WordPress 6.4.1 Fixes a Critical cURL/Requests Bug

WordPress contributors have worked quickly over the past 24 hours to prepare a 6.4.1 maintenance release after a critical bug emerged from a change in the Requests library, causing problems with updates on servers running older versions of cURL.

Hosting companies began reporting widespread impact of the bug. Tom Sommer, from one of Denmark’s largest hosting companies, filed a GitHub issue outlining how the cURL timeouts were affecting sites:

  • #657 breaks downloads towards https://api.wordpress.org/ and many other sites when using Curl 7.29.0 (and perhaps other versions)
  • Error: RuntimeException: Failed to get url 'https://api.wordpress.org/core/version-check/1.7/?locale=en_US': cURL error 28: Operation timed out after 10000 milliseconds with 807 out of -1 bytes received.
  • It also causes issues with the REST API in Site Health with the error: REST API response: (http_request_failed) cURL error 28: Operation timed out after 10005 milliseconds with XXX out of XXX bytes received”
  • It also prevents WordPress plugin and core updates, basically anything that relies on the internal Curl handler in WordPress.

The issue became a top priority as it wasn’t clear how it would be possible for users to receive an update.

“Even if you fix this now the issue prevents any future auto-upgrade to a 6.4.1, since it breaks Curl requests, so the only way for people to update would be manually,” Sommer said. “The longer you wait, the bigger the problem will become.”

Nexcess reported tens of thousands of sites being affected by the bug. The issue was beyond what most users would be able to manually patch on their own, relegating hosts to figure out how to update their customers.

“All my websites locked after updating to WordPress 6.4,” Javier Martín González reported. “The ones without updates are working normally.”

The bug was also reported to be causing causing potential Stripe API, WP-Admin, and performance issues.

Liquid Web/Nexcess product manager Tiffany Bridge summarized how this problem emerged:

It looks like:

  • Someone reported a bug having to do with an interaction between his Intrusion Protection System and WordPress
  • They then submitted their own patch to WordPress
  • The project lead for that area asked the submitter to write tests, which he did not do
  • Then they merged the PR anyway, despite the lack of tests
  • Meanwhile hosts are all going to have to revert that change ourselves on our own fleets so that our customers can still have little things like core and plugin updates if we are running an affected cURL version. (7.29 confirmed, there may be others)

WordPress core contributors will have to get to the bottom of how this bug was allowed through, via a postmortem or other discussion to prevent this from happening on such a large scale in the future.

WordPress 6.4.1 updates the Requests library from version 2.0.8 to 2.0.9. as a hotfix release to mitigate the issue. It reverts the problematic change. Version 6.4.1 also includes fixes for three other separate issues. Automatic updates shipped out this evening for anyone with sites that support automatic background updates.

Source: https://wptavern.com/wordpress-6-4-1-fixes-a-critical-curl-requests-bug

Introducing Twenty Twenty-Four Theme

When it comes to designing a website, one size doesn’t fit all. We understand that every WordPress user has unique needs and goals, whether you’re an aspiring entrepreneur, a passionate photographer, a prolific writer, or a bit of them all. That’s why we are thrilled to introduce Twenty Twenty-Four, the most versatile default theme yet—bundled with WordPress 6.4 and ready to make it uniquely yours.

A theme for every style

Unlike past default themes, Twenty Twenty-Four breaks away from the tradition of focusing on a specific topic or style. Instead, this theme has been thoughtfully crafted to cater to any type of website, regardless of its focus. The theme explores three different use cases: one designed for entrepreneurs and small businesses, another for photographers and artists, and a third tailored for writers and bloggers. Thanks to its multi-faceted nature and adaptability, Twenty Twenty-Four emerges as the perfect fit for any of your projects.

As you dive into its templates and patterns, you will notice how the new Site Editor functionality opens up different pathways for building your site seamlessly.

Patterns at every step

Whether you’re looking to craft an About page, showcase your work, handle RSVPs, or design captivating landing pages, Twenty Twenty-Four has got you covered. Choose from an extensive collection of over 35 beautiful patterns to customize and suit your needs.

For the first time, this theme features full-page patterns for templates like homepage, archive, search, single pages, and posts. Some are exclusively available during the template-switching and creation process, ensuring you have the right options when you need them.

Moreover, you can take advantage of a variety of patterns for page sections, such as FAQs, testimonials, or pricing, to meet your site’s most specific requirements.

With this diverse pattern library, Twenty Twenty-Four offers a flexible canvas to quickly assemble pages without having to start from scratch—saving you time and energy in the creation process. Just let your creativity flow and explore the possibilities!

Screenshots of Twenty Twenty-Four patterns.

Site editing in its finest form

Twenty Twenty-Four ushers in a new era of block themes by bringing together the latest WordPress site editing capabilities. Discover newer design tools such as background image support in Group blocks and vertical text, providing an intuitive and efficient way to create compelling, interactive content.

Find image placeholders with predefined aspect ratio settings within patterns, allowing you to drop images that perfectly fill the space. To go one step further, make your visuals interactive by enabling lightboxes. Ideal for showcasing galleries or portfolio images, this feature allows your visitors to expand and engage with them in full-screen mode. Activate it globally for all images throughout your site or for specific ones.

For a smoother browsing experience on your site, you can disable the “Force page reload” setting in the Query Loop block. This allows the necessary content to be loaded dynamically when switching between different pages without needing a full-page refresh.

Elegance with purpose

Twenty Twenty-Four goes beyond versatility with a beautiful aesthetic inspired by contemporary design trends, giving your website a sleek and modern look. Key design elements include:

  • Cardo font for headlines: The Cardo font adds a touch of elegance to your site, creating a sophisticated visual experience.
  • Sans-serif system font for paragraphs: The sans-serif font ensures that your texts are cleaner and easier to read, enhancing overall readability.
  • Eight style variations: Twenty Twenty-Four presents a light color palette for a fresh and inviting appearance out-of-the-box, but you can customize it with seven additional style variations. Each includes fonts and colors carefully curated to work beautifully alongside the patterns and templates.
  • Sans-serif variations: Besides the default styles, the theme offers two additional sans-serif variations, providing more choices for your site’s typography.

Along with its design, Twenty Twenty-Four has been meticulously optimized for performance. This ensures that your website not only looks great but also delivers a fast and efficient user experience.

Explore Twenty Twenty-Four now

More information can be found in the following links:

The Twenty Twenty-Four theme was designed by Beatriz Fialho and made possible thanks to the passion and tireless work of more than 120 contributors.

Source: https://wordpress.org/news/2023/11/introducing-twenty-twenty-four/

WordPress 6.4 Introduces Twenty Twenty-Four Theme, Adds Lightbox, Block Hooks, and Improvements Across Design Tools

WordPress 6.4 “Shirley” was released today, named for famed American jazz pianist and singer Shirley Horn. This release introduces a new batch of writing and design tools that give users more powerful customization capabilities inside the editor. We covered most of the changes as they were released in the Gutenberg plugin and added to core, but here are a few of the highlights.

Lightbox

WordPress now has core support for loading images in a lightbox. It’s a simple, yet elegant “expand on click” feature that allows visitors to expand images to be full-screen without leaving the page. The lightbox can be enabled on a per-image basis or site-wide under Styles » Blocks » Images.

Redesigned Command Palette

The Command Palette has gotten a design refresh in 6.4 in order to accommodate a growing catalog of commands available to help users perform tasks more efficiently. Users can access the tool inside the Site Editor and the Post Editor alike, with specific contextual command options for saving time across both editing experiences.

image credit: WordPress 6.4 release page
List View Improvements

The List View continues to get improvements to make it more useful for getting a condensed overview of the content at a glance. WordPress 6.4 adds media previews for the Gallery and Image blocks in the List View. It also allows users to assign custom names for Group blocks, which are visible in the List View so they can be easily organized.

image credit: WordPress 6.4 release post
Block Hooks

Block Hooks are a new developer feature, originally introduced in Gutenberg 16.4 for auto-inserting blocks. Developers can specify a location where a block will be inserted, such as before or after a template. Users can then reposition the blocks after insertion using the editor tools.

Twenty Twenty-Four

WordPress 6.4 ships with a brand new default theme, Twenty Twenty-Four. It was designed to be a multi-purpose theme, suitable for building a wide range of websites, including blogs, businesses, and portfolios. The theme comes with more than 35 templates and patterns. Check out a live demo to see all the full-page patterns, section patterns, and style variations available in Twenty Twenty-Four. It includes three different fully-built site demos for blogger, photographer, and entrepreneur use cases.

image credit: WordPress 6.4 About Page

Other notable improvements in 6.4 include the following:

  • Writing enhancements with new keyboard shortcuts, smoother list merging, and improved toolbar experience for the Navigation, List, and Quote blocks
  • Organize patterns with custom categories, new advanced filtering for patterns in the inserter
  • Expanded design tools: background images in Group blocks, ability to maintain image dimensions consistent with placeholder aspect ratios, add buttons to the Navigation block, and more
  • Share patterns across WordPress sites by importing and exporting them as JSON files from the Site Editor’s patterns view

Check out the beautiful 6.4 release page to see all the major features highlighted. Under the hood there are also more than 100 performance-related updates and a range of accessibility improvements that create a more consistent experience in the site and post editors.

This is the last major release planned for 2023. It includes contributions from more than 600 people across 56 countries, with 170 first-time contributors.

WordPress 6.4 was led by an underrepresented gender release squad, which Release Lead Josepha Haden Chomphosy organized “to welcome and empower diverse voices in the WordPress open source project.” Together they shipped 1,150 enhancements and fixes available now in 6.4.

Source: https://wptavern.com/wordpress-6-4-introduces-twenty-twenty-four-theme-adds-lightbox-block-hooks-and-improvements-across-design-tools

Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress

On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations.

After making their initial contact attempt on September 28th, 2023, they received a response on September 29, 2023 and sent over their full disclosure details. Receipt of the disclosure by the vendor was acknowledged the same day and a fully patched version of the plugin was released on October 19, 2023.

Wordfence issued a firewall rule to protect paid customers. Users of the free Wordfence plugin will receive the same protection on October 29, 2023.

Please note that these vulnerabilities were originally fixed in 4.9.1 (released October 10, 2023). However, some of them were reintroduced in 4.9.2 and then subsequently patched again in 4.9.3. We recommend that all Wordfence users update to version 4.9.3 or higher immediately.

Source and full details: https://www.wordfence.com/blog/2023/10/several-critical-vulnerabilities-patched-in-ai-chatbot-plugin-for-wordpress

‘Log in with…’ Feature Allows Full Online Account Takeover for Millions

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that lead them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as “Log in with Facebook” or “Log in with Google.” 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website’s sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a “Pass-The-Token” flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third party site typically owned by the attacker himself to login to another service.

“For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the users token and log in on his behalf to other sites, like Grammarly for instance,” Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that’s not the end of the story. 

“Just these three sites are enough for us to prove our point, and we decided to not look for additional targets,” according to the report, “but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day,”

Various Ways to Misconfigure OAuth

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

“This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts,” the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn’t verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user’s credentials and completely take over that user’s account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user’s account and achieve full account takeover.

Secure OAuth From the Start

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

“It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine,” he says. “However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users.”

For this reason, it’s essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

“Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused,” he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

Source: ‘Log in with…’ Feature Allows Full Online Account Takeover for Millions (darkreading.com)

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

On August 14, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in LiteSpeed Cache plugin, which is actively installed on more than 4,000,000 WordPress websites, making it the most popular cache plugin. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All WordFence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

WordFence contacted The LiteSpeed Cache Team on August 14, 2023, and we received a response on the same day. After providing full disclosure details, the developer team made a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. We would like to commend the LiteSpeed Technologies for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of LiteSpeed Cache, version 5.7 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

The popular LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million websites, allowing hackers to upload malicious scripts.

LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.

Cross-Site Scripting (XSS) Vulnerability

Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.

XSS vulnerabilities are generally a type that takes advantage of a lack of a security process called data sanitization and escaping.

Sanitization is a technique that filters what kind of files can be uploaded via a legitimate input, like on a contact form.

In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts they otherwise would not be able to had the proper security protocols of sanitization/escaping data been in place.

The WordPress developer page describes the sanitization security practice:

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

…Sanitizing input is the process of securing/cleaning/filtering input data.”

Another WordPress developer page describes the recommended process of escaping data like this:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”

This specific vulnerability requires that the hacker first obtain contributor level permissions in order to carry out the attack, which makes carrying out the attack more complicated than other kinds of threats that are unauthenticated (require no permission level).

According to Wordfence:

“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”

Which Versions of LiteSpeed Plugin Are Vulnerable?

Versions 5.6 or less of the LiteSpeed Cache plugin are vulnerable to the XSS attack.

Users of the LiteSpeed Cache are encouraged to update their plugin as soon as possible to the latest version, 5.7 which was released on October 10, 2023.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin/

See also: https://www.searchenginejournal.com/wordpress-litespeed-plugin-vulnerability-affects-4-million-websites/499074/#close

WordPress 6.3.2 – Maintenance and Security release

This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  • Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  • Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying a XSS issue in the post link navigation block.
  • Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  • John Blackbourn (WordPress Security Team), James GolovichJ.D GrimesNuman TurleWhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  • mascara7784 and a third-party security audit for identifying a XSS vulnerability in the application password screen.
  • Jorge Costa of the WordPress Core Team for identifying XSS vulnerability in the footnotes block.
  • s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Source and more details: https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/ and https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-what-you-need-to-know/

Unauthenticated File Upload Vulnerability Addressed in Royal Elementor Addons and Templates 1.3.79

During an investigation of a series of website being actively compromised we noticed the constant presence of the Royal Elementor Addons and Templates plugin installed. And all sites had at least one malicious file dropped into the /wpr-addons/forms/ directory.

As we reviewed the plugin it was found that the upload ajax action wasn’t properly validating the uploaded file’s extensions, allowing bad actors to bypass the check and drop malicious files to the /wpr-addons/forms/ directory.

Upon identifying the vulnerability, we promptly alerted the plugin development team, who released version 1.3.79 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

Source and full details: https://wpscan.com/blog/unauthenticated-file-upload-vulnerability-addressed-in-royal-elementor-addons-and-templates-1-3-79/

and https://www.wordfence.com/blog/2023/10/psa-critical-unauthenticated-arbitrary-file-upload-vulnerability-in-royal-elementor-addons-and-templates-being-actively-exploited/

Finding A RCE Gadget Chain In WordPress Core

During a recent team gathering in Belgium, WPScan had an impromptu Capture The Flag game that included a challenge with an SQL Injection vulnerability occurring inside an INSERT statement, meaning attackers could inject random stuff into the targeted table’s columns, and query information from the database, the intended “flag” being the credentials of a user on the affected blog.

The vulnerable SQL query inserted new rows into the wp_termmeta table, which while WPScan knew it could potentially lead to Object Injection attacks due to the inserted metadata being passed through maybe_unserialize upon retrieval, WPScan didn’t think too much about it since the common thought on the matter was that there was no known current RCE gadget chain in WordPress Core, and thus the challenge was “safe” since it didn’t use any other external plugins.

This proved to be enough to win that flag, however, the thought that there might be an alternative solution to the challenge piqued our curiosity. What if there was a working RCE gadget chain in Core waiting to be found?

Turns out, there was a way, which the WordPress Security Team fixed on version 6.3.2 by preventing several classes used in the final chain from either being unserialized at all, or restricting what some of their unserialized properties may contain.

Source and more details: https://wpscan.com/blog/finding-a-rce-gadget-chain-in-wordpress-core/