sejournal, @MattGSouthern

WordPress has rolled out an update with version 6.5, introducing native support for the lastmod element in sitemaps.

This move streamlines search engine crawl efficiency, potentially enhancing website visibility.

The announcement comes from Gary Illyes, a member of Google’s Search Relations team, who took to LinkedIn to commend the WordPress developer community for their efforts.

The Lastmod Element: A Key Signal for Crawlers

The lastmod metadata tag indicates the last significant modification date of a webpage, enabling search engine crawlers to prioritize and schedule crawls.

In Illyes’ words:

“The lastmod element in sitemaps is a signal that can help crawlers figure out how often to crawl your pages.”

By natively populating the lastmod field, WordPress 6.5 lets websites improve SEO efforts without additional manual configuration.

Illyes emphasizes that a “significant” change refers to updates that might matter to users and, consequently, to the website’s performance.

WordPress Community Collaboration

Lastmod support in WordPress 6.5 is possible due to the collaborative efforts of the developer community, spearheaded by Pascal Birchler.

Illyes acknowledged and praised their contributions, stating,

“If you’re on WordPress, since version 6.5, you have this field natively populated for you thanks to Pascal Birchler and the WordPress developer community.”

While applauding the new feature, Illyes urges website owners to upgrade their WordPress installations to take advantage of the lastmod support.

He adds:

“If you’re holding back on upgrading your WordPress installation, please bite the bullet and just do it (maybe once there are no plugin conflicts).”

As WordPress evolves, this update displays the platform’s commitment to complying with SEO best practices and providing users with needed tools.


FAQ

What is the significance of the lastmod element in sitemaps?

The lastmod metadata tag signifies the most recent modification date of a webpage. This information allows search engine crawlers to prioritize and schedule page crawls efficiently.

By indicating the latest updates, the lastmod tag helps search engines focus on the most current content, potentially improving a site’s visibility in search results.

How does WordPress 6.5 support the lastmod element?

With the release of WordPress 6.5, native support for the lastmod element in sitemaps is now available. This means that WordPress automatically includes this metadata in sitemaps without requiring additional manual configuration by the user.

This enhancement helps website owners improve their SEO efforts seamlessly by ensuring search engines receive accurate and updated information about their webpages.

Why should website owners upgrade to WordPress 6.5?

Website owners are encouraged to upgrade to WordPress 6.5 to use native lastmod support.

Upgrading ensures compatibility with the latest SEO practices and tools, providing users with a more effective and user-friendly platform. However, it is recommended to ensure no plugin conflicts before upgrading.


Featured Image: photosince/Shutterstock

Top 15 Ways To Secure A WordPress Site via @sejournal, @inmotionhosting

Thankfully, there are plenty of steps you can take to protect your WordPress website.

Easy WordPress Security Basics

When setting up your WordPress site security, there are some basic things you can do to beef up your protection.

Below, we will take a look at some of the first things you should do to help protect your website.

1. Implement SSL Certificates

Secure Sockets Layer (SSL) certificates are a standard technology that establishes an encrypted connection between a web server (host) and a web browser (client). This connection ensures all data passed between the two remains private and intact.

SSL certificates are an industry-standard used by millions of websites to protect their online transactions with their customers, and obtaining one should be one of the first steps you take to secure your website.

2. Require & Use Strong Passwords

Along with obtaining an SSL certificate, one of the very first things you can do to protect your site is use strong passwords for all your logins.

It might be tempting to create or reuse a familiar or easy-to-remember password, but doing so puts both you and your website at risk. Improving your password strength and security decreases your chances of being hacked. The stronger your password, the less likely you are to be a victim of a cyberattack.

When creating a password, there are some general password best practices you should follow.

If you aren’t sure whether you are using a strong enough password, you can check the strength of one by using a free tool like this helpful Password Strength Checker.

3. Install A Security Plugin

WordPress plugins are a great way to quickly add useful features to your website, and there are several great security plugins available.

Installing a security plugin can add some extra layers of protection to your website without requiring much effort.

To get you started, check out this list of recommended WordPress security plugins.

4. Keep WordPress Core Files Updated

As of 2024, there are an estimated 1.09 billion total websites on the web with more than 810 million of those sites using WordPress.

Because of its popularity, WordPress websites are oftentimes a target for hackers, malware attacks, and data thieves.

Keeping your WordPress installation up to date at all times is critical to maintain the security and stability of your site.

Every time a WordPress security vulnerability is reported, the core team starts working to release an update that fixes the issue.

If you aren’t updating your WordPress website, then you are likely using a version of WordPress that has known vulnerabilities.

There is especially no excuse for using an outdated version of WordPress since the introduction of automatic updates.

Don’t leave yourself open to attack by using an old version of WordPress. Turn on auto updates and forget about it.

If you would like an even easier way to handle updates, consider a Managed WordPress solution that has auto updates built in.

5. Pay Attention To Themes & Plugins

Keeping WordPress updated ensures your core files are in check, but there are other areas where WordPress is vulnerable that core updates might not protect, such as your themes and plugins.

For starters, only ever install plugins and themes from trusted developers. If a plugin or theme wasn’t developed by a credible source, you are probably safer not using it.

On top of that, make sure to update WordPress plugins and themes. Just like an outdated version of WordPress, using outdated plugins and themes makes your website more vulnerable to attack.

6. Run Frequent Website Backups

One way to protect your WordPress website is to always have a current backup of your site and important files.

The last thing you want is for something to happen to your site when you do not have a backup.

Back up your site, and do so often. That way, if something does happen to your website, you can quickly restore a previous version of it and get back up and running.

Intermediate WordPress Security Measures That Add More Protection

If you’ve completed all the basics but you still want to do more to protect your website, there are some more advanced steps you can take to bolster your security.

Let’s take a look at what you should do next.

7. Never Use The “Admin” Username

Never use the “admin” username. Doing so makes you susceptible to brute force attacks and social engineering scams.

Because “admin” is such a common username, it is easily guessed and makes it much easier for scammers to trick people into giving away their login credentials.

Much like having a strong password, using a unique username for your logins is a good idea because it makes it much harder for hackers to crack your login info.

If you are currently using the “admin” username, change your WordPress admin username.

8. Hide Your WP Admin Login Page

On top of using a unique username, another thing you can do to protect your login credentials is hide your WordPress admin login page with a plugin like WPS Hide Login.

By default, a majority of WordPress login pages can be accessed by adding “/wp-admin” or “/wp-login.php” to the end of a URL. Once a hacker or scammer has identified your login page, they can then attempt to guess your username and password in order to access your Admin Dashboard.

Hiding your WordPress login page is a good way to make you a less easy target.

9. Disable XML-RPC

WordPress uses an implementation of the XML-RPC protocol to extend functionality to software clients.

Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common entry points that attackers exploit.

That’s why it’s a good idea to disable it. Thanks to the Wordfence Security plugin, it is really easy to do just that.
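Items 7, 8 and 9 all guard the same two endpoints: the default login page and xmlrpc.php. As an added example that is not part of the article, the following Python detector scans web server access log lines (combined format) and flags clients that repeatedly POST to those endpoints, which is what a password-guessing tool looks like from the server side. The log lines are constructed and the threshold of 10 is an assumed value.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log format, e.g.
# 203.0.113.5 - - [02/May/2024:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The endpoints items 8 and 9 of the article are about.
WATCHED_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_auth_attempts(lines):
    """Count POST requests per (client IP, watched path).

    GETs are ignored on purpose: a human loading the login form is one GET followed
    by one POST, whereas a guessing tool issues many POSTs and rarely renders the form.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # unparsable line: skip it rather than crash on odd input
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if rec["method"] == "POST" and path in WATCHED_PATHS:
            counts[(rec["ip"], path)] += 1
    return dict(counts)


def flag_brute_force(lines, threshold=10):
    """Return (ip, path, attempts) tuples at or above the threshold, busiest client first."""
    hits = [(ip, path, n) for (ip, path), n in count_auth_attempts(lines).items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample (documentation IP ranges): one client hammering wp-login.php,
# one probing xmlrpc.php, and one ordinary visitor logging in once.
SAMPLE_LOG = (
    ['203.0.113.5 - - [02/May/2024:10:15:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "python-requests/2.31"' % i
     for i in range(12)]
    + ['198.51.100.7 - - [02/May/2024:10:16:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"' % i
       for i in range(10)]
    + ['192.0.2.9 - - [02/May/2024:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"',
       '192.0.2.9 - - [02/May/2024:10:17:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, path, n in flag_brute_force(SAMPLE_LOG):
        print(f"{ip} made {n} POSTs to {path}")
```

Hiding the login page or disabling XML-RPC (items 8 and 9) removes the targets; a check like this tells you whether anyone was hitting them before you did.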

10. Harden wp-config.php File

The process of adding extra security features to your WordPress site is sometimes known as “hardening” because you are essentially giving your site some extra armor against hackers.

You can “harden” your website by protecting your wp-config.php file via your .htaccess file. Your WordPress wp-config.php file contains very sensitive information about your WordPress installation including your WordPress security keys and the WordPress database connection details, which is exactly why you don’t want it to be easy to access.

11. Run A Security Scanning Tool

Sometimes your WordPress website might have a vulnerability that you had no idea existed. That’s why it’s wise to use some tools that can find vulnerabilities and even fix them for you.

The WPScan plugin scans for known vulnerabilities in WordPress core files, plugins and themes. The plugin also notifies you by email when new security vulnerabilities are found.

Strengthen Your Server-Side Security

So you have taken all the above measures to protect your website but you still want to know if there is more you can do to make it as secure as possible.

The remaining actions you can take to beef up your security will need to be done on the server side of your website.

12. Look For A Hosting Company That Does This

One of the best things you can do to protect your site from the very get-go is to choose the right hosting company to host your WordPress website.

When looking for a hosting company, you want to find one that is fast, reliable, and secure, and will support you with great customer service.

That means they should have good, powerful resources, maintain an uptime of at least 99.5%, and use server-level security tactics.

If a host can’t check those basic boxes, they are not worth your time or money.

13. Use The Latest PHP Version

Like old versions of WordPress, outdated versions of PHP are no longer safe to use.

If you aren’t on the latest version of PHP, upgrade your PHP version to protect yourself from attack.

14. Host On A Fully-Isolated Server

Fully-isolated virtual private servers have a lot of advantages and one of those advantages is increased security.

The physical isolation offered by a cloud-based VPS is inherently secure, protecting your website against cross-infection from other customers. Combined with robust firewalls and DDoS protection, your data remains secure against potential threats and vulnerabilities.

Looking for the perfect cloud environment for your WordPress website? Look no further.

With InMotion Hosting’s Platform i, you receive unparalleled security features including managed server updates, real-time security patching, web application firewalls, and DDoS prevention, along with purpose-built high-availability servers optimized for fast and reliable WordPress sites.

15. Use A Web Application Firewall

One of the final things you can do to add extra security measures to your WordPress website is use a web application firewall (WAF).

A WAF is usually a cloud-based security system that offers another layer of protection around your site. Think of it as a gateway for your site. It blocks all hacking attempts and filters out other malicious types of traffic like distributed denial-of-service (DDoS) attacks or spammers.

WAFs usually require monthly subscription fees, but adding one is worth the cost if you place a premium on your WordPress website security.

Make Sure Your Website & Business Is Safe & Secure

If your website is not secure, you could be leaving yourself open to a cyber attack.

Thankfully, securing a WordPress site doesn’t require too much technical knowledge as long as you have the right tools and hosting plan to fit your needs.

Instead of waiting to respond to threats once they happen, you should proactively secure your website to prevent security issues.

That way if someone does target your website, you are prepared to mitigate the risk and go about your business as usual instead of scrambling to locate a recent backup.

Get Managed WordPress Hosting featuring robust security measures on high-performance servers, complete with free SSL, dedicated IP address, automatic server updates, DDoS protection, and included WAF.

Learn more about how Managed WordPress Hosting can help protect your website and valuable data from exposure to hackers and scammers.

What To Know About Medium-Level WordPress Vulnerabilities via @sejournal, @martinibuster

The majority of WordPress vulnerabilities, about 67% of those discovered in 2023, are rated as medium level. Because they’re the most common, it makes sense to understand what they are and when they represent an actual security threat. These are the facts you should know about those kinds of vulnerabilities.

What Is A Medium Level Vulnerability?

A spokesperson from WPScan, a WordPress security scanning company owned by Automattic, explained that they use the Common Vulnerability Scoring System (CVSS scores) to rate the severity of a threat. The scores are based on a numbering system from 1 – 10 and ratings of low, medium, high, and critical.

The WPScan spokesperson explained:

“We don’t flag levels as the chance of happening, but the severity of the vulnerability based on FIRST’s CVSS framework. Speaking broadly, a medium-level severity score means either the vulnerability is hard to exploit (e.g., SQL Injection that requires a highly privileged account) or the attacker doesn’t gain much from a successful attack (e.g., an unauthenticated user can get the content of private blog posts).

We generally don’t see them being used as much in large-scale attacks because they are less useful than higher severity vulnerabilities and harder to automate. However, they could be useful in more targeted attacks, for example, when a privileged user account has already been compromised, or an attacker knows that some private content contains sensitive information that is useful to them.

We would always recommend upgrading vulnerable extensions as soon as possible. Still, if the severity is medium, then there is less urgency to do so, as the site is less likely to be the victim of a large-scale automated attack.

An untrained user may find the report a bit hard to digest. We did our best to make it as suitable as possible for all audiences, but I understand it’d be impossible to cover everyone without making it too boring or long. And the same can happen to the reported vulnerability. The user consuming the feed would need some basic knowledge of their website setup to consider which vulnerability needs immediate attention and which one can be handled by the WAF, for example.

If the user knows, for example, that their site doesn’t allow users to subscribe to it, all reports of subscriber+ vulnerabilities, independent of the severity level, can be reconsidered, assuming that the user maintains a constant review of the site’s user base.

The same goes for contributor+ reports or even administrator levels. If the person maintains a small network of WordPress sites, the admin+ vulnerabilities are interesting for them since a compromised administrator of one of the sites can be used to attack the super admin.”

Contributor-Level Vulnerabilities

Many medium severity vulnerabilities require contributor-level access. A contributor is an access role that gives that registered user the ability to write and submit content, although in general they don’t have the ability to publish it.

Most websites don’t have to worry about security threats that require contributor level authentication because most sites don’t offer that level of access.

Chloe Chamberland, Threat Intelligence Lead at Wordfence, explained that most site owners shouldn’t worry about medium level severity vulnerabilities that require contributor-level access in order to exploit them because most WordPress sites don’t offer that permission level. She also noted that these kinds of vulnerabilities are hard to scale because exploiting them is difficult to automate.

Chloe explained:

“For most site owners, vulnerabilities that require contributor-level access and above to exploit are something they do not need to worry about. This is because most sites do not allow contributor-level registration and most sites do not have contributors on their site.

In addition, most WordPress attacks are automated and are looking for easy to exploit high value returns so vulnerabilities like this are unlikely to be targeted by most WordPress threat actors.”

Website Publishers That Should Worry

Chloe also said that publishers who do offer contributor-level permissions may have several reasons to be concerned about these kinds of exploits:

“The concern with exploits that require contributor-level access to exploit arises when site owners allow contributor-level registration, have contributors with weak passwords, or the site has another plugin/theme installed with a vulnerability that allows contributor-level access in some way and the attacker really wants in on your website.

If an attacker can get their hands on one of these accounts, and a contributor-level vulnerability exists, then they may be provided with the opportunity to escalate their privileges and do real damage to the victim. Let’s take a contributor-level Cross-Site Scripting vulnerability for example.

Due to the nature of contributor-level access, an administrator would be highly likely to preview the post for review at which point any injected JavaScript would execute – this means the attacker would have a relatively high chance of success due to the admin previewing the post for publication.

As with any Cross-Site Scripting vulnerability, this can be leveraged to add a new administrative user account, inject backdoors, and essentially do anything a site administrator could do. If a serious attacker has access to a contributor-level account and no other trivial way to elevate their privileges, then they’d likely leverage that contributor-level Cross-Site Scripting to gain further access. As previously mentioned, you likely won’t see that level of sophistication targeting the vast majority of WordPress sites, so it’s really high value sites that need to be concerned with these issues.

In conclusion, while I don’t think a vast majority of site owners need to worry about contributor-level vulnerabilities, it’s still important to take them seriously if you allow user registration at that level on your site, you don’t enforce unique strong user passwords, and/or you have a high value WordPress website.”
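The WPScan quote above describes triaging a vulnerability feed against what you know about your own user base (which roles exist, whether registration is open, whether the site is part of a network), and Chloe Chamberland adds the high-value-site caveat for contributor-level bugs. As an added example that is not part of the article or of either company’s tooling, here is that reasoning as a small Python triage function; the plugin names and advisories in the sample feed are constructed placeholders, and the three priority labels are my own.

```python
from dataclasses import dataclass, field

# WordPress built-in roles ordered by privilege. A report saying "contributor+"
# means the attacker needs a contributor account or any role above it.
ROLE_RANK = {"unauthenticated": 0, "subscriber": 1, "contributor": 2,
             "author": 3, "editor": 4, "administrator": 5}


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score (0-10) to FIRST's qualitative rating bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"


@dataclass
class SiteProfile:
    """What the owner knows about their own site (the 'basic knowledge' WPScan refers to)."""
    roles_in_use: set = field(default_factory=set)  # roles held by accounts other than the owner
    open_registration: bool = False  # anyone can self-register (WordPress default role: subscriber)
    multisite: bool = False          # part of a network with a super admin
    high_value: bool = False         # worth a targeted, manual attack (Wordfence's caveat)


@dataclass
class Vuln:
    plugin: str
    kind: str
    required_role: str  # lowest role needed to exploit, as stated in the advisory
    cvss: float


def triage(v: Vuln, site: SiteProfile) -> tuple:
    """Return (priority, reason). 'urgent' = patch now; 'scheduled' = patch in the normal
    update cycle; 'monitor' = the precondition is absent here, re-check when the user base changes."""
    need = ROLE_RANK[v.required_role]
    rating = cvss_rating(v.cvss)
    present = {ROLE_RANK[r] for r in site.roles_in_use}
    if site.open_registration:
        present.add(ROLE_RANK["subscriber"])
    # Unauthenticated bugs are the ones picked up by large-scale automated attacks.
    if need == 0:
        return ("urgent" if rating in ("critical", "high") else "scheduled", f"unauthenticated, {rating}")
    # Admin-only bugs matter mainly when a compromised site admin could pivot to a super admin.
    if v.required_role == "administrator":
        if site.multisite:
            return ("scheduled", "multisite: a compromised site admin could reach the super admin")
        return ("monitor", "needs an admin account, which already has full control of the site")
    if any(r >= need for r in present):
        if rating in ("critical", "high") or site.high_value:
            return ("urgent", f"{v.required_role}+ accounts exist; {rating} or high-value site")
        return ("scheduled", f"{v.required_role}+ accounts exist ({rating}); hard to automate")
    return ("monitor", f"no {v.required_role}+ accounts on this site; keep reviewing the user base")


def triage_feed(feed, site):
    """Priority per plugin for one site profile."""
    return {v.plugin: triage(v, site)[0] for v in feed}


# Constructed sample feed; plugin names are hypothetical placeholders, not real advisories.
FEED = [
    Vuln("example-forms", "SQL injection", "unauthenticated", 9.8),
    Vuln("example-gallery", "stored XSS", "contributor", 6.4),
    Vuln("example-members", "private post disclosure", "subscriber", 5.3),
    Vuln("example-tools", "arbitrary file upload", "administrator", 7.2),
]

PERSONAL_BLOG = SiteProfile()  # owner is the only account, registration closed
MAGAZINE = SiteProfile(roles_in_use={"contributor", "editor"}, open_registration=True)
NETWORK = SiteProfile(multisite=True)

if __name__ == "__main__":
    for name, site in (("blog", PERSONAL_BLOG), ("magazine", MAGAZINE), ("network", NETWORK)):
        print(name, triage_feed(FEED, site))
```

The same contributor-level XSS lands as "monitor" on the personal blog and "scheduled" on the magazine, which is exactly the distinction both quotes draw.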

Be Aware Of Vulnerabilities

While many of the medium-level vulnerabilities may not be something to worry about, it’s still a good idea to stay informed of them. Security scanners like the free version of WPScan can give a warning when a plugin or theme becomes vulnerable. It’s a good way to have a warning system in place to keep on top of vulnerabilities.

WordPress security plugins like Wordfence offer a proactive security stance that actively blocks automated hacking attacks and can be further tuned by advanced users to block specific bots and user agents. The free version of Wordfence offers significant protection in the form of a firewall and a malware scanner. The paid version offers protection for all vulnerabilities as soon as they’re discovered and before the vulnerability is patched. I use Wordfence on all of my websites and can’t imagine setting up a website without it.

Security is generally not regarded as an SEO issue, but it should be considered as one because failure to secure a site can undo all the hard work done to make a site rank well.

Featured Image by Shutterstock/Juan villa torres