WordPress 5.9 Released

Posted on January 25, 2022February 1, 2022

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements including Full Site Editing and 100 bug fixes.

Important things to know:

You need a block-based theme to actually use Full Site Editing. A block theme is a WordPress theme with templates entirely composed of blocks so that in addition to the post content of the different post types (pages, posts, …), the block editor can also be used to edit all areas of the site: headers, footers, sidebars, etc. Chances are: you aren’t using a block-based theme at the moment.
Full Site Editing is still in a current phase as a minimum viable product. This allows for a gradual adoption from users as most themes are still not ready to utilize this functionality or would be incompatible moving forward.
You don’t have to adopt Full Site Editing. If you aren’t ready for a block-based theme just yet, don’t worry. “Classic” themes continue to exist and work as always.

See the official details at https://wordpress.org/news/2022/01/josephine/.

Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin

Posted on January 19, 2022February 1, 2022

WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve email template settings and update email template settings. Unfortunately, these were insecurely implemented making it possible for unauthenticated users to access these endpoints.

Details: https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin

84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability

Posted on January 13, 2022February 1, 2022

Researchers discovered vulnerabilities that can allow for full site takeover in login and e-commerce add-ons for the popular website-building platform.

Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however.

On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday.

However, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000.

Sources:

https://threatpost.com/plugins-vulnerability-84k-wordpress-sites/177654/

https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability

WordPress Security Update: 5.8.3

Posted on January 8, 2022January 31, 2022

On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities. These patches were backported to every version of WordPress since 3.7.

Full analysis at https://www.wordfence.com/blog/2022/01/wordpress-5-8-3-security-release