PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site.

We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.
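The advisory above describes the two halves of this class of bug: an Object Injection flaw (untrusted data reaching unserialize()) and a POP chain (existing classes whose magic methods do work when instantiated). The following is an added illustration, not code from WordPress or from the Wordfence post; the CacheEntry class and the serialized input are constructed stand-ins, and the hardening shown is the generic unserialize() allow-list, not the 6.4.2 patch itself.

```php
<?php
// Added example (not from the Wordfence post): why a PHP Object Injection bug
// is the entry point for a POP chain, and how restricting unserialize() removes
// that entry point. CacheEntry is a harmless stand-in for a chain "gadget":
// any class that does work in a magic method (__wakeup, __destruct, __toString)
// can become a link once an attacker chooses what unserialize() instantiates.

class CacheEntry
{
    public string $path = '';

    // Runs automatically when an object of this class is unserialized.
    public function __wakeup(): void
    {
        echo "[gadget] __wakeup ran for path={$this->path}\n";
    }
}

// Constructed untrusted input, e.g. a cookie or POST field an attacker controls.
// No code is uploaded; the attacker only selects an existing class and its
// property values, which is exactly what makes the vulnerable call dangerous.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"/tmp/x.cache";}';

// Vulnerable pattern: any class may be instantiated and its magic methods run.
function unsafeLoad(string $data): object
{
    return unserialize($data);
}

// Hardened pattern: no application class may be instantiated. The object comes
// back as __PHP_Incomplete_Class and no application magic method executes.
// For data that crosses a trust boundary, prefer JSON over serialize() entirely.
function safeLoad(string $data): object
{
    return unserialize($data, ['allowed_classes' => false]);
}

$a = unsafeLoad($untrusted);   // prints "[gadget] __wakeup ran for path=/tmp/x.cache"
$b = safeLoad($untrusted);     // prints nothing

printf("unsafe: %s\n", get_class($a));   // CacheEntry
printf("safe:   %s\n", get_class($b));   // __PHP_Incomplete_Class
```

Run with `php` on the command line; the difference in what gets printed is the whole point: the allow-list version never lets application code run during deserialization, which is what a POP chain depends on.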

Source and more details: https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2

WordPress 6.4.1 Fixes a Critical cURL/Requests Bug

WordPress contributors have worked quickly over the past 24 hours to prepare a 6.4.1 maintenance release after a critical bug emerged from a change in the Requests library, causing problems with updates on servers running older versions of cURL.

Hosting companies began reporting widespread impact of the bug. Tom Sommer, from one of Denmark’s largest hosting companies, filed a GitHub issue outlining how the cURL timeouts were affecting sites:

  • #657 breaks downloads towards https://api.wordpress.org/ and many other sites when using Curl 7.29.0 (and perhaps other versions)
  • Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation timed out after 10000 milliseconds with 807 out of -1 bytes received.
  • It also causes issues with the REST API in Site Health with the error: REST API response: (http_request_failed) cURL error 28: Operation timed out after 10005 milliseconds with XXX out of XXX bytes received.
  • It also prevents WordPress plugin and core updates, basically anything that relies on the internal Curl handler in WordPress.

The issue became a top priority as it wasn’t clear how it would be possible for users to receive an update.

“Even if you fix this now the issue prevents any future auto-upgrade to a 6.4.1, since it breaks Curl requests, so the only way for people to update would be manually,” Sommer said. “The longer you wait, the bigger the problem will become.”

Nexcess reported tens of thousands of sites being affected by the bug. The issue was beyond what most users would be able to manually patch on their own, relegating hosts to figure out how to update their customers.

“All my websites locked after updating to WordPress 6.4,” Javier Martín González reported. “The ones without updates are working normally.”

The bug was also reported to be causing potential Stripe API, WP-Admin, and performance issues.

Liquid Web/Nexcess product manager Tiffany Bridge summarized how this problem emerged:

It looks like:

  • Someone reported a bug having to do with an interaction between his Intrusion Protection System and WordPress
  • They then submitted their own patch to WordPress
  • The project lead for that area asked the submitter to write tests, which he did not do
  • Then they merged the PR anyway, despite the lack of tests
  • Meanwhile hosts are all going to have to revert that change ourselves on our own fleets so that our customers can still have little things like core and plugin updates if we are running an affected cURL version. (7.29 confirmed, there may be others)

WordPress core contributors will have to get to the bottom of how this bug was allowed through, via a postmortem or other discussion to prevent this from happening on such a large scale in the future.

WordPress 6.4.1 updates the Requests library from version 2.0.8 to 2.0.9 as a hotfix release to mitigate the issue. It reverts the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates shipped out this evening for anyone with sites that support automatic background updates.

Source: https://wptavern.com/wordpress-6-4-1-fixes-a-critical-curl-requests-bug

Introducing Twenty Twenty-Four Theme

When it comes to designing a website, one size doesn’t fit all. We understand that every WordPress user has unique needs and goals, whether you’re an aspiring entrepreneur, a passionate photographer, a prolific writer, or a bit of them all. That’s why we are thrilled to introduce Twenty Twenty-Four, the most versatile default theme yet—bundled with WordPress 6.4 and ready to make it uniquely yours.

A theme for every style

Unlike past default themes, Twenty Twenty-Four breaks away from the tradition of focusing on a specific topic or style. Instead, this theme has been thoughtfully crafted to cater to any type of website, regardless of its focus. The theme explores three different use cases: one designed for entrepreneurs and small businesses, another for photographers and artists, and a third tailored for writers and bloggers. Thanks to its multi-faceted nature and adaptability, Twenty Twenty-Four emerges as the perfect fit for any of your projects.

As you dive into its templates and patterns, you will notice how the new Site Editor functionality opens up different pathways for building your site seamlessly.

Patterns at every step

Whether you’re looking to craft an About page, showcase your work, handle RSVPs, or design captivating landing pages, Twenty Twenty-Four has got you covered. Choose from an extensive collection of over 35 beautiful patterns to customize and suit your needs.

For the first time, this theme features full-page patterns for templates like homepage, archive, search, single pages, and posts. Some are exclusively available during the template-switching and creation process, ensuring you have the right options when you need them.

Moreover, you can take advantage of a variety of patterns for page sections, such as FAQs, testimonials, or pricing, to meet your site’s most specific requirements.

With this diverse pattern library, Twenty Twenty-Four offers a flexible canvas to quickly assemble pages without having to start from scratch—saving you time and energy in the creation process. Just let your creativity flow and explore the possibilities!

Screenshots of Twenty Twenty-Four patterns.

Site editing in its finest form

Twenty Twenty-Four ushers in a new era of block themes by bringing together the latest WordPress site editing capabilities. Discover newer design tools such as background image support in Group blocks and vertical text, providing an intuitive and efficient way to create compelling, interactive content.

Find image placeholders with predefined aspect ratio settings within patterns, allowing you to drop images that perfectly fill the space. To go one step further, make your visuals interactive by enabling lightboxes. Ideal for showcasing galleries or portfolio images, this feature allows your visitors to expand and engage with them in full-screen mode. Activate it globally for all images throughout your site or for specific ones.

For a smoother browsing experience on your site, you can disable the “Force page reload” setting in the Query Loop block. This allows the necessary content to be loaded dynamically when switching between different pages without needing a full-page refresh.

Elegance with purpose

Twenty Twenty-Four goes beyond versatility with a beautiful aesthetic inspired by contemporary design trends, giving your website a sleek and modern look. Key design elements include:

  • Cardo font for headlines: The Cardo font adds a touch of elegance to your site, creating a sophisticated visual experience.
  • Sans-serif system font for paragraphs: The sans-serif font ensures that your texts are cleaner and easier to read, enhancing overall readability.
  • Eight style variations: Twenty Twenty-Four presents a light color palette for a fresh and inviting appearance out-of-the-box, but you can customize it with seven additional style variations. Each includes fonts and colors carefully curated to work beautifully alongside the patterns and templates.
  • Sans-serif variations: Besides the default styles, the theme offers two additional sans-serif variations, providing more choices for your site’s typography.

Along with its design, Twenty Twenty-Four has been meticulously optimized for performance. This ensures that your website not only looks great but also delivers a fast and efficient user experience.

Explore Twenty Twenty-Four now

More information can be found in the following links:

The Twenty Twenty-Four theme was designed by Beatriz Fialho and made possible thanks to the passion and tireless work of more than 120 contributors.

Source: https://wordpress.org/news/2023/11/introducing-twenty-twenty-four/

WordPress 6.4 Introduces Twenty Twenty-Four Theme, Adds Lightbox, Block Hooks, and Improvements Across Design Tools

WordPress 6.4 “Shirley” was released today, named for famed American jazz pianist and singer Shirley Horn. This release introduces a new batch of writing and design tools that give users more powerful customization capabilities inside the editor. We covered most of the changes as they were released in the Gutenberg plugin and added to core, but here are a few of the highlights.

Lightbox

WordPress now has core support for loading images in a lightbox. It’s a simple, yet elegant “expand on click” feature that allows visitors to expand images to be full-screen without leaving the page. The lightbox can be enabled on a per-image basis or site-wide under Styles » Blocks » Images.

Redesigned Command Palette

The Command Palette has gotten a design refresh in 6.4 in order to accommodate a growing catalog of commands available to help users perform tasks more efficiently. Users can access the tool inside the Site Editor and the Post Editor alike, with specific contextual command options for saving time across both editing experiences.

image credit: WordPress 6.4 release page

List View Improvements

The List View continues to get improvements to make it more useful for getting a condensed overview of the content at a glance. WordPress 6.4 adds media previews for the Gallery and Image blocks in the List View. It also allows users to assign custom names for Group blocks, which are visible in the List View so they can be easily organized.

image credit: WordPress 6.4 release post

Block Hooks

Block Hooks are a new developer feature, originally introduced in Gutenberg 16.4 for auto-inserting blocks. Developers can specify a location where a block will be inserted, such as before or after a template. Users can then reposition the blocks after insertion using the editor tools.

Twenty Twenty-Four

WordPress 6.4 ships with a brand new default theme, Twenty Twenty-Four. It was designed to be a multi-purpose theme, suitable for building a wide range of websites, including blogs, businesses, and portfolios. The theme comes with more than 35 templates and patterns. Check out a live demo to see all the full-page patterns, section patterns, and style variations available in Twenty Twenty-Four. It includes three different fully-built site demos for blogger, photographer, and entrepreneur use cases.

image credit: WordPress 6.4 About Page

Other notable improvements in 6.4 include the following:

  • Writing enhancements with new keyboard shortcuts, smoother list merging, and improved toolbar experience for the Navigation, List, and Quote blocks
  • Organize patterns with custom categories, new advanced filtering for patterns in the inserter
  • Expanded design tools: background images in Group blocks, ability to maintain image dimensions consistent with placeholder aspect ratios, add buttons to the Navigation block, and more
  • Share patterns across WordPress sites by importing and exporting them as JSON files from the Site Editor’s patterns view

Check out the beautiful 6.4 release page to see all the major features highlighted. Under the hood there are also more than 100 performance-related updates and a range of accessibility improvements that create a more consistent experience in the site and post editors.

This is the last major release planned for 2023. It includes contributions from more than 600 people across 56 countries, with 170 first-time contributors.

WordPress 6.4 was led by an underrepresented gender release squad, which Release Lead Josepha Haden Chomphosy organized “to welcome and empower diverse voices in the WordPress open source project.” Together they shipped 1,150 enhancements and fixes available now in 6.4.

Source: https://wptavern.com/wordpress-6-4-introduces-twenty-twenty-four-theme-adds-lightbox-block-hooks-and-improvements-across-design-tools

WordPress 6.3.2 – Maintenance and Security release

This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  • Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  • Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying a XSS issue in the post link navigation block.
  • Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  • John Blackbourn (WordPress Security Team), James Golovich, J.D. Grimes, Numan Turle, and WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  • mascara7784 and a third-party security audit for identifying a XSS vulnerability in the application password screen.
  • Jorge Costa of the WordPress Core Team for identifying XSS vulnerability in the footnotes block.
  • s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Source and more details: https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/ and https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-what-you-need-to-know/

See your identity pieced together from stolen data

Have you ever wondered how much of your personal information is available online? Here’s your chance to find out.

We’ve all heard about high-profile data breaches at places like Optus and Medibank, but there are thousands more of them that we don’t hear about.

That’s why Australian online security expert Troy Hunt created Have I Been Pwned? — a service that tracks stolen data across the internet, and is used by numerous national governments, security services and law enforcement.

Now, we’ve used Hunt’s database to help you:

  • Find out what data breaches you’ve been caught up in
  • See a visual summary of the potential scale of the leaked information out there about you
  • Understand how something known as “the mosaic effect” can increase the risks we all face online

Enter your email address at the bottom of the linked page to see exactly how breached data can be used to piece together a detailed picture of your identity.

The ABC won’t collect your personal information. Details about the use of your information are available on the Have I Been Pwned privacy page.

PSA: Wordfence Brand Being Actively Used in Phishing Campaigns

Earlier this week we became aware that malicious actors are using Wordfence brand image to run a phishing scam on WordPress and Wordfence users, posing as unknown login notifications from their own website while linking to a fake login page, clearly aiming to steal WordPress login credentials.

If you have received a suspicious email like this you may want to ensure it is legitimate by checking a couple of telltale signs:

  • Wordfence notifications from your website will be sent from an email address matching your website (usually wordfence[@]your-website-domain).
  • Messages sent through our mailing list are sent exclusively from list@wordfence.com, and will display an unsubscribe link at the end of the message.
  • Wordfence login notifications from your website are not signed by our CEO and founder, Mark Maunder.

Details

This phishing campaign appears to be running via several custom domains, usually posing as Wordfence (or the Wordfence Team); for example:

  • From: Wordfence <matteo.fish[@]germanrottweillerpuppies.net>
  • From: Wordfence Team <jamir.bahhar[@]acmesecurityconcepts.com>
  • From: Wordfence <thea.santana[@]iznacquisitions.com>

The most important thing to be aware of for WordPress site owners is that in this phishing campaign, the WordPress login link found in the email will not direct to their own site. We have seen these emails link to several legitimate, but vulnerable, websites as part of their campaign, using open redirect vulnerabilities to minimize the risk of being detected as spam/phishing messages by mail security software.

Source and more details: https://www.wordfence.com/blog/2023/07/psa-wordfence-brand-being-actively-used-in-phishing-campaigns

Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign

The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing redirects to malvertizing sites as well as the creation of malicious admin users, both of which are appealing use cases for attackers.

All Wordfence sites are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. Note that since this vulnerability did not require a separate firewall rule, statistics for it are not currently publicly available on Wordfence Intelligence, as they are aggregated under the general Cross-Site Scripting chart, where it currently accounts for roughly two-thirds of all attacks blocked by the rule.

According to Wordfence records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that they have seen. Wordfence has blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.

It is believed that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.

Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/wordfence-firewall-blocks-bizarre-large-scale-xss-campaign

WordPress 6.2.2 Security Release

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

Full info: https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/

WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know

On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities.

These patches have been backported to every version of WordPress since 4.1. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.


Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. This vulnerability would not be easy to exploit in an impactful manner on most configurations.
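The paragraph above names the root cause: a request parameter (‘wp_lang’) used to choose which translation file to load. The following is an added illustration, not WordPress core code and not the 6.2.1 patch; the function names, the language directory and the installed-locale list are constructed, and the hardened version applies two independent checks (a locale-shaped pattern and an installed-translation allow-list) so that a gap in one does not reopen the traversal.

```php
<?php
// Added example (not WordPress core code): the shape of the ‘wp_lang’ directory
// traversal described above, beside an allow-list check that closes it.
// Names and paths are illustrative; WordPress's actual fix is not reproduced.

// Vulnerable pattern: the request parameter is concatenated straight into a path,
// so "../" sequences walk out of the languages directory.
function translationFileUnsafe(string $langDir, string $wpLang): string
{
    return $langDir . '/' . $wpLang . '.mo';
}

// Hardened pattern: the value must look like a locale code AND name a translation
// that is actually installed. Returns null when the request should be refused.
function translationFileSafe(string $langDir, string $wpLang, array $installed): ?string
{
    // Locale codes are letters, digits, underscore and hyphen only (en_US, pt-BR).
    // This alone rejects "/", "..", NUL bytes and every other path metacharacter.
    if (!preg_match('/^[A-Za-z0-9_-]{2,20}$/', $wpLang)) {
        return null;
    }
    // Even a well-formed code is only honoured if a .mo file for it ships on the site.
    if (!in_array($wpLang, $installed, true)) {
        return null;
    }
    return $langDir . '/' . $wpLang . '.mo';
}

// Constructed inputs: a languages directory and the locales installed on the site.
$langDir   = '/var/www/html/wp-content/languages';
$installed = ['en_US', 'de_DE', 'fr_FR'];

$cases = [
    'de_DE',                              // legitimate, installed
    '../../../wp-content/uploads/evil',   // traversal toward an uploaded file
    "de_DE\0",                            // embedded NUL byte
    'es_ES',                              // well-formed but not installed
];

foreach ($cases as $wpLang) {
    $unsafe = translationFileUnsafe($langDir, $wpLang);
    $safe   = translationFileSafe($langDir, $wpLang, $installed);
    printf("input  %s\n  unsafe -> %s\n  safe   -> %s\n",
        json_encode($wpLang), json_encode($unsafe), $safe ?? 'REJECTED');
}
```

Only the first case yields a path from the hardened function; the unsafe function happily builds a path outside the languages directory for the traversal case, which is the behaviour the paragraph above describes.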

WordPress Core is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the ‘wp_ajax_set_attachment_thumbnail’ AJAX function in versions up to, and including, 6.2. This allows unauthenticated users to update the thumbnail image associated with existing attachments, provided they can trick an authenticated user with appropriate permissions into performing an action, such as clicking a link. The impact of this vulnerability is incredibly minimal and we do not expect to see any exploitation of this weakness.

WordPress Core is vulnerable to stored Cross-Site Scripting in versions up to, and including, 6.2, due to insufficient validation of the protocol in the response when processing oEmbed discovery. This makes it possible for authenticated attackers with contributor-level and above permissions to use a crafted oEmbed payload at a remote URL to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core fails to sufficiently sanitize block attributes in versions up to, and including, 6.2. This makes it possible for authenticated attackers with contributor-level and above permissions to embed arbitrary content in HTML comments on the page, though Cross-Site Scripting may be possible when combined with an additional vulnerability. Please note that this would only affect sites utilizing a block editor compatible theme.

WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions. While this is likely to have minimal impact on its own, it can significantly increase the severity and exploitability of other vulnerabilities.

Conclusion

In today’s article, we covered five vulnerabilities patched in the WordPress 6.2.1 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours.

The Wordfence firewall’s built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, and it would typically only be impactful when exploited by a skilled attacker in certain configurations. Most of the other issues fixed today are similar in that they require specific configurations or circumstances, such as other vulnerable plugins, to impactfully exploit.

However, we urge all site owners to verify that WordPress is updated as soon as possible since it is not practical to deploy a firewall rule that protects against the oEmbed issue and as such any site with untrusted contributor-level users may be at risk.

As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 4.1, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.

Source and more details: https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know