Introducing RequireWP

RequireWP WordPress plugin header: "RequireWP" on top of a black barbell with a blue motion-blurred target to the right.

I built this new WordPress plugin, RequireWP, to help speed up the web. It extends WordPress’s WP_Scripts class to write your script requirements out with Require.js syntax. I have seen a ~20% speed increase (decline in load time) on this site, which also uses the plugin. After installing it, I just had to modify the theme’s required scripts, since a few were not set correctly.


WordPress 4.7.2: Hidden Exploit Fix

The WordPress logo. A "W" cut out of a dark gray circle with an outline of the same color. "WordPress" is written below the logo. "Word" is a dulled blue and "Press" is the same gray color as the logo.

The recently released version 4.7.2 of WordPress contained an additional security fix that was not disclosed in the changelog at release time. The issue: an unauthenticated privilege escalation / content injection vulnerability in the REST API that allowed anyone to edit the content of any post.

How?

The permission check on the REST API’s post update route did not properly validate the post ID. If the ID was not a valid numeric ID but still started with a valid one, such as “134A”, the permission check failed to load a post for it and so raised no error, treating the request as if there were nothing to protect. The update handler then cast the same value to an integer (the “A” is stripped, leaving 134) and updated that real post. Because the check never ran against the post being modified, any unauthenticated user could overwrite its content, including injecting shortcodes that installed plugins would then execute (and possibly reach other routes with the same pattern).
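The following is an added, simplified reconstruction written for this page to show the fail-open check beside a fail-closed one; it is not WordPress core code. The in-memory $posts array, fake_get_post(), can_edit(), update_item() and the two permission-check functions are stand-ins that keep only the shape of the logic described above (a non-numeric ID cannot be loaded, but an integer cast of the same string still resolves to a real post). The request ID is assumed to arrive as a string the way a query-string or body parameter would.

```php
<?php
// Added example: simplified, stand-alone reconstruction of the 4.7.1 REST
// post-update permission check and update path. Not WordPress core code.
// Run with: php rest_id_check.php

// Constructed sample data: one published post with ID 134.
$posts = array( 134 => array( 'title' => 'Hello world', 'content' => 'original' ) );

// Stand-in for loading a post by ID. Like WordPress, it refuses IDs that are
// not strictly numeric, so "134A" yields null here rather than post 134.
function fake_get_post( $id, array $posts ) {
    if ( ! is_numeric( $id ) || $id != floor( $id ) || ! $id ) {
        return null;
    }
    return isset( $posts[ (int) $id ] ) ? $posts[ (int) $id ] : null;
}

// Stand-in capability check: an anonymous caller has no edit rights.
function can_edit( $post, $user_is_editor ) {
    return $user_is_editor;
}

// Vulnerable check (shape of the pre-4.7.2 logic): when no post can be
// loaded for the ID there is "nothing to protect", so the check passes.
function vulnerable_permission_check( $request_id, array $posts, $user_is_editor ) {
    $post = fake_get_post( $request_id, $posts );
    if ( $post && ! can_edit( $post, $user_is_editor ) ) {
        return false; // would be a rest_cannot_edit error
    }
    return true;
}

// The update handler casts the ID to int: "134A" becomes 134, a real post.
function update_item( $request_id, array &$posts, $new_content ) {
    $id = (int) $request_id;
    if ( ! isset( $posts[ $id ] ) ) {
        return false; // would be a rest_post_invalid_id error
    }
    $posts[ $id ]['content'] = $new_content;
    return true;
}

// Hardened check: reject anything that is not exactly an integer string
// before any cast, then fail closed if the post is missing or the caller
// lacks rights. The check and the handler now resolve the same post.
function hardened_permission_check( $request_id, array $posts, $user_is_editor ) {
    if ( ! is_numeric( $request_id ) || (string) (int) $request_id !== (string) $request_id ) {
        return false; // "134A" (and "0134") rejected here
    }
    $post = fake_get_post( (int) $request_id, $posts );
    if ( ! $post ) {
        return false;
    }
    return can_edit( $post, $user_is_editor );
}

// Anonymous update request carrying the ID "134A", against the old logic.
$anon = false;
if ( vulnerable_permission_check( '134A', $posts, $anon ) ) {
    update_item( '134A', $posts, '[injected content]' );
}
echo "vulnerable path, post 134 content: {$posts[134]['content']}\n";

// Same request against the hardened check; the post is left untouched.
$posts[134]['content'] = 'original';
if ( hardened_permission_check( '134A', $posts, $anon ) ) {
    update_item( '134A', $posts, '[injected content]' );
}
echo "hardened path, post 134 content: {$posts[134]['content']}\n";
```

Run stand-alone, the first line reports the injected content (the anonymous caller got through and post 134 was overwritten), while the second still reports the original content. The general lesson is the one the fix embodies: an authorization check must resolve the target object exactly the way the handler it guards will, and must fail closed when it cannot resolve one.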

This issue affects 4.7.0 and 4.7.1, where the REST API is enabled by default, and was fixed in 4.7.2, so make sure your WordPress install is updated!

Disclosure of Additional Security Fix in WordPress 4.7.2

Release: WordPress 4.7.2


Last week WordPress released the second security update for version 4.7. Three security issues were fixed:

  • The Press This interface for assigning taxonomy terms was shown to users who did not have permission to assign them.
  • WP_Query was vulnerable to SQL injection when passed unsafe data (via post types). Core itself was not directly affected, but hardening was added so that poorly coded plugins and themes passing unsanitized input do not introduce an injection.
  • A cross-site scripting (XSS) vulnerability in the post listing table was fixed: post excerpts were not being escaped.
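The following is an added example, not WordPress core code or any real plugin. It shows the kind of theme or plugin pattern the WP_Query hardening protects against, and the fix a practitioner should make regardless of core’s escaping: resolve untrusted input against the set of post types that actually exist instead of passing it through. It assumes it runs inside WordPress; the query variable name “type” and the function names are made up for illustration.

```php
<?php
// Added example, not WordPress core or any real plugin. Assumes WordPress;
// the "type" query variable and function names are hypothetical.
defined( 'ABSPATH' ) || exit;

// Before: request input flows straight into the post_type argument. Prior to
// 4.7.2 WP_Query could interpolate this value into the generated SQL without
// escaping, so a crafted ?type= value reached the query text directly.
function example_archive_query_vulnerable() {
    $type = isset( $_GET['type'] ) ? wp_unslash( $_GET['type'] ) : 'post';
    return new WP_Query( array(
        'post_type'      => $type,
        'posts_per_page' => 10,
    ) );
}

// After: normalise the input to a key, accept it only if it names a public,
// registered post type, and fall back to a safe default otherwise. The value
// handed to WP_Query is then always one core registered, never user data.
function example_archive_query_hardened() {
    $requested = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : 'post';
    $allowed   = get_post_types( array( 'public' => true ), 'names' );
    $type      = in_array( $requested, $allowed, true ) ? $requested : 'post';
    return new WP_Query( array(
        'post_type'      => $type,
        'posts_per_page' => 10,
    ) );
}
```

The allow-list approach also closes off the non-SQL failure modes (querying private or internal post types by name) that escaping alone would not address.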

If you are not using automated updates, it is strongly encouraged that you manually update your WordPress install to this release to prevent exploitation.

WordPress 4.7.2 Security Release


Release: WordPress 4.7.1


WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7.

The update fixes eight (8) security issues as well as sixty-two (62) other bugs found in 4.7:

  1. Remote code execution (RCE) in PHPMailer. No specific issue was found to affect WordPress or any of the major plugins the WordPress team investigated, but PHPMailer was updated in this release out of an abundance of caution.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to post types that have specified they should be shown within the REST API.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  5. Cross-site scripting (XSS) via theme name fallback.
  6. The Post via Email feature contacted mail.example.com when the default settings were left unchanged.
  7. Cross-site request forgery (CSRF) in the accessibility mode of widget editing.
  8. Weak cryptographic security for the multisite activation key.

It is strongly encouraged that you update your version of WordPress as soon as possible to avoid possible exploitation. As always, I also encourage everyone to read through the changelog to see what was fixed or what could be a potential issue in the future.

WordPress 4.7.1 Security and Maintenance Release

WordPress 4.7 “Vaughan” Released


WordPress (WP) has released version 4.7 of their blogging and content management software. It has been codenamed in honor of the legendary jazz vocalist Sarah “Sassy” Vaughan. Here are some of the new features:

Twenty Seventeen

As always, new version, new theme…

Image: WordPress 4.7’s default theme, Twenty Seventeen. Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections; it can be personalized with widgets, navigation, social menus, a logo, custom colors, and more, and works in many languages, on any device, and for a wide range of users.

Theme Starter Content

When you set up a new theme on a site with no content, the theme can provide starter content to show off its capabilities.

Edit Shortcuts

New icons appear in the Customizer to show what content can be changed in real-time within the live preview.

Video Headers

Video headers can be added to themes with a video selector that shows up in the Customizer.

Blank Pages During Menu Creation

If you don’t have content for your site yet but know how you want your menu structured, the menu editor now allows creating blank pages on the fly while setting up the menu.

Custom CSS

Custom CSS can now be added through the Customizer (“Additional CSS”). Note that this is not the theme or plugin file editor: the CSS is stored in the database as a custom_css post, not written to a file. The file editors are what many hosts disable (via DISALLOW_FILE_EDIT), since they are a frequent vector for planting malware once an account is compromised; Additional CSS is instead gated on the edit_css capability, which by default maps to unfiltered_html.

PDF Thumbnail Previews

Uploaded PDFs now get an image preview in the media library, just like images do (this requires the Imagick extension with Ghostscript support on the server):

Image showing a PDF file with an image preview in the media library.

Dashboard in your language

Each user can now set their own language for the admin dashboard, independent of the site language.

REST API Content Endpoints

Content endpoints for posts, comments, terms, users, meta, and settings now ship in core and are enabled by default, as the API continues to be built out in stages. Because they are on by default, the REST API’s authorization checks are now part of every 4.7 site’s attack surface.

Post Type Templates for All

Page templates are no longer limited to pages: a template file can declare which post types it supports (via a Template Post Type header), and is then offered for those custom post types.

Custom Bulk Actions

One of the most-often requested features is now available in this version. In the past, adding custom bulk actions required hacking around the existing list-table code. Now there are built-in hooks for it: bulk_actions-{screen} to add an entry to the Bulk Actions dropdown and handle_bulk_actions-{screen} to process the selected items, so a custom action can be applied to many posts at once.
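The following is an added example, not WordPress core code or any real plugin, showing the two hooks used together as a small plugin on the Posts list table (screen id edit-post). It assumes WordPress 4.7 or later; the action name “mark_reviewed”, the “_reviewed” meta key and the “marked_reviewed” query variable are made up for illustration. The point a security reviewer cares about is step 2: WordPress verifies the bulk-action nonce before the handler filter fires, but the per-post capability check is still the plugin’s responsibility.

```php
<?php
/*
Plugin Name: Bulk Mark Reviewed (added example)
*/
// Added example, not WordPress core or any real plugin. Assumes WordPress
// 4.7+; "mark_reviewed", "_reviewed" and "marked_reviewed" are hypothetical.
defined( 'ABSPATH' ) || exit;

// 1. Offer the action in the "Bulk actions" dropdown of the Posts list table.
add_filter( 'bulk_actions-edit-post', function ( $actions ) {
    $actions['mark_reviewed'] = __( 'Mark as reviewed' );
    return $actions;
} );

// 2. Handle it. The bulk-posts nonce has already been checked by edit.php
//    before this filter runs; authorization per post is still ours to do.
add_filter( 'handle_bulk_actions-edit-post', function ( $redirect_to, $action, $post_ids ) {
    if ( 'mark_reviewed' !== $action ) {
        return $redirect_to;
    }
    $done = 0;
    foreach ( array_map( 'intval', $post_ids ) as $post_id ) {
        // Never trust the submitted ID list: check each post individually.
        if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
            continue;
        }
        update_post_meta( $post_id, '_reviewed', current_time( 'mysql', true ) );
        $done++;
    }
    // Carry only a count back through the redirect, never raw request data.
    return add_query_arg( 'marked_reviewed', $done, $redirect_to );
}, 10, 3 );

// 3. Report the result. The query variable is cast to int before output and
//    the message is escaped, so nothing from the URL is echoed verbatim.
add_action( 'admin_notices', function () {
    if ( ! isset( $_REQUEST['marked_reviewed'] ) ) {
        return;
    }
    $count = (int) $_REQUEST['marked_reviewed'];
    printf(
        '<div class="notice notice-success is-dismissible"><p>%s</p></div>',
        esc_html( sprintf( _n( '%d post marked as reviewed.', '%d posts marked as reviewed.', $count ), $count ) )
    );
} );
```

For other list tables, replace edit-post with that screen’s id (for example edit-page, or edit-{post_type} for a custom post type).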

WP_Hook

The code that runs actions and filters has been rewritten around a new WP_Hook class. The rewrite fixes a number of long-standing bugs (for example with callbacks that add or remove other callbacks on the same hook while it is running) and adds a few new capabilities.

Settings Registration API

The register_setting() function now accepts an array of arguments including the option’s type, a description, a sanitize_callback, a default value, and show_in_rest, which controls whether the option is exposed through the REST API settings endpoint.
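The following is an added example, not WordPress core code or any real plugin, registering two options with the new arguments: one that is safe to expose through the REST settings endpoint and one (a secret) that is deliberately kept out of it. It assumes WordPress 4.7 or later; the option names example_items_per_row and example_webhook_secret are made up for illustration.

```php
<?php
// Added example, not WordPress core or any real plugin. Assumes WordPress
// 4.7+; the option names are hypothetical. Registered on init so the
// settings are known to both admin screens and REST requests.
defined( 'ABSPATH' ) || exit;

add_action( 'init', function () {
    // A harmless display setting: typed, described, clamped to a sane range
    // by its sanitize_callback, and exposed via wp/v2/settings.
    register_setting( 'general', 'example_items_per_row', array(
        'type'              => 'integer',
        'description'       => 'Number of items shown per row on archive pages.',
        'sanitize_callback' => function ( $value ) {
            return max( 1, min( 6, (int) $value ) );
        },
        'show_in_rest'      => true,
        'default'           => 3,
    ) );

    // A secret: same API, but show_in_rest is false so it never appears in
    // REST responses, and the callback only stores a plausible token shape.
    register_setting( 'general', 'example_webhook_secret', array(
        'type'              => 'string',
        'description'       => 'Shared secret used to verify incoming webhooks.',
        'sanitize_callback' => function ( $value ) {
            $value = (string) $value;
            return preg_match( '/^[A-Za-z0-9_\-]{32,128}$/', $value ) ? $value : '';
        },
        'show_in_rest'      => false,
        'default'           => '',
    ) );
} );
```

The settings endpoint itself is restricted to users with manage_options, so show_in_rest = false on a secret is defense in depth rather than the only control; the sanitize_callback, by contrast, runs on every write path (admin form, REST, and update_option) and is the place to enforce the value’s shape.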

Customizer Changesets

Changes made in the Customizer are now saved to a new customize_changeset post type before they are published, so a session’s pending edits persist until they are published or discarded.