I built this new WordPress plugin, RequireWP, to help speed up the web. It extends WordPress’s WP_Scripts class to write your script requirements out in Require.js syntax. I have seen a ~20% reduction in load time on this site, which is also using the plugin. After installing it I only had to fix the theme’s required scripts, since a few were not declared correctly.
The recently released version 4.7.2 of WordPress contained an additional security fix that was not disclosed in the changelog at release time. The issue? A privilege escalation / content injection bug in the REST API that could let anyone edit any post.
Part of the REST API had an improper check for a valid post. If the supplied ID was not a valid post ID but still contained a valid ID within a string, such as “134A”, it was converted to an integer (the A gets stripped away, leaving just 134), which gave any user access to update that post via shortcodes (and possibly other routes).
This issue was fixed in 4.7.2 so make sure your WordPress install is updated!
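To make the class of bug concrete, here is an added example (not WordPress core code, and not from the original post) that models the pattern described above: a permission check and the action it guards parse the same untrusted “id” differently, so a string like “134A” slips past the check and still selects post 134. The post store, user ids and function names are constructed for illustration; the hardened variant validates the ID once, canonically, before anything else runs.

```php
<?php
// Added example, not WordPress core: models a permission check and an update
// path that disagree on how to parse an untrusted id. All names constructed.

declare(strict_types=1);

/** Constructed stand-in for a post table: post id => author user id. */
const POSTS = [134 => 7];

/** Constructed scenario: the requesting user does not own post 134. */
const CURRENT_USER = 42;

/**
 * Strict lookup: anything that is not purely numeric yields null, so a
 * permission check built on it sees "no post" for "134A".
 */
function lookup_post(string $id): ?array {
    if (!is_numeric($id) || (int) $id <= 0) {
        return null;
    }
    $key = (int) $id;
    return array_key_exists($key, POSTS) ? ['id' => $key, 'author' => POSTS[$key]] : null;
}

/** Vulnerable pattern: ownership is only checked when the strict lookup found a post. */
function vulnerable_update(string $id, int $user): string {
    $post = lookup_post($id);
    if ($post && $post['author'] !== $user) {
        return 'forbidden';
    }
    // The action path casts loosely: (int) "134A" === 134 in PHP.
    $target = (int) $id;
    return array_key_exists($target, POSTS) ? "updated post {$target}" : 'not found';
}

/** Hardened pattern: accept only a canonical id, resolve it once, then check ownership. */
function hardened_update(string $id, int $user): string {
    if (!ctype_digit($id)) {          // digits only; "134A" is rejected outright
        return 'invalid id';
    }
    $post = lookup_post($id);
    if ($post === null) {
        return 'not found';
    }
    if ($post['author'] !== $user) {
        return 'forbidden';
    }
    return "updated post {$post['id']}";
}

foreach (['134', '134A'] as $id) {
    printf(
        "%-5s vulnerable: %-18s hardened: %s\n",
        $id,
        vulnerable_update($id, CURRENT_USER),
        hardened_update($id, CURRENT_USER)
    );
}
```

Run it with `php example.php`: the plain “134” is refused by both versions because the user is not the author, while “134A” is accepted by the vulnerable path and rejected as an invalid id by the hardened one. The lesson for reviewers is to look for any place where a check and the action it protects derive their target from the same input through different conversions.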
Last week WordPress released the second security update for version 4.7. There were 3 security issues fixed:
- Interface for assigning taxonomy terms in Press This was shown to users who did not have permission
- An SQL injection vulnerability involving post types was patched in the WP_Query class, so that poorly coded plugins and themes cannot be exploited through it
- Fixed a cross-site scripting (XSS) vulnerability in the post listing table (excerpts were not being escaped)
It is strongly encouraged that, if you are not using an automated update system, you manually update your WordPress installation to this latest release to prevent exploitation.
WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7.
The update fixes eight (8) major security issues as well as sixty-two (62) other various bugs found in 4.7.
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file.
- Cross-site scripting (XSS) via theme name fallback.
- Post via email checks mail.example.com if default settings aren’t changed.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
- Weak cryptographic security for multisite activation key.
It is strongly encouraged that you update your version of WordPress as soon as possible to avoid exploitation. As always, I also encourage everyone to read through the changelog to see what was fixed and what could be a potential issue in the future.
WordPress (WP) has released version 4.7 of their blogging and content management software. It has been codenamed in honor of the legendary jazz vocalist Sarah “Sassy” Vaughan. Here are some of the new features:
As always, new version, new theme…
Theme Starter Content
When you set up a new theme with no content, the theme can provide some starter content to show off its capabilities.
New icons appear in the Customizer to show what content can be changed in real-time within the live preview.
Video headers can be added to themes with a video selector that shows up in the Customizer.
Blank Pages During Menu Creation
If you don’t have content for your site yet but know how you want your menu structured, the menu editor now allows creating blank pages on the fly while setting up the menu.
Custom CSS can be added through the Customizer (note that many hosts disable file-editing features like this, since they are a frequent source of exploits and malware).
PDF Thumbnail Previews
PDFs that are uploaded now generate image previews just like images:
Dashboard in your language
The admin area can now have its own per-user language setting.
REST API Content Endpoints
Endpoints for posts, comments, terms, users, meta, and settings are provided by default in this version as the API components continue to be built out.
Post Type Templates for All
Post type templates are now available for all custom post types.
Custom Bulk Actions
One of the most-often requested features is now available in this version. In the past, adding custom bulk actions required a lot of hacking around the existing code. Now there are built-in hooks that make it straightforward to add custom actions that can be applied to many posts at once.
The code that runs actions and hooks has been rewritten, fixing a number of bugs and adding a few new capabilities.
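As an added example (not from the original post or WordPress core), here is a custom bulk action on the Posts list table using the two filters introduced for this purpose in 4.7, `bulk_actions-{screen_id}` and `handle_bulk_actions-{screen_id}`. The action slug, text domain and meta key are constructed. The point worth noting is that WordPress verifies the list table nonce before the handler filter runs, but it does not check whether the user may edit each selected post; the handler has to do that itself, per post.

```php
<?php
// Added example, not WordPress core: a custom bulk action for the Posts screen.
// Runs inside WordPress as plugin or theme code. Slug, domain and meta key constructed.

// 1. Offer the action in the "Bulk actions" drop-down on the Posts screen (screen id "edit-post").
add_filter( 'bulk_actions-edit-post', function ( array $actions ) {
    $actions['example_mark_reviewed'] = __( 'Mark as reviewed', 'example-plugin' );
    return $actions;
} );

// 2. Handle the submitted action. edit.php has already called check_admin_referer()
//    for the list table nonce; the per-post capability check is still our job.
add_filter( 'handle_bulk_actions-edit-post', function ( $redirect_to, $doaction, $post_ids ) {
    if ( 'example_mark_reviewed' !== $doaction ) {
        return $redirect_to;           // not ours; let other handlers see it
    }

    $done = 0;
    foreach ( (array) $post_ids as $post_id ) {
        $post_id = absint( $post_id );
        // A user may be allowed to edit some of the selected posts but not others,
        // so check edit_post for each id rather than once for the batch.
        if ( $post_id && current_user_can( 'edit_post', $post_id ) ) {
            update_post_meta( $post_id, '_example_reviewed', 1 );
            $done++;
        }
    }

    // Carry the count back to the list table so a notice can be shown.
    return add_query_arg( 'example_reviewed', $done, $redirect_to );
}, 10, 3 );
```

The handler returns the redirect URL rather than echoing output, which is what the filter contract expects; a matching `admin_notices` callback can read the `example_reviewed` query argument to report how many posts were processed.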
Settings Registration API
The register_setting() function has been updated to include type, description, and REST API visibility.
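The following is an added example (not from the original post or WordPress core) of registering an option with the new arguments. The option name and text are constructed; the settings group `reading` is a core group. The `sanitize_callback` is what keeps arbitrary markup out of the stored value, and `show_in_rest` should stay `false` for anything sensitive, since it exposes the option through the REST settings endpoint.

```php
<?php
// Added example, not WordPress core: register_setting() with the 4.7 argument array.
// Runs inside WordPress as plugin or theme code. Option name and strings constructed.

add_action( 'init', function () {
    register_setting(
        'reading',                         // core settings group this option appears under
        'example_plugin_banner_text',      // constructed option name
        array(
            'type'              => 'string',
            'description'       => 'Short banner text shown to visitors.',
            'sanitize_callback' => 'sanitize_text_field', // strip tags and stray whitespace on save
            'show_in_rest'      => true,   // readable/writable via the REST settings endpoint
            'default'           => '',
        )
    );
} );
```

Hooking on `init` rather than `admin_init` matters here: the REST settings endpoint is served outside the admin, so a setting registered only on `admin_init` would be missing from the REST schema.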
A new post status (customize_changeset) is created when something is changed in the Customizer before it is published.