This is our daily post that is shared across Twitter & Telegram and published first on here with Kindness & Love XX on peace-truth.com/
#AceNewsRoom in Kindness & Wisdom provides News & Views @acebreakingnews
Ace Press News From Cutting Room Floor: Published: Jan.26: 2023:
#AceBreakingNews – Popular WordPress plugin Ultimate Shortcodes used in over 700,000 WordPress websites contains a CSRF vulnerability
Featured Image by Shutterstock/Cookie Studio
The United States government National Vulnerability Database (NVD) published an advisory about Shortcodes Ultimate WordPress plugin, warning that it was discovered to contain a Cross Site Request Forgery vulnerability.
Shortcodes Ultimate is a highly popular WordPress plugin with over 700,000 active installations.
The vulnerability affects plugin versions that are older than the current version 5.12.2.
Cross-Site Request Forgery Vulnerability
Cross-Site Request Forgery, commonly referred to as CSRF, is a type of vulnerability that can in the worst cases can lead to complete website takeover.
These kinds of vulnerabilities are generally caused by targeting a flaw in software that can trigger a change, which can then lead to unintended consequences.
A successful attack generally depends on a user, for example with administrative privileges, clicking on a link and unintentionally revealing information like a session cookie which can then be used to impersonate that person.
This kind of vulnerability depends on social engineering, which is manipulating an end user to complete an action which then takes advantage of the plugin vulnerability.
“CSRF is an attack that tricks the victim into submitting a malicious request.
It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf…
For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth.
Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.”
National Vulnerability Database (NVD)
The National Vulnerability Database published just a few details about the vulnerability. There is currently no complete breakdown of the vulnerability itself.
“Fixed issue with Shortcode Generator Presets, introduced in the previous update”
The above changelog appears to misspell the security researcher’s name, which is correctly spelled Dave Jong, CTO of Patchstack, the person who is credited with discovering and reporting the vulnerability.
Recommended Course of Action
WordPress publishers who currently use Shortcodes Plugin should consider updating to the very latest version, which at the time of writing is currently version 5.12.2.
Editor says …Sterling Publishing & Media Service Agency is not responsible for the content of external site or from any reports, posts or links, and can also be found here on Telegram: https://t.me/acenewsdaily and all wordpress and live posts and links here: https://acenewsroom.wordpress.com/and thanks for following as always appreciate every like, reblog or retweet and free help and guidance tips on your PC software or need help & guidance from our experts AcePCHelp.WordPress.Com
This is our daily post that is shared across Twitter & Telegram and published first on here with Kindness & Love XX on peace-truth.com/
#AceNewsRoom in Kindness & Wisdom provides News & Views @acenewsservices
Ace Press News From Cutting Room Floor: Published: Jan.20: 2023:
#AceNewsDesk – To round out the excellent vision-setting done in both the State of the Word and Letter to WordPress, here are some goals and projects that we can anticipate in the WordPress project this year.
A Quick Caveat
There are always unexpected projects that arise over the course of the year. And there are big projects to move forward in pieces over the course of multiple years. This project is too big for me to see everything all the time, and I rely on the information from team reps and the vision from project leadership to help navigate any surprises.
If you don’t see a project here, keep in mind that many are still valuable to the overall success of our work.
From 10,000 Feet
There are three pillars that the year’s projects are focused on:
Community: Re-engage our community through learning, events, and celebrating our 20th year as a project.
Ecosystem: Update distribution methods and mechanisms for extenders and Core itself.
I’ve compiled a preliminary list of individual projects that support one of the above goals and are planned for 2023. This list will be updated throughout the year.
WordPress Project Aims to Complete Customization Phase and Begin Exploring Collaboration in 2023
WordPress Executive Director Josepha Haden Chomphosy published a summary of the project’s “big picture” goals for 2023. The goals fall into three major categories: CMS, Community, and Ecosystem.
WordPress development will focus on completing the remaining tasks for Phase 2 (Customization), and will move on to begin exploring Collaboration in Phase 3.
“As we prepare for the third phase of the Gutenberg project, we are putting on our backend developer hats and working on the APIs that power our workflows,” Haden Chomphosy said in her recent Letter to WordPress.
“Releases during Phase 3 will focus on the main elements of collaborative user workflows. If that doesn’t make sense, think of built-in real-time collaboration, commenting options in drafts, easier browsing of post revisions, and programmatic editorial and pre-launch checklists.”
The vision for the first two phases was “blocks everywhere” and Haden Chomposy said this will be updated for Phase 3 to be centered on the idea of “works with the way you work.”
In addition to the Phase 3 APIs, Haden Chomphosy identified the following items as part of the CMS goals for 2023:
Openverse search in Core
Navigation block
Media management
Simplify the release process
PHP 8.2 compatibility (Core and Gutenberg)
Block theme development tools
Under the Community category, WordPress will be focusing on planning the Community Summit, which will be held at WordCamp US in 2023, contributor onboarding, improving Polyglot tools, establishing mentor programs, revamping WordPress.org designs, and keeping pace with learning content. The project is also aiming to develop a canonical plugin program, which should be helpful as some Performance team contributors recently expressed that they don’t fully understand what the process is for canonical plugins.
The Ecosystem category will focus on the WordPress Playground, an experimental project that uses WebAssembly (WASM) to run WordPress in the browser without a PHP server with many useful applications for contributors.
WordPress contributors also prevailed upon Matt Mullenweg to consider having the project devote some time to working through old tickets and fixing bugs. Mullenweg said he is amenable to tackling one long-standing ticket (the kind that are stuck because of missing decisions or multiple possible solutions) each month in 2023.
WORDPRESS & WP TAVERN NEWS REPORT
Editor says …Sterling Publishing & Media Service Agency is not responsible for the content of external site or from any reports, posts or links, and can also be found here on Telegram: https://t.me/acenewsdaily and all wordpress and live posts and links here: https://acenewsroom.wordpress.com/and thanks for following as always appreciate every like, reblog or retweet and free help and guidance tips on your PC software or need help & guidance from our experts AcePCHelp.WordPress.Com
This is our daily post that is shared across Twitter & Telegram and published first on here with Kindness & Love XX on peace-truth.com/
#AceNewsRoom in Kindness & Wisdom provides News & Views @acebreakingnews
Ace Press News From Cutting Room Floor: Published: Jan.18: 2023:
#AceNewsDesk – Jetpack Revamps Mobile App, WordPress.com Users Must Migrate to Keep Using Stats, Reader, and Notification Features
Say Hello to the New Jetpack Mobile App
Put WordPress in your pocket with the new Jetpack mobile app.
As we settle into 2023, we’ve been thinking about ways to help you get the most out of your WordPress site throughout the year. That’s where the new Jetpack mobile app comes in!
We know inspiration doesn’t wait for you to be sitting at your desk. It can strike anywhere. With the new Jetpack mobile app, you have the freedom to snap a photo to post while out on a walk, begin drafting your Bloganuary entry on your morning commute, or make tweaks to your content while on your lunch break.
Inspiration, we’re ready for you!
What’s more, the app brings the tools you need to manage and grow your site right to your fingertips:
Understand how your content is performing and know what’s resonating with your audience using Stats and Insights.
Reply to comments on the go, see when your traffic is booming, and stay engaged with your audience with Notifications.
Discover new bloggers and catch up with your favorite sites using the Reader.
We’re constantly working on new ways to improve the Jetpack app and make it the best possible way to WordPress on the go. Daily blogging prompts to help spark different content ideas are an example of one recent feature we’re excited to continue iterating on. In addition, you can now use the app to log into WordPress.com on your computer simply by scanning a QR code.
Have ideas for features or improvements you’d like to see within the app? We’re all ears! Let us know in the comments below.
FAQ
What’s the difference between the WordPress and the Jetpack apps?
Your favorite Jetpack-powered features from the WordPress app – including Stats, Notifications, and the Reader – have a new home: the Jetpack app! These features will soon be removed from the WordPress app so that its focus will be on essential user and publishing tools. With the Jetpack app, you can expect the same attention to core features like managing and editing content, as well as next-level tools to grow your audience on a trusted platform.
How do I migrate my data and settings from the WordPress app to the Jetpack app?
If you have the latest version of the WordPress app installed, your data and settings will be automatically transferred to the Jetpack app. Data that will be transferred includes locally stored content, saved posts, and other in-app preferences.
Simply download the Jetpack app and you’ll be “auto-magically” logged in with all your content in place.
Is there an additional cost?
The Jetpack app is free to download and you can continue to use the same features that you enjoy with the WordPress app, at no additional cost.
Why are there two apps, and which should I use?
WordPress comes in more than one flavor and serves a diverse range of site administration needs. After listening to a lot of feedback around varying expectations, we settled on creating two options for you to WordPress on the go:
The WordPress app will focus on WordPress’ core functionality. If you’re looking for the essential tools you need to publish on the go, with support for offline editing and the ability to upload media straight from your phone’s camera roll, then this may be the app for you.
The Jetpack app is the premium mobile publishing experience for our super-connected world. With it, you’ll get all the essential tools that come with the WordPress app, plus a suite of features for growing your site. Track the performance of your content with Stats, get notified about comments and reactions with Notifications, and discover content and join communities with the Reader. Whether you’re new to publishing on the Internet or a seasoned veteran, have a WordPress site already or want to start a new one — download the Jetpack app today for a great set of tools to start or grow!
Either app is available for you to use. Once you’ve decided which app is best for you, please delete the other. Managing your site across both apps is currently unsupported and may lead to issues like data conflicts.
We’re excited to offer different apps to suit different needs and will be sharing further details over the coming weeks. In the meantime, we want to hear from you! Please feel welcome to comment on this post with any questions or feedback you may have.
OPINION: When Automattic launched a mobile app for Jetpack in June 2021, it was targeted mainly at users who were on a paid Jetpack plan, as it enables access to features like backups, restores, and security scanning. Most importantly, the app gave Automattic a more direct path for monetizing Jetpack, without adding more commercial interests into the official WordPress apps.
This week Jetpack announced that it has revamped the app and is offering a more compelling reason for those using the free plan to migrate. As part of a longterm effort to refocus the official WordPress apps, features that require Automattic’s products (the Jetpack plugin or a WordPress.com account) in order to use them, will soon be removed. This includes the Stats, Reader, and Notifications features, which have been relocated to the Jetpack app. WordPress.com announcement for the revamped Jetpack app
WordPress.com users and Jetpack users on the free plan who previously relied on these features will need to switch to the free Jetpack mobile app. All the features that are moving over from the core WordPress app will still be free in the Jetpack app.
While most self-hosted Jetpack users may easily understand the need for the switch, this transition may be rougher for WordPress.com users who do not understand the history of the mobile apps and see it all as “WordPress.” They may not be aware that Automattic’s integrated products have been controversial features in the official WordPress apps for nearly a decade.
The announcement on WordPress.com is confusing, as it presents Jetpack as just a new optional app and doesn’t convey the urgency of migrating if users still want access to stats, notifications, the reader, and any additional paid features.
The post’s FAQ section describes the Jetpack app as “the premium mobile publishing experience for our super-connected world” and states that “the Jetpack app is free to download.” WordPress.com users who commented on the post found the words “premium” and “free to download” to be suspicious and confusing. They don’t understand the reason for two apps:
“Do we have to change over? I only want to blog, I’m not technical and I don’t understand why you have done this or how to use it?”
“So is WordPress now called Jetpack?”
“If it ain’t broke, don’t fix it. This move is not in your users’ best interests so why is it being done? This smacks of the recent pricing debacle.”
“I’m really disappointed by this decision. Why are you forcing us to use two apps? Your explanation of the differences makes no sense, and sounds like you made a decision for some reason you won’t tell us and you’re just trying to justify it. This is not user-focused at all.”
Users are also concerned about data loss, as those who are migrating to the newly revamped app are advised to delete the WordPress app after installing the Jetpack app. The announcement states that “Managing your site across both apps is currently unsupported and may lead to issues like data conflicts.”
One user asked if there are premium features in the Jetpack app that will carry additional cost, and if there is any advertising included within the app.
“For clarity, the Jetpack app is free to use and doesn’t include in-app advertisements,” Automattic representative Siobhan Bamber said.
“We’re still planning our 2023 roadmap, and it’s possible in-app purchases will be a part of our plans. The driving goal would be to offer features that bring most value to users, and we’re keen to hear any ideas or feedback. Any in-app purchases would be optional, with the currently free features remaining free to use.”
In response to those asking about the differences between the two apps, Bamber said there will be a couple more posts on the WordPress.com news blog in the following weeks.
Users will need to have the latest version of the WordPress app installed in order to automatically migrate their data and settings to the Jetpack app. This includes locally stored content, saved posts, and in-app preferences. The FAQ states that after users download the Jetpack app, they will be “auto-magically” logged in with all their content in place.
“One good way to confirm whether your version of the WordPress app supports ‘auto migration’ is to tap one of the in-app ‘Jetpack powered’ banners,” Bamber advised users in the comments. “You’ll find these banners at the bottom of sections including Stats and Reader. If you tap the banner, you’ll only see the ‘Switch to the new Jetpack app’ prompt in versions that support migration.”
The revamped Jetpack app has been presented to WordPress.com users as a more feature-rich way to publish to their websites, but it also lays the burden of choice on users to try to understand the difference between the two apps and select one for all the sites they manage. Many don’t want the inconvenience of switching to a new app. Based on the users’ responses, it might have been easier for them to understand that the official WordPress apps are removing all features require the Jetpack plugin or a WordPress.com account – instead of selling it as a new, shiny publishing experience.
Migrating to the Jetpack app is the best option if you want to continue using the Stats, Reader, and Notifications features. In order to make it easy for users to choose the best path forward, future posts on WordPress.com should make it crystal clear what features users can expect in each app and when they will need to take action.
Editor says …Sterling Publishing & Media Service Agency is not responsible for the content of external site or from any reports, posts or links, and can also be found here on Telegram: https://t.me/acenewsdaily and all wordpress and live posts and links here: https://acenewsroom.wordpress.com/and thanks for following as always appreciate every like, reblog or retweet and free help and guidance tips on your PC software or need help & guidance from our experts AcePCHelp.WordPress.Com
This is our daily post that is shared across Twitter & Telegram and published first on here with Kindness & Love XX on peace-truth.com/
#AceNewsRoom in Kindness & Wisdom provides News & Views @acebreakingnews
Ace Press News From Cutting Room Floor: Published: Jan.15: 2023:
#AceBreakingNews – Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available according to Bleeping Computer News
SQL injection is a website security flaw that allows attackers to input data into form fields or via URLs that modify legitimate database queries to return different data or modify a database.
Depending on the website code being vulnerable to a SQL injection flaw, an attacker could modify or delete data to a site, inject malicious scripts, or gain full access to the website.
Proof of Concept exploits released
The three vulnerable plugins were discovered by Tenable security researcher Joshua Martinelle, who reported them responsibly to WordPress on December 19, 2022, along with proofs of concept (PoCs).
The authors of the plugins released security updates to address the issues in the following days or weeks, so all problems have been fixed now, and those running the latest available version are no longer vulnerable.
Yesterday, the researcher disclosed technical details about each vulnerability with proof of concept exploits using the SLEEP function to demonstrate how the flaws work.
The first plugin that was found to be vulnerable to SQL injection is ‘Paid Memberships Pro,’ a membership and subscriptions management tool used in over 100,000 websites.
“The plugin does not escape the ‘code’ parameter in the /pmpro/v1/order REST route before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability,” reveals Tenable’s post.
The flaw is tracked as CVE-2023-23488, receiving a CVSSv3 severity rating of 9.8 (critical), and it affects all versions of the plugin older than 2.9.8. Paid Memberships Pro fixed the vulnerability on December 27, 2022, with the release of version 2.9.8.
Provided example of a test attack leveraging CVE-2023-23488(Tenable)
The second WordPress add-on vulnerable to SQL injection is ‘Easy Digital Downloads,’ an e-commerce solution for selling digital files with over 50,000 active installations.
“The plugin does not escape the ‘s’ parameter in the ‘edd_download_search’ action before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability,” explains Tenable.
“The vulnerable part of the code corresponds to the ‘edd_ajax_download_search()’ function of the ‘./includes/ajax-functions.php’ file.”
The vulnerability is tracked as CVE-2023-23489 and has received a CVSSv3 severity rating of 9.8, categorizing it as critical. The flaw impacts all versions below 3.1.0.4, released on January 5, 2023.
Finally, Tenable discovered CVE-2023-23490, a ‘high-severity’ SQL injection flaw in ‘Survey Marker,’ a WordPress plugin used by 3,000 websites for surveys and market research.
The flaw received a severity rating of 8.8, according to the CVSS v3, because the attacker has to be authenticated as at least a subscriber to exploit it.
However, this prerequisite is usually easy to fulfill, as many websites allow visitors to register as members.
Survey Marker was the quickest vendor to respond to Tenable’s SQL injection discovery, releasing a fixing update on December 21, 2022, with version 3.1.2.
While all of these plugins were vulnerable to SQL injection, and proof of concept exploits were released, Tenable did not share what impact they could lead if exploited in attacks.
However, as the bugs are categorized as critical, it is recommended that all sites using these plugins upgrade to the latest version.
Editor says …Sterling Publishing & Media Service Agency is not responsible for the content of external site or from any reports, posts or links, and can also be found here on Telegram: https://t.me/acenewsdaily and all wordpress and live posts and links here: https://acenewsroom.wordpress.com/and thanks for following as always appreciate every like, reblog or retweet and free help and guidance tips on your PC software or need help & guidance from our experts AcePCHelp.WordPress.Com
#AceNewsDesk – Popular WordPress plugin Ultimate Shortcodes used in over 700,000 WordPress websites contains a CSRF vulnerability according to SearchEngineLand by Roger Montti
The United States government National Vulnerability Database (NVD) published an advisory about Shortcodes Ultimate WordPress plugin, warning that it was discovered to contain a Cross Site Request Forgery vulnerability.
Shortcodes Ultimate is a highly popular WordPress plugin that has over 700,000 active installations.
The vulnerability affects plugin versions that are older than the current version 5.12.2.
Cross-Site Request Forgery Vulnerability
Cross-Site Request Forgery, commonly referred to as CSRF, is a type of vulnerability that can in the worst cases can lead to complete website takeover.
These kinds of vulnerabilities are generally caused by targeting a flaw in software that can trigger a change, which can then lead to unintended consequences.
A successful attack generally depends on a user, for example with administrative privileges, clicking on a link and unintentionally revealing information like a session cookie which can then be used to impersonate that person.
This kind of vulnerability depends on social engineering, which is manipulating an end user to complete an action which then takes advantage of the plugin vulnerability.
“CSRF is an attack that tricks the victim into submitting a malicious request.
It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf…
For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth.
Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.”
National Vulnerability Database (NVD)
The National Vulnerability Database published just a few details about the vulnerability. There is currently no complete breakdown of the vulnerability itself.
“Fixed issue with Shortcode Generator Presets, introduced in the previous update”
The above changelog appears to misspell the security researcher’s name, which is correctly spelled Dave Jong, CTO of Patchstack, the person who is credited with discovering and reporting the vulnerability.
Recommended Course of Action
WordPress publishers who currently use Shortcodes Plugin should consider updating to the very latest version, which at the time of writing is currently version 5.12.2.
Editor says …Sterling Publishing & Media Service Agency is not responsible for the content of external site or from any reports, posts or links, and can also be found here on Telegram: https://t.me/acenewsdaily and all wordpress and live posts and links here: https://acenewsroom.wordpress.com/and thanks for following as always appreciate every like, reblog or retweet and free help and guidance tips on your PC software or need help & guidance from our experts AcePCHelp.WordPress.Com
Versions 13.1 – 14.1 of the Gutenberg plugin will be rolled into core for 6.1. This includes features like improved block placeholders, more design tools for blocks, fluid typography, improvements to editor preferences and new modal interfaces, the use of block-based template parts in classic themes, locking settings for inner blocks, and more.
If you have the Gutenberg plugin installed, then you already have access to many of these features and may have been part of the testing process if you have reported bugs.
The bulk of the improvements in 6.1 is for the editor (700+ enhancements and bug fixes), but the rest of the core components also have 250 tickets that will make it into the next release.
These include improvements to build/test tools, new error logging and hooks for wp-cron.php, new oEmbed support for Google Data Studio and Pocket Casts, REST API debug mode, new introduction on Permalinks Setting screen, various Site Health improvements and more.
WordPress 6.1 is also set to introduce the highly anticipated new default theme, Twenty Twenty-Three, with 10 style variations contributed from WordPress’ community of designers.
Editor says …Sterling Publishing & Media Service Agency is not responsible for the content of external site or from any reports, posts or links, and can also be found here on Telegram: https://t.me/acenewsdaily and all wordpress and live posts and links here: https://acenewsroom.wordpress.com/and thanks for following as always appreciate every like, reblog or retweet and free help and guidance tips on your PC software or need help & guidance from our experts AcePCHelp.WordPress.Com
You must be logged in to post a comment.