Was WordPress Responsible for the UK Budget Leak?
Ryan McCue @ altis-dpx.com • 2 weeks ago
A reminder that the files in the uploads folder are publicly accessible if you know the URL … which may have been how the UK budget leaked early.

Shahjahan Jewel @ wpmanageninja.com • 3 weeks ago
I looked at the latest version of FluentCart and noticed that they had a full security audit done by PatchStack. Way to go Fluent team! I wish more plugin developers would have a 3rd party audit.

Wordfence Team @ wordfence.com • 3 weeks ago
The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar files as PHP via file handler mapping or similar.

John Castro @ patchstack.com • 4 weeks ago
Many hosting platforms use Imunify360 AV. There is a critical vulnerability.

John Blackbourn @ wordpress.org • 2 months ago
WordPress 6.8.3 is rolling out now. It is a security release and the core team is recommending that people update their sites now.

Patchstack Researchers @ patchstack.com • 3 months ago
Patchstack is now reporting 2 low severity vulnerabilities for WordPress 6.8.2. The first is a Cross-Site Scripting issue that requires the attacker to have an Author or higher privilege level to exploit. The second is a Sensitive Data Exposure issue that requires Contributor level access to exploit.

Ravie Lakshmanan @ thehackernews.com • 3 months ago
If you are developing using npm packages, be aware that there is a supply chain attack in progress that so far has compromised more than 500 packages.

Lana Rafaela @ patchstack.com • 4 months ago
A selling point of many hosting providers is that they provide security for WordPress sites. Some hosting providers even suggest that WordPress security plugins are not needed if you are using their hosting. Well, Patchstack tested this out and the results weren’t good. Don’t get rid of your security plugins yet.

John Blackbourn @ wordpress.org • 4 months ago
WordPress 6.8.2 included an update to the root security certificate bundle. This has now been backported to branches 4.7 to 6.7 and the updates to those versions are available now.