EDITS.WS

Author: Sarah Gooding

  • ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement

    On May 5, Patchstack published a security advisory about a high severity reflected cross-site scripting (XSS) vulnerability in ACF (Advanced Custom Fields), potentially affecting more than 4.5 million users. WP Engine patched the vulnerability on May 4, but the Akamai Security Intelligence Group (SIG) is reporting that attackers began attempting to exploit it within 24 hours of Patchstack’s publication.

    “Once exploit vector details are publicly released, scanning and exploitation attempts rapidly increase,” Akamai Principal Security Researcher Ryan Barnett said. “It is common for security researchers, hobbyists, and companies searching for their risk profile to examine new vulnerabilities upon release. However, the volume is increasing, and the amount of time between release and said growth is drastically decreasing. The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public.

    “What is particularly interesting about this is the query itself: The threat actor copied and used the Patchstack sample code from the write-up.”

    Patchstack’s security advisory includes a breakdown of the vulnerability, sample payload, and details of the patch.

    Although the vulnerability, assigned CVE-2023-30777, was promptly patched, and WP Engine alerted its users the same day, site owners have been slow to update to the latest, patched version of the plugin (6.1.6). Only 31.5% of the plugin’s user base are running version 6.1+, leaving a significant portion still vulnerable unless they are protected by additional security measures like virtual patches.

    “Exploitation of this leads to a reflected XSS attack in which a threat actor can inject malicious scripts, redirects, ads, and other forms of URL manipulation into a victim site,” Barnett said. “This would, in turn, push those illegitimate scripts to visitors of that affected site. This manipulation is essentially blind to the site owner, making these threats even more dangerous.”

    Barnett noted that attackers’ reuse of the sample code from Patchstack indicates these are not sophisticated attempts, but the comprehensive security advisory makes vulnerable sites easy to target.

    “This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management,” Barnett said.

  • Themeum Acquires Kirki Customizer Framework Plugin

    Themeum, a WordPress theme and plugin company founded in 2013, has acquired the Kirki Customizer Framework plugin from its former developer, David Vongries. In April 2023, Vongries announced he was sunsetting the product and discontinuing development. He put the plugin up for sale for $30K and sold it for just under the asking price.

    “I met the Themeum team at WordCamp Europe in 2019 and have fond memories of our encounter,” Vongries said. “They reached out to me immediately after the blog post was published on the Tavern, where I expressed my search for a new home for Kirki.

    “Themeum is a major player in the WordPress world and I truly believe they’ll be a fantastic fit for Kirki. They have the resources to take the plugin to the next level and give it the attention it deserves.”

    Rayhan Arif, Assistant Vice President of Business Development at Themeum, is expecting the Kirki plugin to come under the profile of Themeum on WordPress.org shortly. Themeum is the company behind Tutor LMS, Qubely – Advanced Gutenberg Blocks, and nearly a dozen other smaller plugins.

    “Since 2012, we have been deeply involved in creating a similar product on another platform,” Arif said. “Our past experiences have equipped us with the necessary skills and knowledge that we believe will greatly enhance the value of this plugin. With this improvement, developers will find it easier to add customization options to their WordPress themes. In a sense, this feels like a homecoming product for us.”

    Vongries reported that support on the plugin was “basically zero,” despite there being more than 600,000 active installs. This makes sense as it is a framework geared towards developers. The majority of the plugin’s users have installed the free version from WordPress.org.

    “There are only a handful of Kirki PRO customers,” Vongries said, although some had grown unhappy with Kirki’s lack of development before the acquisition.

    Themeum does not have any block-based theme products at this time, so this Customizer-dependent plugin fits in with the company’s catalog.

    “Our initial focus will be on enhancing the plugin, after which we will undoubtedly proceed with integrating it into our themes,” Arif said.

    “We are considering making certain adjustments to our pricing or business model, all with the intention of benefiting both existing and future customers. For example, we might substantially decrease the price.”

    Existing users may be concerned about the product changing hands, but Arif said it’s unlikely they will experience significant changes.

    “The acquisition is unlikely to bring about any negative implications for users,” he said. “The only perceptible change will be that product maintenance will now be handled by a professional team, well-versed in technology and carrying a wealth of experience.”

  • ACF Launches New Annual Survey

    WP Engine has launched an annual survey for Advanced Custom Fields (ACF), one of the plugins it acquired from Delicious Brains in 2022. ACF reports more than 4.5 million active users, including PRO site installs, and WP Engine Product Manager Iain Poulson reports that the plugin is “growing in every way since the acquisition.” ACF has added more users, features, and releases, along with community building efforts like bi-weekly office hours.

    This is the first time ACF has surveyed its user base about how they are building sites with WordPress and what can be improved. The survey starts with questions about the contexts in which professionals are using ACF and the volume and types of sites they are building. Respondents are asked about how they edit their sites, the type of license they are using, how often they reach for ACF in their toolbox, and which ACF features they use most often (i.e. REST API, ACF Blocks, Options pages, ACF Forms, Post Types Registration, etc.).

    The survey is on the lengthier side with an estimated 15 minutes to complete. As ACF is a critical and indispensable part of many WordPress developers’ workflow, helping to shape its future development may be worth the time. WP Engine has also added a few questions that may only be tangentially related to ACF, such as where users are hosting their WordPress sites and what they use for local development.

    “It’s our primary method for gathering insights and feedback from the WP community on what they would like to see in ACF,” WP Engine Product Marketing Manager Rob Stinson said. He also related the importance of previous customer feedback that helped ACF’s team plan and implement features like registering CPTs and Taxonomies (v6.1).

    “In the near term, we’re working on bringing a UI to register Options Pages which is a PRO plugin feature, some long requested features like bi-directional relationship fields and improvements to conditional logic rules for taxonomy fields,” Poulson said. “We will also be focussing a release on more ACF Blocks features and improvements. The survey won’t likely change those planned features, and the initial results are validating our planned work on ACF Blocks.”

    The survey ends May 19, 2023, and WP Engine plans to publish an aggregated and anonymized version of the results soon after the data is collected.

  • Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability

    Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited.

    Muhammad outlined the vulnerability in a security advisory published today:

    This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

    It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.

    The plugin’s authors published the patch today, on May 11, with the following note in the changelog:

    5.7.2 – 11/05/2023
    Improved: EA Login/Register Form for Security Enhancement
    Few minor bug fixes & improvements

    The vulnerability affects sites using versions 5.4.0 to 5.7.1 of Essential Addons for Elementor. Users are advised to update to the latest version 5.7.2 immediately now that Patchstack has published the proof of concept for exploiting it.
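    The following is an added example, not code from Essential Addons for Elementor or from Patchstack’s advisory. It shows the generic shape of the defect the advisory describes (a reset handler that changes a password without validating a reset key) next to a hardened handler that binds the reset to a key issued by WordPress core. Function names, form field names and the nonce action are hypothetical; the WordPress core functions used (`check_password_reset_key`, `reset_password`, `wp_verify_nonce`, `get_user_by`) are real.

```php
<?php
// Added example, not code from Essential Addons for Elementor: a password-reset
// handler of the kind the advisory describes (no reset-key check), beside a
// hardened version. Function names, field names and the nonce action are hypothetical.

// Vulnerable pattern: anyone who knows a username can set that user's password,
// because the handler never checks that a reset key was issued to the user.
function example_reset_password_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ) );
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        reset_password( $user, wp_unslash( $_POST['new_password'] ) ); // no key validated
    }
}

// Hardened pattern: the reset is bound to a key that was previously generated with
// get_password_reset_key() and sent to the account's email address; nothing changes
// unless that key verifies against the stored hash and has not expired.
function example_reset_password_hardened() {
    $required = array( 'user_login', 'rp_key', 'new_password', '_wpnonce' );
    foreach ( $required as $field ) {
        if ( empty( $_POST[ $field ] ) ) {
            return new WP_Error( 'missing_field', 'Missing field: ' . $field );
        }
    }

    // CSRF protection for the form submission itself.
    $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_reset_password' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['rp_key'] ) );

    // Core performs the real check: it returns the WP_User only when the key
    // matches the hash stored for that login and is still within its validity window.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user; // 'invalid_key' or 'expired_key'
    }

    $password = wp_unslash( $_POST['new_password'] );
    if ( strlen( $password ) < 12 ) { // example policy; core sets no minimum itself
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }

    // reset_password() stores the new hash and, via wp_set_password(), clears the
    // stored activation key so the same reset link cannot be replayed.
    reset_password( $user, $password );
    return true;
}
```

    The difference that matters is the single call to `check_password_reset_key()`: the username alone is public information, so a handler that accepts a username plus a new password is equivalent to an unauthenticated password change for any account, which is exactly the privilege escalation described above. When reviewing a plugin’s login or reset form, look for that call (or an equivalent possession check) between the request and any write to the user’s password.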

  • MasterWP Launches 2023 WordCamp US Travel Program with $10K in Grants for Underrepresented Speaker Groups

    WordCamp US 2023, which is being held August 23-25 in National Harbor, has opened its call for speaker applications. If financial considerations are preventing anyone from applying, there are scholarships and grants available to help cover travel expenses. WCUS is now accepting applications for the Kim Parsell Memorial Scholarship for travel. This particular scholarship applies to anyone who is a WordPress contributor, identifies as a woman, has never attended WCUS, and requires financial assistance to attend.

    In the interest of promoting a more diverse pool of speakers, MasterWP has launched its travel grant program for WCUS that will support a larger number of applicants. The program will provide more than $10,000 in grants for members of underrepresented groups who are accepted to speak at the event. Those who are selected will receive at least $1,000 towards their travel expenses.

    In 2022, the program paid for seven speakers and organizers from underrepresented groups attending WCUS in San Diego. This year MasterWP is aiming to support more speakers and has already received contributions from AccessiCart, Nexcess, Paid Memberships Pro, The WP Minute, and UnlimitedWP towards the fund. They are still accepting corporate grant partners and 100% of funds contributed go directly to the grant recipients.

    In recent years, flagship WordCamps have stepped up their work towards diversifying their speaker lineups, as the community has held organizers’ feet to the fire when events failed to recruit a diverse selection. WordCamp Europe has come under scrutiny once again this year for its response to criticism about the lack of diversity in its early speaker announcements. The event has a speaker support program that connects speakers to companies for financial support but is not involved in the selection process.

    “If we want to build WordPress for the next generation, we need to be inclusive,” StellarWP director of community engagement and WP Speakers project creator Michelle Frechette said.

    “The next generation is already demanding it. Inclusion is the future. Without it we are irrelevant.”

    MasterWP’s travel grant program was created as an independent initiative and is not affiliated with WordCamp or The WordPress Foundation. A growing dissatisfaction with speaker diversity at WordCamps has led WordPress companies to create their own means of supporting the diversity they hope to see at events.

    “My conversations with leaders at several major companies led me to believe that many well-meaning, friendly and progressive people simply do not understand that some people cannot afford to participate in the career-growth opportunity of attending a major WordCamp – a similar dynamic to the unfairness of unpaid internships,” MasterWP publisher Rob Howard said in a recap of the 2022 program.

    “Since diversity is fundamentally an economic issue, improving it requires economic change. The travel sponsorship is a small economic change that has already made a big impact.”

  • WP Engine Releases Frost, A Free Block Theme for Website Builders

    The WordPress Themes Directory is now hosting more than 300 block themes, a milestone for the dedicated theme developers who have persevered through the growing pains and evolution of block theming. WP Engine is one of the newest theme authors who helped put the directory over the 300 mark with its submission of Frost.

    With its clean, minimal design, 36 patterns, and impeccable attention to detail on block styles, Frost is positioned to quickly become another blockbuster multipurpose theme. It already has more than 1,000 users, as it had been in testing for a while before landing in the official directory.

    Frost’s typography features Outfit, a geometric sans-serif font, for both header and paragraph text.

    The default color scheme is black and white with a vibrant blue accent color but Frost comes with eight different style variations. Frost designer Brian Gardner showcases a few in the tweet below, with Gutenberg’s full-screen previews for styles.

    When first installing the theme on a new WordPress site, clicking Customize takes the user to the Site Editor with the homepage template pre-filled so there’s no guesswork involved. Users can immediately start customizing any of the included templates. Frost packages all the usual ones – 404, archive, home, index, page, search, and single, but also includes a blank template and a “no title” template to help users with content that works better without the requirement of a title.

    Frost includes 36 patterns for building everything from pricing tables to portfolios, calls-to-action, testimonials, a grid of team members, various heroes, feature boxes, and more. Many of them have dark and light variations.

    There are also four full-page layouts that users can insert to build pages and launch websites faster, including About, Pricing, Home, and Links pages.

    Frost could easily be used for building agency websites, portfolios, business sites, and more. It’s easy to see developers using it as a starter for multiple projects given its minimal design. If website builders are looking for an even more minimalist starting point, Gardner’s Powder theme is a stripped down fork of Frost.

    Check out the Frost theme on its own website at frostwp.com, which includes examples of all the patterns, layouts, styles, documentation, and more. Frost is available to download for free from WordPress.org.

  • WooCommerce 7.7.0 Brings Multichannel Marketing Out of Beta

    WooCommerce 7.7.0 was released this week with Multichannel Marketing now out of beta. This is the first thing store owners see when they visit the Marketing page in the dashboard. It allows users to connect additional sales channels, such as Google, Amazon, and eBay, and automatically manage inventory across storefronts.

    This addition makes WooCommerce more competitive with platforms like Shopify Plus. Merchants can connect different channels to the store by installing plugins. WooCommerce has documentation, including a quick start guide, for configuring Multichannel Marketing.

    Version 7.7.0 also introduces updated shopper notices with new, more consistent styles for Snackbar lists and Notice banners. More details on targeting the new CSS selectors is in the release post.

    A few other highlights in this release include the following:

    • Expanded styling options for Product SKU, Product Price, and Product Image
    • New Product Reviews block that can be inserted on the Single Product template
    • More customization options for Add to Cart button
    • Expanded Mini Cart block customization options
    • New option to “Upgrade to Blockified Single Product template” from a classic template

    Check out the 7.7.0 release post to see all the new filters and template changes.

    WooCommerce is also running its 2023 twice yearly Developer Survey. The survey was designed to capture confidential feedback from developers who build on the WooCommerce platform in order to better understand their needs and make improvements.

  • WordPress Community Team Evolves WordCamp Format to Promote Adoption, Training, and Networking for Professionals

    WordPress’ Community Team hailed a new era of WordCamps in its recent announcement outlining a significant shift in the purpose for the events.

    In the past, WordCamps have had a mostly predictable format of presenting inspirational talks on exciting things people are doing with WordPress, business topics, and the latest trends, with short networking opportunities and a contributor day appended to the event.

    “Connection, inspiration, and contribution are undeniably important to WordPressers,” Automattic-sponsored WordPress community organizer Angela Jin said. “However, as events have returned, communities see that people are much more selective about what events they attend and want to know what they will gain by participating.”

    After the pandemic, the number of WordCamps dwindled to a fraction of what they had been, as different areas of the world grappled with their own unique public health situations. The Community Team had loosened some of the requirements for WordCamps in order to foster a more welcoming environment for people to want to host in-person events.

    In an effort to modernize these gatherings moving forward, the team has proposed the following update to the purpose of WordPress events:

    WordPress events spark innovation and adoption by way of accessible training and networking for users, builders, designers, and extenders. We celebrate community by accelerating 21st-century skills, professional opportunities, and partnerships for WordPressers of today and tomorrow.

    Jin said she hopes a “period of innovation and experimentation will follow this critical shift in the purpose of our events” where events will be curated for more narrow audiences and have a focus on a specific type of content or topic.

    This shift also opens the door for more varied event formats, such as workshops, unconferences, job fairs, and pure networking events – which would have definitively been outside the traditional WordCamps of old and not officially supported by the project.

    Jin emphasized that WordPress will continue encouraging local meetups. Currently planned WordCamps (there are currently 14 on the schedule for 2023) can continue as before but new WordCamp applicants will be encouraged to experiment with new formats.

    “Flagships (WordCamp US, WordCamp Europe, WordCamp Asia): These will remain our largest, broadest event that fully capitalizes on the energy of a large crowd,” Jin said. “They will be the place to highlight the latest, greatest, and coolest in WordPress and where we are going.”

    Reactions to the change in the purpose of WordCamp have been mostly positive but the community has some questions about how it will work. David Bisset, who helped run WordCamp Miami for over a decade, asks how this will impact smaller communities:

    I certainly would love to see more formats being tried, more standout content, etc. However, I’m trying to view this from a local and smaller WordCamp organizer mindset – what if I have a varied community and therefore a varied audience? Will having a particular audience in mind in setting content and promoting local WordCamps unknowingly not attract a more diverse audience? Many people come to conferences and WordCamps for certain talks and speakers and stay around for the rest.

    WordPress plugin developer David McCan commented that the new purpose statement reads more like educating and preparing a workforce in contrast to how WordCamps previously leaned towards empowering volunteers.

    Participants in the discussion are heavily in favor of giving more freedom to event organizers, but many have had such irreplaceable experiences at WordCamps in their current format that they are reluctant to see it go. WordPress developer and contributor Ross Wintle commented that he hoped the change in purpose would not diminish the diversity at WordCamps.

    “While I think there’s some value in focussing on an audience, please don’t throw out the current WordCamps,” Wintle said. “I genuinely believe that one of the best things about these events is that I get to experience the diversity of the WordPress community and see the many, many different ways that WordPress is used, extended and developed for, and I get to meet the many, many talented people from across the spectrum of contribution who possess ideas, skills and experiences that I do not.

    “I’ve met so many amazing people who have different roles in WordPress, and I think the value of this is far higher than sitting in my bubble with the people that do the same things as me.”

    Marketing contributor Sé Reed asked Jin what team meeting, GitHub issue, or other documented discussion was available to follow the decision-making process for this major change to WordCamps, as no discussions were linked in the announcement.

    “To my mind, this kind of change (affecting the entire WordPress community and apparently effective immediately) is something that would make sense to discuss at the Community Summit,” Reed said. “As that ship has sailed, I’d like to at least see the discussion that led to it.”

    Jin has not yet responded to these questions but said in the announcement that as event organizers experiment with different formats for WordCamps, “the community team can reevaluate our full events program and how events coexist happily.”

  • WordPress Contributors Discuss How Core Can Better Enable AI Innovation

    As AI-powered technology is rapidly evolving to exponentially extend human capabilities, WordPress contributors do not want the platform to get left behind. AI-powered website creation could even become a threat to its existence, more than a competing CMS, if WordPress doesn’t ensure the platform is easily pluggable for AI-powered extensions. A new discussion on the Core developer’s blog asks what WordPress can do to better enable AI innovation.

    “WordPress Core always seeks to provide a stable foundation for folks to build upon directly and extend as they see fit,” Automattic-sponsored core contributor Anne McCarthy said. “Even if a new technology is not actually included in Core, the project aims to enable innovation and progress through extension (plugins, themes, etc.) wherever possible and sensible.”

    McCarthy shared a video of what it might look like to have AI integrated into Gutenberg’s experimental command center to build out pages based on AI-suggested designs. She asked three questions of contributors:

    • How would you want to see Core updated so it can be extended in ways accessible to AI technologies?
    • For those building, or trying to build, with AI today, how does Core currently enable or hinder this effort?
    • Are there any concerns that you think the community should be aware of as this space is explored?

    WordPress co-founder Matt Mullenweg is optimistic about the prospect of further integrating AI into open source development.

    “In 2015 I told you to learn Javascript deeply,” Mullenweg said last month in the Post Status Slack. “I don’t have a catchy phrase yet, but my message for 2023 will be to spend as much time leveraging AI as possible. The boosts to productivity and capability are amazing. This is not a web3/crypto/widgets hype cycle. It’s real.”

    Mullenweg also encouraged WordPress professionals to consider how AI and open source can work together.

    “Open source and AI are the two mega-trends of the next 30 years,” he said. “They complement each other, and you should think deeply about how. ChatGPT can’t read Shopify’s code.”

    StellarWP-sponsored contributor Matt Cromwell commented on the latest core discussion, suggesting that AI innovation is better left to plugin developers.

    “All AI options currently require integration with a 3rd party system, some sort of pricing and authentication, this feels to me to clearly be plugin territory,” Cromwell said.

    “The other concern here is that the current Core roadmap is very full. At what cost would the project chase an AI integration? At the expense of multi-editing collaboration features? At the expense of multi-lingual features? I find it hard to imagine pursuing the current roadmap with excellence and stability AND adding a huge AI integration as well.”

    Bluehost-sponsored contributor Jonathan Desrosiers, one of the reviewers of the post, clarified that the intention was to “fuel discussion around what AI looks like in the WordPress ecosystem and how that may be blocked currently.”

    “As you said, the roadmap is definitely full and adding new things should not be done unless there are extremely compelling reasons,” Desrosiers said. “But, if there are small “paper cut” changes that can be made in Core (new filter or action hooks, etc.) to allow plugins to better experiment and flesh out AI integrations in the WordPress world, I think that we certainly should consider these.”

    Cromwell suggested WordPress could add a settings panel for integrating various APIs, such as payment gateways and OpenAI API keys, to prevent conflicts and streamline API usage across multiple plugins.

    Rob Glidden proposed that contributors consider the possibility of having AI chatbots as a user type for the future collaboration workflow inside WordPress:

    I would suggest looking at AI chatbots as (“just another”) user type in the upcoming Phase 3 of collaboration/workflow.

    I for one want an AI chatbot on my multiuser collaboration team in a phase 3 WordPress.

    In the multiuser collaborative workflows already described in “Phase 3 Collaboration” it seems like basically the same infrastructure should work for both human users and AI “users”.

    Indeed, it is not a huge stretch in reading that document to think of “users”, “collaborators”, and “creators” as also being bot-ish users, assigned and performing tasks within a workflow.

    CodeWP-sponsored contributor James LePage echoed Cromwell’s concerns that focusing too much on integrating AI might make WordPress less competitive on the features that have already been identified for Gutenberg’s Phase 3 roadmap:

    As some others said here, as a WP user, I’d much prefer a really strong focus on the existing Phase 3 roadmap items as I think it would make our CMS a lot more valuable and competitive to other tools out there, as opposed to integrating AI somehow.

    One other thing is that there aren’t really any standards here. There are large players, but they keep changing the way their AI works, and probably will continue to do so. We’d be trying to hit a moving target.

    As much as WordPress contributors are spread thin across the project’s current Gutenberg roadmap of goals and improvements, you don’t get to choose when new technology is bearing down on your industry, forcing you to act or become obsolete. The WordPress community has built a robust plugin ecosystem, but leaving it all to third-party integrations may not be enough to keep the software relevant in the coming years. Ensuring that WordPress is compatible with the future of AI-powered innovation is critical if contributors want the platform to continue to be the best CMS and website builder available on the web.

  • Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability

    Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2 million users. It was discovered by Patchstack researcher Rafie Muhammad in February 2023, and patched by ACF developers in version 6.1.6 in April.

    Patchstack published a security bulletin and Muhammad described the vulnerability as follows:

    This vulnerability allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path.

    The vulnerability was given a high severity rating under CVSS 3.1. Muhammad outlined a proof of concept in the security bulletin. At this time, the vulnerability is not known to have been exploited. ACF free and ACF Pro users should update to the latest 6.1.6 version of the plugin as soon as possible.
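    This item and the earlier one on Akamai’s exploitation report describe the same class of bug: a value from the request URL is reflected into an admin page that a privileged user views. The block below is an added example, not ACF’s code and not Patchstack’s sample payload. It shows the generic vulnerable pattern in a WordPress admin screen beside a hardened version, so that a reviewer knows what to look for. The function names and the `tab` parameter are hypothetical; the WordPress core functions used (`sanitize_key`, `wp_unslash`, `add_query_arg`, `admin_url`, `esc_url`, `esc_html`) are real.

```php
<?php
// Added example, not code from ACF or Patchstack: the generic pattern behind a
// reflected XSS in a WordPress admin screen, beside a hardened version.
// Function names (example_*) and the 'tab' parameter are hypothetical.

// Vulnerable pattern: a request parameter is echoed straight back into HTML.
// Whatever the URL carries ends up in the page the privileged user is viewing.
function example_render_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<a class="nav-tab" href="?page=example&tab=' . $tab . '">' . $tab . '</a>';
}

// Hardened pattern: restrict the value to a known list, rebuild the URL from
// that value, and escape for the exact output context (URL attribute, HTML text).
function example_render_tab_hardened() {
    $allowed = array( 'general', 'display', 'advanced' );

    // sanitize_key() reduces the input to [a-z0-9_-]; the allow-list then rejects
    // anything that is not one of the tabs this screen actually has.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general'; // unknown value: fall back rather than reflect it
    }

    // Build the link from the validated value, never from the raw query string.
    $url = add_query_arg(
        array( 'page' => 'example', 'tab' => $tab ),
        admin_url( 'admin.php' )
    );

    // esc_url() for the href attribute, esc_html() for the visible label.
    echo '<a class="nav-tab" href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}
```

    The allow-list is the control that removes the bug, because attacker-chosen text never reaches the page at all; context-appropriate escaping is the backstop for values that genuinely must be reflected. A WAF rule or virtual patch of the kind mentioned above can block the published sample request while sites remain on 6.1.5 or below, but only updating to 6.1.6 removes the underlying reflection.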