Elementor WordPress Plugin Vulnerability via @sejournal, @martinibuster

A high severity vulnerability was discovered in the Elementor website builder plugin that could allow an attacker to upload files to the website server and execute them. The vulnerability is in the template uploader functionality.

Elementor Unrestricted Upload of File with Dangerous Type Vulnerability

Elementor website builder is a popular WordPress plugin with over 5 million installations. The popularity is driven by its simple to use drag and drop functionality for creating professional looking websites.

The vulnerability discovered in Elementor is rated 8.8/10 and is said to leave websites using Elementor open to Remote Code Execution, whereby an attacker is able to essentially control the affected website and run various commands.

The type of vulnerability is described as an Unrestricted Upload of File with Dangerous Type. In this kind of vulnerability an attacker is able to upload malicious files, which in turn enables the attacker to execute commands on the affected website server.

This kind of issue is generally described in this manner:

“The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.”

Wordfence describes this specific vulnerability:

“The Elementor Website Builder …plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.0 via the template import functionality.

This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.”

Wordfence also indicates that there is no patch to fix this issue and recommends uninstalling Elementor.

“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”

Elementor 3.18.1 Version Update

Elementor released an update to version 3.18.1 today. It is unclear if this patch fixes the vulnerability as the Wordfence site currently states that the vulnerability is unpatched.

The changelog describes this update:

“Fix: Improved code security enforcement in File Upload mechanism”

This is a newly reported vulnerability and the facts may change. Wordfence however warns that hackers are already attacking Elementor websites: its paid version had already blocked eleven hacking attempts at the time the announcement was published.

Read the Wordfence advisory:

Elementor <= 3.18.0 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Critical WordPress Form Plugin Vulnerability Affects Up To +200,000 Installs

Security researchers at Wordfence detailed a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. The vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially malicious PHP backdoors, with the ability to execute these files on the server.

MW WP Form Plugin

The MW WP Form plugin helps to simplify form creation on WordPress websites using a shortcode builder.

It makes it easy for users to create and customize forms with various fields and options.

The plugin has many features, including one that allows file uploads using the [mwform_file name="file"] shortcode for the purpose of data collection. It is this specific feature that is exploitable in this vulnerability.

Unauthenticated Arbitrary File Upload Vulnerability

An Unauthenticated Arbitrary File Upload Vulnerability is a security issue that allows hackers to upload potentially harmful files to a website. Unauthenticated means that the attacker does not need to be registered with the website or hold any user permission level at all.

These kinds of vulnerabilities can lead to remote code execution, where the uploaded files are executed on the server, with the potential to allow the attackers to exploit the website and site visitors.

The Wordfence advisory noted that the plugin has a check for unexpected filetypes but that it doesn’t function as it should.

According to the security researchers:

“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block.

…even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded.

This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
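As an added illustration of the pattern Wordfence describes above (and of the file-type checking at issue in the Elementor advisory), here is a self-contained PHP sketch that is not code from either plugin or from Wordfence: the vulnerable handler throws inside a try block, catches and logs the exception, and then stores the file anyway, while the hardened handler rejects the file before any storage call. All function, constant and variable names are hypothetical.

```php
<?php
// Added example, not code from Elementor, MW WP Form or Wordfence. It contrasts
// the control-flow bug Wordfence describes (a file-type check that throws inside
// a try block, is caught and logged, and then ignored) with a handler that
// refuses the upload. All function, constant and variable names are hypothetical.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/** Returns true only if the file's final extension is on the allow list. */
function is_allowed_file_type(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

/** Simulated storage: records the name instead of writing to disk. */
function store_file(string $filename, array &$stored): string
{
    $stored[] = $filename;
    return $filename;
}

/**
 * Vulnerable pattern: the check itself works and throws for a disallowed type,
 * but the catch block only logs, so execution falls through to store_file().
 */
function vulnerable_upload(string $filename, array &$stored, array &$log): ?string
{
    try {
        if (!is_allowed_file_type($filename)) {
            throw new RuntimeException("Disallowed file type: $filename");
        }
    } catch (RuntimeException $e) {
        $log[] = $e->getMessage();          // logged, then forgotten
    }
    return store_file($filename, $stored);  // still reached after the exception
}

/**
 * Hardened pattern: the check's result decides the outcome, and rejection
 * happens before any storage call. In a WordPress plugin this is also where a
 * capability check and a nonce check belong.
 */
function hardened_upload(string $filename, array &$stored, array &$log): ?string
{
    if (!is_allowed_file_type($filename)) {
        $log[] = "Rejected upload: $filename";
        return null;                        // nothing is written
    }
    return store_file($filename, $stored);
}

// Constructed inputs: one legitimate image and one server-side script.
$inputs = ['photo.png', 'script.php'];

foreach (['vulnerable_upload', 'hardened_upload'] as $handler) {
    $stored = [];
    $log = [];
    foreach ($inputs as $name) {
        $handler($name, $stored, $log);
    }
    printf("%-17s stored: %s | log: %s\n", $handler,
        implode(', ', $stored) ?: '(none)', implode('; ', $log) ?: '(none)');
}
```

Run with the php CLI: the vulnerable handler's log shows the rejection message while its stored list still contains the script, which is exactly the "only logged, while the function continues to run" behaviour the advisory describes.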

There Are Conditions For A Successful Attack

The severity of this threat depends on one condition: the “Saving inquiry data in database” option in the form settings must be enabled for this security gap to be exploitable.

The security advisory notes that the vulnerability is rated critical with a score of 9.8 out of 10.

Actions To Take

Wordfence strongly advises users of the MW WP Form plugin to update their versions of the plugin.

The vulnerability is patched in the latest version of the plugin, version 5.0.2.

The severity of the threat is particularly critical for users who have enabled the “Saving inquiry data in database” option in the form settings, and that is compounded by the fact that no permission level is needed to carry out this attack.

Read the Wordfence advisory:

Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution

Featured Image by Shutterstock/Alexander_P

WordPress AMP Plugin Vulnerability Affects Up To 100,000+ Sites

The Accelerated Mobile Pages WordPress plugin, with over 100,000 installations, patched a medium severity vulnerability that could allow an attacker to inject malicious scripts that would be executed by website visitors.

Cross-Site Scripting Via Shortcode

Cross-site scripting (XSS) is one of the most frequent kinds of vulnerability. In the context of WordPress plugins, XSS vulnerabilities happen when a plugin has a way to input data that isn’t sufficiently secured by a process that validates or sanitizes user inputs.

Sanitization is a way to block unwanted kinds of input. For example, if a plugin allows a user to add text through an input field, then it should also sanitize anything entered into that field that doesn’t belong there, such as a script or a zip file.

A shortcode is a WordPress feature that allows users to insert a tag that looks like this: [example] within posts and pages. Shortcodes embed functionality or content that is provided by a plugin. This allows users to configure a plugin through an admin panel, then copy and paste a shortcode into a post or page where they want the plugin functionality to appear.

A “cross-site scripting via shortcode” vulnerability is a security flaw that allows an attacker to inject malicious scripts into a website by exploiting the shortcode function of the plugin.

According to a report recently published by the Patchstack WordPress security company:

“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 1.0.89.”

Wordfence describes the vulnerability:

“Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes.”

Wordfence also clarifies that this is an authenticated vulnerability, which for this specific exploit means that a hacker needs at least a contributor permission level in order to take advantage of it.

This exploit is rated by Patchstack as a medium severity level vulnerability, scoring a 6.5 on a scale of 1-10 (with ten being the most severe).
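An added PHP illustration, not code from the Accelerated Mobile Pages plugin, Patchstack or Wordfence, of what “insufficient input sanitization and output escaping on user supplied attributes” looks like in a shortcode handler, placed beside the escaped version. The [notice] shortcode, the function names and the small attribute parser standing in for WordPress’s own shortcode parsing are hypothetical.

```php
<?php
// Added example, not code from the Accelerated Mobile Pages plugin, Patchstack
// or Wordfence. It shows why unescaped user-supplied shortcode attributes
// become stored XSS, and the escaped version. A small stand-in for WordPress's
// shortcode parsing keeps the script runnable with plain php; in a real plugin
// the equivalents are shortcode_atts() for defaults and esc_attr()/esc_html()/
// esc_url() for output. Function names and the [notice] shortcode are hypothetical.

/** Parses [name key="value" ...] into an attribute map (stand-in for WP parsing). */
function parse_shortcode_atts(string $shortcode): array
{
    $atts = [];
    if (preg_match_all('/(\w+)="([^"]*)"/', $shortcode, $m, PREG_SET_ORDER)) {
        foreach ($m as $pair) {
            $atts[$pair[1]] = $pair[2];
        }
    }
    return $atts;
}

/** Allows only http(s) or site-relative links; anything else falls back to '#'. */
function sanitize_link(string $url): string
{
    return preg_match('~^(https?://|/|#)~i', $url) ? $url : '#';
}

/** Vulnerable handler: attribute values are dropped straight into the HTML. */
function render_notice_vulnerable(array $atts): string
{
    $atts += ['title' => 'Notice', 'link' => '#'];   // defaults, like shortcode_atts()
    return '<a class="notice" href="' . $atts['link'] . '">' . $atts['title'] . '</a>';
}

/** Hardened handler: each value is validated and escaped for the context it lands in. */
function render_notice_hardened(array $atts): string
{
    $atts += ['title' => 'Notice', 'link' => '#'];
    // Attribute context: encode quotes so the value cannot close the attribute.
    $link = htmlspecialchars(sanitize_link($atts['link']), ENT_QUOTES, 'UTF-8');
    // Text context: encode <, > and & so the value cannot start a tag.
    $title = htmlspecialchars($atts['title'], ENT_QUOTES, 'UTF-8');
    return '<a class="notice" href="' . $link . '">' . $title . '</a>';
}

// Constructed input: a shortcode as a contributor-level user could save it in a post.
$shortcode = '[notice title="Sale<script>alert(1)</script>" link="/sale"]';
$atts = parse_shortcode_atts($shortcode);

echo 'vulnerable: ', render_notice_vulnerable($atts), "\n";
echo 'hardened:   ', render_notice_hardened($atts), "\n";
```

The vulnerable output contains a live script tag that every visitor's browser would run; the hardened output renders the same characters as harmless text.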

It’s advised that users check their installations to make sure they are patched to at least version 1.0.89.

Read the Patchstack report here:
WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Read the Wordfence announcement here:
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Featured Image by Shutterstock/pedrorsfernandes

WordPress 6.4.1 Maintenance Release Fixes Bugs In Version 6.4

WordPress released a maintenance release on Wednesday evening to fix problems discovered shortly after WordPress 6.4 was released to the public on Tuesday November 7th.

Two of the issues were somewhat serious in that they affected the operation of certain plugins and could cause problems for sites encountering either of them.

The third one was a typo that resulted in a misconfigured notice in the admin panel.

Three Issues Fixed

  1. Typo
  2. Removed code caused backward compatibility issues
  3. Critical bug causes download to fail

Typo In Code – Minor Cosmetic Issue

The typo issue was relatively minor. It affected how a nag screen appeared in the administrator panel, causing it to stretch across the top of the page.

Before and after the fix: screenshots of the admin notice.

Backward Compatibility Bug

This bug was one of those random things that can’t always be accounted for.

What happened is that core contributors removed code that the WordPress core was no longer using, thus it was supposed to be safe to remove.

But… that code was still being used by plugins and because it was now missing, WP 6.4 was apparently causing those plugins to break.

So the fix that is in this maintenance release is to add it back in.

Critical Bug Causing cURL Error

The last fix was for a bug that caused update downloads to fail with an error message saying that the operation timed out: cURL error 28: Operation timed out.

According to the internal WordPress discussion of how to fix this:

“This issue should be critical.

6.4 updated the Requests library version which included a breaking change for anyone running on a host with curl version 7.29 (at least).”

This issue was also another one of those random things. In this case, it involved servers that were using an older and outdated version of the cURL library (cURL 7.29). The latest version of cURL is 8.4.0.

Takeaway

WordPress releases test versions of WordPress for the community to test and report back any errors.

But if nobody experiences them then they show up when the final version is released and that is what happened.

The original WordPress 6.4 version that this new maintenance release updates was codenamed Shirley. The new maintenance release kind of begs to be codenamed Don’t call me Shirley.

Featured Image by Shutterstock/photosince

WordPress 6.4 Crashing Sites Using A Popular Page Builder

Many publishers and developers have been reporting that updating to WordPress 6.4 triggered a fatal error, bringing their websites down. A search for solutions began and within hours developers discovered a bug in the page builder they all used.

Sites Crashing After Updating To 6.4

One of the first reports happened not long after WordPress 6.4, codenamed Shirley, was released.

A post in the private Dynamic WordPress Facebook group alerted members that their WordPress site crashed after updating.

One of the first clues to the problem was that all the crashed sites had the Oxygen page builder installed.

But that wasn’t the only thing users of the Oxygen page builder had in common.

Brenda Malone (LinkedIn profile) discovered that having legacy versions of the default theme present, whether or not they are activated, also caused Oxygen-based sites to crash.

Default themes are the ones that are named like Twenty Twenty One and Twenty Twenty Two.

Even though the old legacy default themes were deactivated, something about their presence while the Oxygen page builder was installed caused the site to crash.

Brenda Malone shared her observation with me:

“It apparently only happens if Oxygen is installed.”

The person who started the discussion in the private group related that he deleted all the older versions of the default theme and the site was restored.

Strange, right?

A solution proposed in the official Oxygen page builder User Group was to activate recovery mode, delete all old legacy themes then install a copy of the newest default theme, Twenty Twenty Four.

Why Did Updating WordPress 6.4 Cause Sites To Crash?

Someone in that Oxygen user group offered a theory that any active theme was loading its default style CSS, which could be responsible for the issues.

He related that he deleted the CSS on their “oxygen bare minimum” theme and the problem went away.

An admin in the official Oxygen Facebook group posted that they are looking into what is causing Oxygen sites to crash.

Featured Image by Shutterstock/Krakenimages.com

WordPress 6.4 Codenamed “Shirley” Released

WordPress 6.4, codenamed Shirley, was released, featuring a new default theme and many incremental but important enhancements that, taken together, make WordPress an easier and more intuitive content management system.

Josepha Haden Chomphosy, Executive Director of WordPress, described WordPress 6.4 best.

She wrote:

“Many of the features and enhancements in WordPress 6.4 fall in the “small but mighty” category.

Along with the adaptable beauty of the Twenty Twenty-Four theme, these updates help content creators and site developers alike save time and effort while delivering the high value, low hassle WordPress experience the world has grown to expect.”

New Default Theme

The latest version of WordPress ships with a new default theme, named Twenty Twenty-Four that contains 35 webpage layouts called patterns.

The thirty-five patterns are full-page layouts that can be used to quickly create webpages.

Screenshot Of A Pattern Bundled With Twenty Twenty Four Theme

A new feature for 6.4 is the ability to categorize the patterns with custom names.

Users can create patterns and then give them meaningful names that make them easy to identify.

Another new patterns feature is a filter that simplifies finding patterns.

These are examples of the small yet important changes that, while incremental, together add up to a better experience.

Enhancements To Writing Experience

WordPress 6.4 contains improvements that make writing smoother and free of friction.

New keyboard shortcuts and other enhancements make it easier to focus on the writing rather than on the interface.

A new toolbar interface for navigation, list and quote blocks is attached to the parent block, which keeps it out of the way yet handy when needed.

The WordPress announcement explained:

“New enhancements ensure your content creation journey is smooth. Find new keyboard shortcuts in List View, smarter list merging, and enhanced control over link settings.

A cohesive toolbar experience for the Navigation, List, and Quote blocks lets you work efficiently with the tooling options you need.”

More New Features

Other features include new design tools, a lightbox that lets site visitors click on and interact with images, the ability to assign custom names to group blocks, new image previews in list view that make image blocks easier to find, and the ability to import and export patterns for use on other sites.

Developer Features

There are useful features for developers like block hooks.

WordPress describes how they will be useful to developers:

“Block Hooks enables developers to automatically insert dynamic blocks at specific content locations, enriching the extensibility of block themes through plugins.

While considered a developer tool, this feature is geared to respect your preferences and gives you complete control to add, dismiss, and customize auto-inserted blocks to your needs.”

100+ Performance Wins

WordPress 6.4 contains over one hundred performance improvements (Read: WordPress 6.4 Release Contains +100 Performance Wins).

These performance improvements are a sign of how important it is to the core developers that each release steadily improves performance.

Reception By The WordPress Community

The general response by the WordPress community is positive.

Andrew Wilder (LinkedIn profile) of WordPress support company NerdPress.net shared:

“Most of the changes I’m seeing for 6.4 aren’t terribly “sexy” — but there are hundreds of smaller improvements that, collectively, will keep WordPress moving forward nicely, so I’m happy to see the progress being made.

The changes to attachment pages will be a big help for SEO. By default, WordPress creates a separate “attachment page” for every media item, which can create hundreds (or thousands!) of useless, “thin content” pages. We still see clients who have these attachment pages but aren’t using them, or even aware that they exist. Particularly with the Helpful Content Updates recently, getting rid of those can really help improve a site’s overall SEO posture.

This update won’t change any existing sites — especially because some sites, like photography sites, may still want them — but new WordPress installations will have those attachment pages disabled by default.”

Katie Keith (LinkedIn profile), CEO of Barn2 Plugins (a plugin development company) was enthusiastic about this release.

Katie observed:

“I’m delighted that the new Twenty Twenty-Four theme has been released as part of WordPress 6.4 because it’s far superior to the last few years’ default themes.

Like other recent themes, it’s a fully accessible block theme – but this time, it has a clean, generic and modern design which will be suitable for a wide range of personal and business websites.

The new image lightboxes in WordPress 6.4 will be really useful, as so many website visitors expect to be able to click on an image to see a bigger version of it.

In fact I’m surprised that this wasn’t already available!

I was pleased to see that WordPress 6.4 has a new option to mark links as nofollow. Previously, you had to do this by switching to code view and adding the nofollow attribute manually, so having an option for this is much more user-friendly.”

Takeaway

WordPress 6.4 doesn’t contain any big flashy features. What it does have is a lot of small improvements that together advance WordPress to a significantly better user experience.

While there are reports of conflicts with the Oxygen Visual Page Builder, the overall reaction is positive with much appreciation to the WordPress core team for another great release.

Read the WordPress announcement:

WordPress 6.4 “Shirley”

Featured Image by Shutterstock/Master1305

How Astra Is Making WordPress The Top Choice For Business

Astra, the makers of the world’s most popular WordPress templates, announced that it is investing in LatePoint, one of the most advanced online booking solutions, and in the process is advancing WordPress as the go-to platform for businesses.

This move brings the powerful scheduling, booking and payment management capabilities of LatePoint to all users, especially those who use Astra.

What Is LatePoint?

LatePoint is a plugin that manages the entire online booking and appointment scheduling lifecycle.

It integrates with six different payment gateways:

  • Braintree
  • Paystack
  • PayPal
  • Razorpay
  • Square
  • Stripe

LatePoint also automates common workflow actions like sending email and SMS reminders, synchronizing with third party calendars and even automatically creating Zoom meetings.

LatePoint supports signups via Facebook and Google and integrates with Twilio. Businesses can even track performance in the admin dashboard where all the functions are viewable.

Businesses ranging from online service providers to hair salons can use LatePoint to book appointments, schedule them, send reminders and collect payments seamlessly from one plugin.

The Astra announcement also lists these capabilities:

“Client database: Maintains a comprehensive client database, providing quick access to client histories, preferences, and contact information for personalized service.

Customizable booking forms: Tailor booking forms to gather specific information from clients, ensuring that appointments are booked with all necessary details.”

LatePoint Is Part Of A Larger Strategy

The closer one looks at what Astra has quietly been doing the clearer it becomes that they are creating a platform within a platform that enables small businesses to automate various processes in order to compete on the same level as much larger organizations.

For example, Astra is behind another WordPress plugin called SureTriggers.

What SureTriggers does is make it easy for small businesses to create event-driven automations between WordPress plugins as well as with third party SaaS.

SureTriggers offers history logs that show what the automations did between the linked plugins and third party SaaS in order to troubleshoot or keep track of what’s going on.

It supports workplace collaboration for creating automated workflows, and it supports custom webhooks and APIs.

SureTriggers even offers the ability to delay an action, conditional logic and filters that help create complex automations.

This is how SureTriggers describes what it does:

“Easily transfer data between your favourite apps and services like Mailchimp, Gmail, HubSpot, etc. Whatever you need to connect, SureTriggers has you covered.

SureTriggers seamlessly integrates with popular WordPress plugins like Gravity Forms, WooCommerce, Elementor, CartFlows, and many more.

Create multi-step automations that seamlessly execute a sequence of different tasks automatically after a specific event occurs, all customized by you.”

Adding the powerful LatePoint scheduling and appointment capabilities into that mix turns WordPress into a remarkably capable business platform that lets a small business perform at a level far higher than was possible as recently as five years ago, without spending a significant amount of money.

And it accomplishes all of this at a price that’s in reach of any small business.

Astra Integrates WordPress With Business

Of special interest is how LatePoint will seamlessly integrate with Astra’s SureCart, making Astra a strong competitor to WooCommerce. Astra also offers Spectra, their easy to use page builder that supports both the classic WordPress editor and the newer Gutenberg blocks.

Taken together, what Astra is doing is making WordPress perform like a dedicated business CMS but with all the benefits of the open source WordPress ecosystem.

Astra has quietly become a leader in extending the capabilities of WordPress in a way that increasingly makes WordPress an attractive choice for small businesses.

Their website templates are used by over 2.5 million websites worldwide, which gives them a huge pool of potential users or recommenders of LatePoint.

But what this investment makes clear is that Astra is quickly becoming the go-to solution for WordPress-based businesses as well as creating viable alternatives to private closed-source content management systems.

The Astra announcement makes no secret of their ambition to make WordPress a strong choice for businesses:

“We are excited to share knowledge, implement our ideas, deploy Brainstorm Force processes and work closely with the LatePoint team.

We can’t wait to bring an enterprise-grade, robust, modern, and reliable appointment and booking solution to the small businesses and larger WordPress community.

One thing that I can’t stress enough is we’re a mission driven organization. Everything we do is designed to unlock the power of the internet for small businesses.”

Tight Integration With Astra Products

Another interesting factor to consider is that Astra is promising tighter integration between their templates and all the other plugins they offer, such as the WooCommerce alternative SureCart and SureTriggers.

SureTriggers is an interesting piece of the Astra suite of business related plugins. SureTriggers enables WordPress users to integrate any other tool or plugin in order to create an automated workflow.

It works by connecting WordPress to hundreds of SaaS apps, automating WordPress plugins so they can work together, and even connecting your different websites and services so that various tasks are automated.

One-Time Payment Pricing Offered For A Limited Time

Astra announced that they will be offering a lifetime payment deal that provides all the benefits of LatePoint with a single-payment lifetime license.

Astra LatePoint Investment

I hadn’t heard of LatePoint until learning of Astra’s investment in it. After researching what Astra has been doing it seems that they have been pursuing a strategy for making WordPress a strong choice for businesses.

Featured image by Shutterstock/NaMong Productions92

Vulnerability In Fluent Forms Contact Form WordPress Plugin

The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to hackers.

Fluent Forms Contact Form Builder

Fluent Forms Contact Form Builder is one of the most popular contact forms for WordPress, with over 300,000 installations.

Its drag-and-drop interface makes creating custom contact forms easy so that users don’t have to learn how to code.

The ability to use the plugin to create virtually any kind of input form makes it a top choice.

Users can leverage the plugin to create subscription forms, payment forms, and forms for creating quizzes.

Plus it integrates with third party applications like MailChimp, Zapier and Slack.

Importantly, it also has a native analytics capability.

This incredible flexibility makes Fluent Forms a top choice because users can accomplish so much with just one plugin.

Input Neutralization

Every plugin that allows site visitors to input data directly into the database, especially a contact form, must process those inputs so that they do not inadvertently allow hackers to enter scripts or SQL commands that let malicious users make unexpected changes.

This particular vulnerability leaves the Fluent Forms plugin open to SQL injection, which is particularly bad if a hacker’s attempt succeeds.

SQL Injection Vulnerability

SQL, which means Structured Query Language, is a language used for interacting with databases.

A SQL query is a command for accessing, changing or organizing data that’s stored in a database.

A database is what contains everything that is used to create a WordPress website, such as passwords, content, themes and plugins.

The database is the heart and brain of a WordPress website.

As a consequence, the ability to arbitrarily “query” a database is an extraordinary level of access that should absolutely not be available to unauthorized users or software outside of the website.

A SQL injection attack is when a malicious attacker is able to use an otherwise legitimate input interface to insert a SQL command that can interact with the database.

The non-profit Open Worldwide Application Security Project (OWASP) describes the devastating consequences of a SQL injection vulnerability:

  • “SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
  • SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
  • The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.”

Improper Neutralization

The United States Vulnerability Database (NVD) published an advisory about the vulnerability that attributed its cause to “improper neutralization.”

Neutralization is a reference to a process of making sure that anything that’s input into an application (like a contact form) will be limited to what is expected and will not allow anything other than what is expected.

Proper neutralization of a contact form means that it won’t allow a SQL command.
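An added PHP illustration, not Fluent Forms or Patchstack code, of what improper versus proper neutralization means for a form-entries query: the vulnerable function splices the submitted value into the SQL text, the hardened one binds it as a parameter. It assumes PDO with the pdo_sqlite extension, and the table, column and function names are hypothetical.

```php
<?php
// Added example, not Fluent Forms or Patchstack code. Shows what "improper
// neutralization of special elements used in an SQL command" means for a
// form-entries lookup, and the prepared-statement version that neutralizes the
// input. Uses an in-memory SQLite database via PDO (assumes the pdo_sqlite
// extension); table, column and function names are hypothetical. In a
// WordPress plugin the prepared form corresponds to $wpdb->prepare().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_entries (id INTEGER PRIMARY KEY, form_id INTEGER, email TEXT, message TEXT)');

// Constructed sample entries for two different forms.
$seed = $db->prepare('INSERT INTO form_entries (form_id, email, message) VALUES (?, ?, ?)');
$seed->execute([1, 'alice@example.com', 'Quote request']);
$seed->execute([1, 'bob@example.com', 'Support question']);
$seed->execute([2, 'carol@example.com', 'Private survey answer']);

/** Vulnerable: the user-supplied email is spliced into the SQL text. */
function find_entries_vulnerable(PDO $db, string $email): array
{
    $sql = "SELECT id, form_id, email FROM form_entries WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: the value travels as a bound parameter, never as SQL syntax. */
function find_entries_hardened(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, form_id, email FROM form_entries WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary address, and a legitimate one containing an
// apostrophe, which is a "special element" in SQL.
foreach (['alice@example.com', "o'brien@example.com"] as $input) {
    try {
        $rows = count(find_entries_vulnerable($db, $input));
        $vulnerable = "$rows row(s)";
    } catch (PDOException $e) {
        // The apostrophe reached the SQL parser: the input changed the query's
        // structure, which is exactly the opening an injection attack uses.
        $vulnerable = 'SQL error (' . $e->getMessage() . ')';
    }
    $hardened = count(find_entries_hardened($db, $input)) . ' row(s)';
    printf("%-22s vulnerable: %s | hardened: %s\n", $input, $vulnerable, $hardened);
}
```

The syntax error from the vulnerable lookup is the tell that input is being interpreted as SQL rather than as data; the prepared statement returns zero rows for the same input without ever parsing it as SQL.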

The United States Vulnerability Database described the vulnerability:

“Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Contact Form – WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.

This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25.”

Patchstack security company discovered and reported the vulnerability to the plugin developers.

According to Patchstack:

“This could allow a malicious actor to directly interact with your database, including but not limited to stealing information.

This vulnerability has been fixed in version 5.0.0.”

Although Patchstack’s advisory states that the vulnerability was fixed in Version 5.0.0, there is no indication of a security fix according to the Fluent Form Contact Form Builder changelog, where changes to the software are routinely logged.

This is the Fluent Forms Contact Form Builder changelog entry for version 5.0.0:

“5.0.0 (DATE: JUNE 22, 2023)

  • Revamped UI and better UX
  • Global Styler Improvement
  • The new framework for faster response
  • Fixed issue with repeater field not appearing correctly on PDF
  • Fixed issue with WPForm Migrator not properly transferring text fields to text input fields with correct maximum text length
  • Fixed issue with entry migration
  • Fixed number format in PDF files
  • Fixed radio field label issue
  • Updated Ajax routes to Rest Routes
  • Updated filter & action hooks naming convention with older hooks support
  • Updated translation strings”

It’s possible that one of those entries is the fix. But some plugin developers want to keep security fixes secret, for whatever reason.

Recommendations:

It’s recommended that users of the contact form update their plugin as soon as possible.

Featured image by Shutterstock/Kues

WordPress 6.4: A sneak peek at what’s coming up

Exciting times are ahead for WordPress users! The upcoming WordPress 6.4 update is on the horizon, and it’s bringing some interesting features and enhancements. WordPress 6.4 is planned to be released on November 7th, 2023. So, what can you expect from this release? From a brand-new theme to make your site shine to several blocks that’ll make editing easier, there’s a lot to look forward to. And that’s not all; imagine showing off your images in a whole new light and enjoying a faster, smoother website. Curious? Let’s have a quick look at what’s coming!

Many fixes and performance improvements

First off, WordPress 6.4 isn’t just about new features; it’s also about polishing the existing ones. This update addresses numerous bugs, enhancing overall performance and stability. Whether you’re a developer or a casual user, these tweaks contribute to a smoother, more reliable WordPress experience.

A new default theme: Twenty Twenty-Four

And say hello to a fresh face: the Twenty Twenty-Four theme. This new addition is all about giving your website a clean and modern look. Whether you’re starting fresh or thinking of a makeover, this theme is something to get excited about!

Highlights of the new theme, image from WordPress

With three different use cases in mind, this theme comes with lots of patterns and templates that help you build pages in a matter of seconds. The use cases that they chose are creating a website as an entrepreneur/small business owner, a photographer/artist, or a writer/blogger. But even if you have a website outside of those use cases, the variety of patterns will most likely offer you a few great options to create engaging and good-looking pages.

A few examples of patterns in the Twenty Twenty-Four theme in WordPress 6.4

Enhancements to blocks

The block editor continues to evolve with improvements that promise a more intuitive building experience. This update introduces background images for group blocks, renaming of group blocks in the list view, and more. These enhancements aim to streamline content creation, allowing you to build rich, dynamic pages and posts with ease.

Users can now also add categories to their block patterns. This is an update to a feature that was added in 6.3, where users can create and save their own block patterns in the editor. Paragraphs, headings, next and previous links and footnotes have a new option for vertical text. This feature has to be enabled by the theme.

Lightbox for images

WordPress 6.4 understands that visuals are at the heart of any good story. With the new lightbox feature, your images can now be viewed in a larger format when people click on the image. Which can help you offer great images without losing too much room and pushing down other content.

Renaming group blocks and more

Organization is key, especially when working with complex page structures. The ability to rename group blocks directly within the list view is a game-changer for site builders, allowing for better management and identification, ultimately leading to a more efficient building process.

Background images for group blocks

Creativity knows no bounds with WordPress 6.4. Now, you can set background images for your group blocks, adding an extra layer of aesthetic appeal to your sections. This feature is perfect for creating visually striking hero sections, banners, or any other segment that needs a touch of creativity.

Adding a background image to a Group block in WordPress 6.4

Attention, developers! Prepare for a slew of tools designed to make your coding life easier. From advanced block hooks to configurable typography controls, WordPress 6.4 is set to boost your development capabilities, offering more flexibility and control in crafting online experiences.

The Advanced link settings panel has a new option: “Mark as nofollow”. To use it, first add a text block, for example a paragraph. Add the link via the block toolbar, select the link again, and click the pen icon to open the options. Next, click the “Advanced” button to open the advanced panel and check the “Mark as nofollow” checkbox.

WordPress 6.4: Coming soon!

WordPress 6.4 is packed with features designed to improve usability, enhance aesthetics, and provide developers with advanced tools. Whether you’re looking to build a more dynamic website or create content effortlessly, the new WordPress is here to make your digital experience better than ever. Like we said, you can expect this update on the 7th of November, so mark that date in your calendar to enjoy all these new features!

Did you know that Yoast has its very own WordPress core team? This group of experts helps make WordPress better. They fix problems, suggest new features, and work with people from all over the world to make the platform easier and more enjoyable for everyone. It’s part of Yoast’s promise to build a stronger, user-friendly internet together!

Read more: WordPress is 20 years old: The CMS that revolutionized the web! »


WordPress LiteSpeed Plugin Vulnerability Affects 4 Million Websites via @sejournal, @martinibuster

The popular LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million websites, allowing hackers to upload malicious scripts.

LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.

Cross-Site Scripting (XSS) Vulnerability

Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.

XSS vulnerabilities are generally a type that takes advantage of a missing security process: data sanitization and escaping.

Sanitization is a technique that filters what kind of files can be uploaded via a legitimate input, like on a contact form.

In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts that they would not otherwise have been able to, had the proper security protocols of sanitizing and escaping data been in place.

The WordPress developer page describes the sanitization security practice:

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

…Sanitizing input is the process of securing/cleaning/filtering input data.”

Another WordPress developer page describes the recommended process of escaping data like this:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”
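To make the sanitization/escaping distinction concrete, here is an added example (my own illustration, not code from LiteSpeed Cache, from Wordfence, or from the WordPress developer pages) of a WordPress shortcode handler in a vulnerable form and a hardened form. The shortcode name `demo_card`, its `title` and `url` attributes, and the sample input are hypothetical. The `function_exists` stand-ins for `esc_html`, `esc_url` and `shortcode_atts` exist only so the file also runs with plain `php` outside WordPress; inside WordPress the real functions are used, and the stand-in `esc_url` is deliberately simpler than the real one.

```php
<?php
// Added example, not the page's or the plugin's own code.
// Stand-ins so the file runs outside WordPress (`php demo.php`); in WordPress
// these names already exist and the real functions take over.
if (!function_exists('esc_html')) {
    // Escape for a text node: same idea as WordPress's esc_html().
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in (assumption): accept only http/https and escape the
    // result. WordPress's real esc_url() is broader but likewise rejects
    // unsafe schemes such as javascript:.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Merge user attributes over the defaults, dropping unknown keys.
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// VULNERABLE (hypothetical): attribute values go straight into the markup.
// Whatever a post author wrote in the shortcode reaches every visitor's browser.
function demo_card_vulnerable($atts) {
    $a = shortcode_atts(['title' => '', 'url' => ''], $atts);
    return '<div class="card"><a href="' . $a['url'] . '">' . $a['title'] . '</a></div>';
}

// HARDENED: each value is escaped for the context it lands in.
// The URL goes through esc_url(); the visible text goes through esc_html().
function demo_card_hardened($atts) {
    $a = shortcode_atts(['title' => '', 'url' => ''], $atts);
    return '<div class="card"><a href="' . esc_url($a['url']) . '">'
        . esc_html($a['title']) . '</a></div>';
}

// Register the safe handler when running inside WordPress.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_card', 'demo_card_hardened');
}

// Constructed sample input (not from the advisory): markup and a non-http
// scheme in attribute values, shown only to compare the two handlers.
if (PHP_SAPI === 'cli') {
    $atts = ['title' => '<script>alert(1)</script>', 'url' => 'javascript:alert(1)'];
    echo "vulnerable: ", demo_card_vulnerable($atts), PHP_EOL;
    echo "hardened:   ", demo_card_hardened($atts), PHP_EOL;
}
```

The point the hardened version makes is that a shortcode's output is produced when the page is rendered, so the escaping call inside the handler is what decides whether an attribute value becomes markup or text. Choose the escaping function by output context (URL attribute versus text node) rather than relying on one generic cleanup of the input, which is the separation between sanitizing input and escaping output that the two WordPress developer pages describe.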

This specific vulnerability requires that the hacker first obtain contributor-level permissions in order to carry out the attack, which makes carrying out the attack more complicated than other kinds of threats that are unauthenticated (requiring no permission level).

According to Wordfence:

“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”

Which Versions of LiteSpeed Plugin Are Vulnerable?

Versions 5.6 and earlier of the LiteSpeed Cache plugin are vulnerable to the XSS attack.

Users of LiteSpeed Cache are encouraged to update their plugin as soon as possible to the latest version, 5.7, which was released on October 10, 2023.

Read the Wordfence bulletin on the LiteSpeed XSS vulnerability:

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

Featured Image by Shutterstock/Asier Romero