Published on November 24, 2021
There were multiple security vulnerabilities fixed in the Hide My WP plugin by wpWave which allowed unauthenticated SQL injection and let unauthenticated users retrieve a token to deactivate the plugin. Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack. For plugin developers, we have security audit services and Threat Intelligence Feed […]
Published on November 19, 2021
Welcome back to the Patchstack Weekly Security Update for November 18th, 2021! In this update, I will talk about some security concerns behind package management systems and cover GitHub’s commitment to security as it pertains to their own package management system, the NPM registry. I will then go on to answer the questions: “Are attackers […]
Published on November 11, 2021
This blog post is about the difference between authentication and authorization and provides some tips for bug hunters and developers alike to better understand how it is handled in WordPress. The difference between authentication and authorization: Let’s talk about authentication vs. authorization, in that order, because that is the order in which they happen. First, you authenticate, […]
Published on November 10, 2021
There was a critical security vulnerability in the WP Reset PRO plugin which allowed any authenticated user to wipe the database. Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack. For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies. The PRO version of the WP Reset […]
Published on November 4, 2021
Welcome to the Patchstack Weekly Update! It is November 4th, 2021. This is the first of a weekly series where you can get caught up on recent events relevant to open source security, with an initial focus on WordPress security. This series is brought to you by Patchstack and I am your host Robert, you […]
Published on November 2, 2021
We’ve always wanted security to be accessible for as many people as possible. Earlier this year we opened a free-to-use WordPress vulnerability database that the WordPress community could use to keep up with the latest vulnerabilities. While our WordPress vulnerability database has become immensely popular, we’ve heard that many would love to set up alerts […]
Published on October 13, 2021
Our whole team is incredibly happy to announce that Robert Rowley has joined Patchstack as a Security Advocate. Robert has been working in the security field since 2008, including being the director or head of security at prominent WordPress web hosts like Pagely and Dreamhost. He is a long-time supporter of open-source software and believes […]
Published on September 20, 2021
UPDATE: As of 2022, Patchstack Red Team is known as Patchstack Alliance. This is a Patchstack Red Team report for September 2021. In March 2021, Patchstack announced Patchstack Red Team – a community of independent security researchers who seek vulnerabilities within WordPress plugins, themes, and core. We’ve been taking the first half of the year […]
Published on September 17, 2021
WordPress 5.8.1 is now available and there are 3 WordPress security issues fixed in that version. Altogether, this security and maintenance release features 60 bug fixes in addition to the 3 security fixes we will be focusing on in this article. Because this was a security release, it is recommended that you update your sites immediately. All versions since WordPress […]
Published on September 13, 2021
On May 15th, 2020, a SQL injection vulnerability for the Photo Gallery plugin by 10Web (with 300k+ active installations) was published by a researcher at Sun* Cyber Security Research. Not long after this, we noticed an increase in SQL injection attacks against WordPress sites. As you can see from the graph above, the attacks were […]