EDITS.WS

Tag: News

  • Gutenberg 16.2 Brings Improvements to Pattern Management, Introduces Vertical Text Orientation

    Gutenberg 16.2 was released with a number of important changes to pattern management. Most notably, Reusable blocks have been renamed to Patterns, and the Library section of the Site Editor has been renamed to Patterns.

    This release also introduces a sync status on the pattern details screen to give more information to site owners when managing patterns. The custom patterns label has been changed to “My Patterns” in the Patterns sidebar. A new lock icon designates theme patterns as unable to be edited or modified. All of these changes were cherry-picked from this version of Gutenberg and are included in the upcoming WordPress 6.3 major release, as of Beta 3.

    Changes to Patterns – Gutenberg 16.2 release post

    Gutenberg 16.2 introduces a vertical text orientation, which can be applied using a block’s typography settings. At this time the feature is only available when the theme author opts in for the theme to support it, but it may be expanded in the future.

    “This new feature is a first step towards full support of vertically written languages as well as for decorative purposes in website design,” Automattic-sponsored Gutenberg contributor Bernie Reiter said in the release post.

    Footnotes, which were introduced in Gutenberg 16.1, received several usability improvements in this release. The first iteration was bare bones with the footnotes created automatically and then inserted at the bottom of the content. This update makes a Footnotes block available in the block inserter, so users can place it again in case it gets deleted.

    Other notable improvements in Gutenberg 16.2 include the following:

    • Command Tool has been renamed to Command Palette
    • “Home” template renamed to “Blog Home” for clarity
    • Adds confirmation step when deleting a template
    • Experiments: Create wordpress/interactivity with the Interactivity API

    It also appears the Gutenberg team is preparing for the eventual deprecation of TinyMCE.

    “We’ve added a new Gutenberg Experiment to explore a potential path towards the deprecation of TinyMCE,” Reiter said. “When enabled, it prevents loading TinyMCE assets and Classic blocks by default, only enabling them if usage is detected. The update also handles scenarios where posts contain Classic blocks or users input raw HTML, offering conversion options or reloading to use the Classic block.”

    Check out the Gutenberg 16.2 release post for more details on the enhancements and bug fixes included in this release.

  • WordPress 6.3 to Introduce a Development Mode

    As the dev notes for the upcoming WordPress 6.3 release are rolling out, there are so many exciting features that have not yet been highlighted. The new development mode, initiated by declaring the WP_DEVELOPMENT_MODE constant, is one that will be particularly useful for theme developers initially.

    “The development mode configured on a site defines the kind of development work that the site is being used for,” Google-sponsored WordPress Core Committer Felix Arntz said. This mode is not recommended for production sites.

    The possible values for the WP_DEVELOPMENT_MODE constant include core, plugin, theme, all, or an empty string (which is the default). The “all” value is applicable to sites where all three aspects may be modified, such as a client website in progress.

    “There are currently only a few use-cases in WordPress core which are determined by the development mode, but this will likely increase in the future,” Arntz said. “Most usage today relates to theme.json caching.”

    Since the cache is usually only invalidated when the theme is updated, it can become cumbersome to developers who are actively modifying theme.json and have to manually invalidate it to see their changes. This caching functionality is bypassed when the value is set to “theme.”

    Although the WP_ENVIRONMENT_TYPE constant seems similar to the new developer mode, it specifically denotes whether the environment is development, staging, or production but does not specify what type of development is being done.

    “It is likely that you will only use the WP_DEVELOPMENT_MODE constant on a site where WP_DEBUG is enabled and WP_ENVIRONMENT_TYPE is either ‘development’ or ‘local,’ since it is not advised for development to occur directly against staging or production environments,” Arntz said.

    For more details on when and how to use Developer Mode, and code samples for checking if development mode is active on a site, developers can refer to the dev note published to the make.wordpress.org/core blog.

  • Bluehost Launches WonderSuite Product with AI-Powered Site-Building Guide

    Bluehost launched its new WonderSuite product this week, which introduces a setup and site creation experience guided by AI. In September 2022, the hosting company debuted its managed WooCommerce packages after acquiring YITH, a WordPress plugin company with more than 100 WooCommerce extensions. The new WonderSuite product is included in all Bluehost WordPress hosting plans and is not specific to online stores.

    WonderSuite brings together solutions from YITH and Yoast and integrates them into a new unified design that is based on Yoast’s open source React component library. This interface was introduced as an update in Yoast 20.0 with mixed feedback. Although many users reacted positively to the modern design, some are not keen on plugins building their own UI in the admin. Bluehost is using this component library to streamline and unify the UI for its various products inside the admin.

    WonderSuite is aimed at small and medium-sized businesses, agencies, and freelancers who are just getting online. The major update here is the WonderStart onboarding experience that asks the user specific questions and then populates other parts of the website building process with their answers. For example, social media handles will automatically be sent to SEO optimization and added to the social buttons block.

    Bluehost also pulls the WonderStart data into the WonderBlocks, which are used to create a library of block patterns and page templates using images and suggested text based on the user’s entries during onboarding. All of this works with the block-based YITH Wonder Theme, which is free on WordPress.org and active on more than 10,000 sites.

    Wonder theme users have access to some patterns and templates but Bluehost customers have more designs available to them in combination with WonderBlocks. Those hosting with Bluehost who don’t want to use the default Wonder Theme can still use the WonderBlocks pattern library with any block-based theme.

    Bluehost is one example of a host that is putting AI to use inside the admin. The new WonderHelp section is an AI-powered guide that users can tap into during the site-building process. Users can ask it to create a blog and the feature will provide a guide inside the site builder with instructions for what to do on each page.

    The company is working on a feature called WonderAssist that is anticipated later in 2023. It will provide AI-powered content generation with relevant copy, product descriptions, and SEO-friendly excerpts integrated with the other parts of WonderSuite.

    Bluehost’s e-commerce customers also have access to WonderCart, which provides a collection of cross-sell and upsell features, along with promotional and discount options inside a single, unified interface, instead of spread across multiple plugins and tools.

    Existing Bluehost customers can find the updated plugin in their WordPress sites with the new products available. Onboarding is currently only available for users starting new websites but a representative said they are working on creating a path that allows existing customers to re-route through the onboarding experience.

  • WordPress Plans Ambitious Admin UI Revamp with Design System, Galvanizing Broad Support from the Developer Community

    WordPress’ admin is on deck for a long-awaited makeover after Gutenberg lead architect Matías Ventura published plans for a revamped admin design as part of the Phase 3: Collaboration road map.

    “As WordPress turns twenty years old, the overall aim of this work is to improve upon this experience at a foundational design level, giving plugins and users more control over the navigation while ensuring each WordPress experience is recognizable, intuitive, accessible, and delightful,” Ventura said.

    His post is a follow-up to some earlier admin concepts he published a year ago which evolves the admin towards more fluid browsing and editing flows. This is similar to the block editor design that positions the admin frame as a shell that wraps around a canvas that contains the content in a zoomed state. Instead of users clicking back to access navigation tools, the tools remain present but outside of the canvas view.

    Although contributors have not yet officially produced any designs for the project, Ventura shared a light version of an admin concept.

    One aspect of the proposed plans that has energized the developer community is the prospect of the admin getting rebuilt with an extensible design system.

    “This effort is also an opportunity to formalize the design primitives and interaction paradigms that are part of the UI component system begun in wordpress/components,” Ventura said.

    “A crucial aspect is to ensure WordPress itself is built with the same pieces and APIs that plugin authors can use. Aside from color themes, our set of primitive components also need to work in dense environments like the editor, as well as environments that need more breathing room and focus like admin sections. Density, clarity, usability, and accessibility are paramount.”

    image credit: Matias Ventura – Admin Design

    The admin design concepts have renewed developers’ excitement about the future of WordPress, but they are also hoping this revamp will solve several long-standing problems with the interface.

    One recurring theme in the feedback was the need to find a way to curb the pollution of top-level menus and the out of control admin notices, which are hijacked by plugin developers in the absence of a standard notification system.

    “It’s really about aligning APIs, ensuring we have semantic descriptions of capabilities, and offering the right levels of controls for both plugins and users,” Ventura said.

    “I know it’s a fairly limited example, but there’s a nice balance in the ability to pin or unpin plugin sidebars on the editor, from the perspective that plugins can be opinionated, and users can still interact with those opinions.”

    Another challenge that concerns developers is ensuring the new design adequately accommodates WordPress sites with large numbers of posts, pages, categories, menus, comments, and other things that can easily overwhelm a UI that was intended to be simplified.

    “As part of leveraging the components across the admin interface, we need to address functional gaps (like table and list views, bulk editing operations, etc) and assist plugin needs for anything that might not be already addressed that should be addressed,” Ventura said. “Ultimately, the design library needs to be showcased in the wordpress.org website as a clear resource for people building upon WordPress.”

    Developers who participated in the comments were optimistic about the project and reacted positively to the concepts Ventura shared.

    “I often say, white space is where the magic happens,” WordPress designer and developer Brian Gardner said.

    “The light admin concept is breathtaking and gets me even more excited than I am now about the future of WordPress.”

    Several developers commented on how eagerly they are awaiting an update to a modern UI that reduces the number of page refreshes.

    “Wow! It’s gonna be amazing!” WPMarmite founder Alex Borto said. “A complete admin fluid browsing experience is much needed. I dream of navigating through the admin area without any page loads!”

    For years, WordPress developers have been expected to try to match WordPress’ dated admin UI on their settings pages and the Yoast SEO plugin drew criticism when it released version 20.0 with a new modern interface. Many users are not keen on plugins building their own UI in the admin, as it can make things more confusing. Having a standard set of UI components would make things easier for developers who are extending WordPress.

    “This gives me great optimism about securing the next 20 years of WordPress’s success,” WordPress developer Mike McAlister said. “The fact that you can do anything with WordPress is incredible, it’s probably our biggest strength.

    “But without standardized design patterns for the admin, we’ve seen that devolve into a UI/UX headache with plugin and theme developers baking their own experiences inside WordPress. Reining this in and creating a unified experience for everyone to buy into will not only make it easier on product creators, it will also be a huge win for users.”

    Ventura said this document is just an outline of the admin design project and that it will be followed up with more in-depth design explorations further down the road.

  • All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0

    All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0.

    In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days ago, @c0ntr07 reported the issue:

    I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)

    How can I stop the logging of clear text passwords?

    How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?

    A support representative from AIOS confirmed that it was a known bug in the last release and offered a development copy of a zip file with a fix. It took more than two weeks for the patch to be published.

    In version 5.2.0, released on July 10, 2023, AIOS included the following security updates in the plugin’s changelog:

    • SECURITY: Remove authentication data from the stacktrace before saving to the database
    • SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.

    Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, almost no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.

    “So far the developer haven’t even told the users to change all passwords,” Patchstack CEO Oliver Sild said in response to the issue on Twitter. “Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or has run) this plugin.

    “We have also sent out vulnerability alert to all Patchstack users. Hopefully the Updraft team will do the same and will tell their security plugin users to clean those logs ASAP and ask all the site users to change the passwords where ever they used the same combinations.”
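
    The class of bug named in the changelog entry above (authentication data captured in a stack trace and then saved to the database), shown as an added PHP example that is not AIOS code. All `demo_*` names, the sensitive-parameter list and the sample credentials are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration. All demo_* names are hypothetical; none are AIOS or WordPress functions.

// Parameter names treated as authentication data (assumed list; extend per application).
const DEMO_SENSITIVE = ['password', 'pass', 'pwd', 'user_pass', 'secret', 'token'];

// BEFORE: debug_backtrace() includes each frame's arguments by default, so the
// serialized audit entry contains the password that was passed to the login function.
function demo_audit_unsafe(string $event): string
{
    return (string) json_encode(['event' => $event, 'trace' => debug_backtrace()]);
}

// Map argument positions to parameter names and redact the sensitive ones.
// Non-scalar arguments (arrays, objects) are reduced to their type, so a
// credentials array never reaches the log either.
function demo_redact_args(array $frame): array
{
    $names = [];
    try {
        $ref = isset($frame['class'])
            ? new ReflectionMethod($frame['class'], $frame['function'])
            : new ReflectionFunction($frame['function']);
        foreach ($ref->getParameters() as $param) {
            $names[$param->getPosition()] = strtolower($param->getName());
        }
    } catch (ReflectionException $e) {
        // Closures and include/require frames cannot be reflected by name:
        // $names stays empty, so every argument of the frame is redacted below.
    }

    $out = [];
    foreach ($frame['args'] ?? [] as $i => $value) {
        $name = $names[$i] ?? null;
        if ($name === null || in_array($name, DEMO_SENSITIVE, true)) {
            $out[] = '[REDACTED]';
        } else {
            $out[] = is_scalar($value) ? $value : gettype($value);
        }
    }
    return $out;
}

// AFTER: keep frame locations for debugging, but pass every argument list
// through the redaction step before the entry is serialized for storage.
function demo_audit_safe(string $event): string
{
    $frames = [];
    foreach (debug_backtrace() as $frame) {
        $frames[] = [
            'function' => $frame['function'],
            'file'     => $frame['file'] ?? null,
            'line'     => $frame['line'] ?? null,
            'args'     => demo_redact_args($frame),
        ];
    }
    return (string) json_encode(['event' => $event, 'trace' => $frames]);
}

// Constructed scenario: a failed login writes an audit entry with a stack trace.
function demo_login(string $username, string $password, bool $safe): string
{
    return $safe ? demo_audit_safe('failed_login') : demo_audit_unsafe('failed_login');
}

$pw     = 'CONSTRUCTED-pw-123'; // constructed sample credential
$unsafe = demo_login('alice', $pw, false);
$safe   = demo_login('alice', $pw, true);

echo 'unsafe entry contains password: ', var_export(strpos($unsafe, $pw) !== false, true), PHP_EOL;
echo 'safe entry contains password:   ', var_export(strpos($safe, $pw) !== false, true), PHP_EOL;
echo $safe, PHP_EOL;
```

    On PHP 8.2 and later, marking a parameter with the `#[\SensitiveParameter]` attribute makes the engine replace its value in backtraces, which covers code paths that never call a redaction helper. Passing `DEBUG_BACKTRACE_IGNORE_ARGS` to `debug_backtrace()` is the blunter alternative when argument values are not needed at all.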

  • WordPress Selects Inaugural Cohort to Launch Experimental Mentorship Program

    WordPress’ Community Team kicked off its experimental mentorship program this week, announcing that the inaugural cohort has been assigned to a group of mentors who will guide them forward on project contribution across various teams.

    “Our mentors offer 1:1 support to each contributor in our cohort,” Automattic-sponsored Community Team contributor Hari Shanker R said. “These mentors check-in with mentees each week to offer them support and guidance on the program and to answer any questions that they may have.”

    Mentees graduate from the program after completing self-directed courses, participating in “learn-up” sessions, selecting a contributor team, and making an initial contribution to the team. Optionally, mentors may guide their mentees through a three-month contribution plan. The goal is to create new ongoing contributors through the program.

    A group of 13 mentees have been selected from 50 applications and will participate across eight teams, including Core, Training, Community, Documentation, Photos, Test, Polyglots, and Support.

    “While our group is not in a position to assign mentors to everyone, the activities and tasks of our cohort will be shared in the newly-formed #contributor-mentorship channel of the Make/WordPress Slack, where interested folks can join most of our contributing sessions and onboarding sessions which will also be shared widely with our community.”

    Other open source projects, such as Drupal, have supported mentoring programs that have been used to successfully engage new contributors at events, inspire more collaboration, and foster a learning environment.

    Earlier this year the Linux Foundation published a report from a recent study on Mentorship in Open Source. It surveyed more than 100 mentees from the LFX Mentorship graduating class of 2020 and 2021, and 99% reported the program was beneficial. Nearly half of the graduates (47%) said it helped them get a job.

    The report explores the additional benefits of mentorship programs beyond increasing contribution to the open source project itself. Quality mentorship programs can have an economic and career impact on mentees, as well as increase diversity across the project and help new contributors get more connected to the community.

    WordPress’ Community team has already invested time from 22 facilitators and 13 mentors in getting the program launched. The structure offers a somewhat more formal experience similar to a short internship, but it’s still in the early stages and may change based on feedback from participants.

    “This program is an experiment—our hope is to learn as much as possible from the same to improve mentorship in the WordPress project and to support and empower more contributors,” Shanker said.

  • State of Digital Publishing to Host WordPress Publishers Performance Summit, July 27, 2023

    The State of Digital Publishing, a startup market research publisher focused on digital media, is hosting an online event called WordPress Publishers Performance Summit (WPPS) on July 27, starting at 2PM EST. The organization’s mission is to help publishers develop sustainable business models through education, guides, online courses, and other resources. They have partnered with Multidots, a WordPress development agency and WordPress.com VIP Gold Partner, who is sponsoring the event.

    WPPS will feature 10 panelists speaking on best practices for managing and optimizing the performance of WordPress publishing sites. Panelists have been selected from high performance teams at The Boston Globe, Forbes, Multidots, WordPress.com VIP, Parse.ly, and other publishers.

    The schedule includes four 40-minute sessions over the span of four hours:

    • How to do less: evaluate your website’s performance and metrics
    • Reasons why your Core Web Vitals are not passing
    • Successfully securing and scaling WordPress
    • Improving publishing workflow – the threats and opportunities ahead

    These sessions will be aimed at editorial and content strategists, SEO specialists, ad tech and integration professionals, and others working in the publishing industry.

    WPPS is free and attendees can register on the event’s website. Unlike many other virtual events, the organizers do not plan to record the sessions so those who are interested will need to watch them live. Participants will have the opportunity to ask questions and have them answered by the panel. Those who are unable to attend live can sign up on the website to receive an ebook with the panelists’ recommended WordPress best practices that were shared at the event.

  • WordPress 6.3 Makes the “Edit Site” Link Open the Current Template

    WordPress 6.3 will make site editing several clicks faster for users who are moving from the frontend to edit the corresponding template. When you click the “Edit Site” link in the admin bar from a category page, for example, you currently get dumped out into the Site Editor on the home page. From here it’s several clicks more to get to the template you intended to edit. The upcoming release changes it so that the “Edit Site” link is aware of the current template.

    WordPress developer Brian Coords pointed out the fix on Twitter today. It’s a delightful bit of good news for anyone who works regularly with the Site Editor and becomes annoyed by how long it takes to click through to the applicable template. WordPress is now more context aware, delivering site editors to the correct template directly from the admin bar.

    The update applies to posts, pages, archives, 404 templates, front page, and anywhere the user happens to be on the frontend. Check out the Gutenberg issue and the related WordPress Trac ticket for more technical details on how contributors arrived at this implementation.

    This small fix is important because it removes the requirement for the user to have to know the name of the template they intend to edit. It’s now as easy as clicking directly from the frontend. The more WordPress can reduce friction and the need to have special knowledge in order to edit templates, the more accessible it becomes as a design tool for someone who is just starting out and has no framework for the idea of underlying templates.

    WordPress 6.3 is on track to be released with this fix on August 8, 2023. Beta 4 landed today with 40+ (Editor) and 60+ (Trac) updates since Beta 3, and RC 1 is expected next week.

  • Real-Time Collaboration in WordPress: Here’s What to Expect

    Bringing real-time collaboration or collaborative editing to WordPress will be the focus of the third phase of the Gutenberg project. It started off with the block editor in WordPress 5.0 and has by now progressed to Full-Site Editing aka the WordPress Site Editor. Adding real-time collaboration will be the second-to-last phase, while the final phase will add native multilingual capabilities.

    Lead Architect Matias Ventura recently posted a preliminary outline of what is planned for Phase 3. The planned changes will not only bring new functionality to WordPress but also necessitate rebuilding (large) parts of its interface. The developers also predict that collaborative editing is going to be the most challenging to build due to the scope.

    Reason enough to take a detailed look at what we can expect. In the following, we will go over what real-time collaboration is, what’s planned for this update, and the consequences for the WordPress platform. We will also go over ways you can already try out more collaborative workflows on your WordPress website right now.

    What is Real-Time Collaboration?

    If you have ever worked on a Google document together with other people, you already know what collaborative editing is. It is the ability for several users to edit a document at the same time, comment on or make changes to other people’s work, and use shared assets together.

    This allows you to work on a single document collectively instead of giving each person a separate copy and combining their individual input later. You are also able to assign different roles to users that decide whether they can only see, comment on, or edit the content.

    Doing so saves time and effort, improves communication, and allows you to divide the labor. It can also result in better outcomes and makes the current work product available to every team member at the same time.

    Other software solutions also offer this functionality. Examples include Canva, Sketch, and Microsoft Office 365. However, it is currently not possible in WordPress, at least not by default. While you can work on content pieces together, it’s only possible to do so one user at a time. When one person is in the editing screen for a particular page or post, anyone else who tries to access it gets locked out or needs to kick out the original editor.

    “Supporting these workflows is not just about concurrency, though, but also about lifting restrictions that have been present in WordPress for a long time, such as locking a post when two people try to edit at the same time,” Ventura said in the post.

    With the planned real-time collaboration, it will be possible to work on content together as a team instead — right in the WordPress interface.

    Why Do We Need Collaborative Editing in WordPress?

    Yet, why is it the goal to implement this? After all, you could already simply use a Google document for the collaborative part and then copy over the result.

    However, copying and pasting content from Google Docs to WordPress does not always work perfectly. It can lead to errors and need reformatting before you can publish the content. In addition, any images included in the document first have to make their way over to WordPress. With a native solution, none of this would happen.

    In addition, there is a bit of a lack of collaboration tools in WordPress overall. Unless you install plugins for that purpose, there is no way to leave comments or feedback for other authors and users. Therefore, you often need to rely on other, asynchronous tools, like email or Slack to coordinate.

    Doing so will also often result in one person having to implement the suggestions from the rest of the team. Seeing as many websites and content strategies are run by teams, giving people tools to collaborate directly in the environment they are working in would go a long way in making the creation process more seamless.

    Plus, since the WordPress block editor can do both content and design, it would also help designers and content creators work together better. While one person can take care of the written part, the other can already start prettying it up.

    Finally, offering real-time collaboration is also simply a good way to improve the WordPress CMS and make it into a more modern piece of software.

    What Exactly Are the Developers Planning?

    In his post, Matias Ventura lays out the preliminary goals and ideas the developers are focusing on. Here is a breakdown of what they include.

    1. Real-time Content Collaboration

    Naturally, this is the centerpiece of the entire phase. The goal is to provide the necessary infrastructure and UI to allow multiple users to work together on the same content simultaneously. To create, edit, and customize web pages and posts as a team.

    2. Asynchronous Collaboration Tools

    However, working together on content doesn’t just mean the ability to be inside the editor at the same time. You also need tools to communicate effectively about what you are doing. Gutenberg Phase 3 also aims to provide those, including things like:

    • Draft sharing
    • Inline block commenting
    • Assignment review
    • Improved version control
    • Task management

    Some of this is currently already possible through plugins but the goal is to make it native.

    3. Improved Publishing Workflows

    Another goal is to provide better tools for creating, editing, reviewing, and publishing content within WordPress. This can include features such as:

    • Defining editorial requirements
    • Setting customized goals, e.g. a certain number of words or images
    • Prerequisites to complete before publishing is unlocked such as setting a featured image, etc.
    • Support for multiple preview contexts (e.g. members vs no members)

    The plan is not necessarily to include all of this in WordPress Core. However, Phase 3 will provide the infrastructure to make it possible to implement this in the editor.

    4. More Powerful Post Revisions

    Naturally, to accommodate the added complexity, you need a more detailed post revision system. The plan is to make it “more visual, aware of individual blocks, and explore adding the ability to schedule revisions across multiple parts of a site”.

    What does that mean?

    First of all, it would add the ability to revert singular blocks to earlier versions, not just entire content pieces. Secondly, you would be able to update several content pieces at the same time, for example, pieces that belong to the same campaign.

    5. An Enhanced Media and Asset Library

    Another piece of WordPress that the developers want to work on is the media library. They want to provide not only a place for managing visuals but also blocks, block patterns, styles, and fonts.

    As part of this, it is necessary to enhance the media library’s design and functionality. Historically this is a part of WordPress that hasn’t seen a lot of work, so it would be exciting to find out how they can improve it.

    6. A Global Search and Command Component

    The final component that Matias is talking about in connection with real-time collaboration in WordPress is a command prompt such as Spotlight in macOS.

    It would allow users to navigate directly to content or different admin areas as well as run commands like “create a new post” or “insert pattern”. This is also in response to the surge in AI and to introduce functionality that is prompt-based. A GitHub repository for this already exists.

    Consequences of the Proposed Changes

    From the above, it should already be obvious that this will not just be simply another feature that’s added to WordPress. These changes will make it necessary to rebuild and change parts of the WordPress user interface. As Matias says in his post:

    To accomplish this, we’ll be looking beyond the editors at the rest of the admin experience.

    The library especially will likely see a lot of work. Other areas include updated admin notices and UI design components as well as the admin list views used in posts, pages, categories, templates, comments, and by hundreds of plugins. Those should receive a more modern design and better support for interactivity and extensibility. You can find early concepts here.

    So in short, real-time collaboration might change the very fabric of WordPress as we know it. We need to find entirely new workflows and design solutions to be able to incorporate it into the CMS.

    That’s also the reason why real-time collaboration is on the roadmap before multilingual capabilities. Many of the workflows have to be already in place before we can tackle native translation options as Josepha Haden Chomphosy and Hector Prieto discuss in this podcast.

    Technical Challenges for WordPress Real-Time Collaboration

    Of course, to take on something of this magnitude, there are a number of technical challenges to overcome. As stated in the podcast episode above, collaborative editing is going to be especially difficult because of the need for real-time communication between different user browsers. If you want to read about the kind of problems that arise from this, read this account by the people who make the CKEditor (in a word, conflicts!).

    In addition, you need to take into consideration the diverse user base WordPress has and especially the different servers that they host their sites on.

    For example, Google had an easier time adding collaborative editing to their tools because they are hosting them themselves and have full server control. As a consequence, they mostly had to solve for different browsers.

    WordPress, on the other hand, runs on a myriad of server setups with various PHP versions and environments. Not all of them are equipped for all types of technical approaches. That’s also why no underlying technology has been chosen yet. Real-time collaboration is really in its early stages. It will take a lot more thinking and proofs of concept before a decision can be made.

    Besides, the developers will continue to work on projects related to earlier phases of Gutenberg. That includes adding more blocks, improved tables, a grid layout system, and improving the block API.

    How to Test Drive Collaborative Editing in WordPress Today

    If you are really curious about the topic of real-time collaboration in WordPress, there are a number of working prototypes and plugins that let you try out this functionality now:

    • AsBlocks — Made by Riad Benguella, who works for Automattic, it demonstrates a collaborative editing experience inside the Gutenberg editor. You can try it out online here. It won’t look exactly like this but it shows one possibility. Read the accompanying blog post for more information.
    • Block Collab — Another prototype by Enrique Piqueras. It seems like it’s not currently under active development but might still be usable.
    • Multicollab — A plugin offering features such as inline commenting, pinging users, marking comments as done, and email notifications. You can find a demo here (requires signup but comes with a 14-day free trial).

    One of them or part of one of them might even be the basis for the final feature. It’s not the first time that something first developed as a plugin ended up in core. The WP REST API and Gutenberg itself both started out that way.

    What Are Your Thoughts?

    Real-time collaboration has been on the WordPress roadmap for a long time. After finishing up the first two phases of the Gutenberg project, it is now the next step. The preliminary roadmap offers an exciting vision of the future of WordPress in which you can work on content together with all the necessary features for effective collaboration, synchronous and asynchronous.

    However, making it happen will need a lot of work and planning. The feature itself will probably change the WordPress platform as we know it and also pave the way for the fourth phase and native multilingual support.

    If past developments are any indication, though, it won’t happen quickly but over time. For example, it is not part of the 6.3 release coming in August 2023. So we will see. Until then, share your thoughts and give your input on the official post.

    Are you excited about collaborative editing in WordPress? What’s your favorite part? What are your concerns? Share in the comments!

    The post Real-Time Collaboration in WordPress: Here’s What to Expect appeared first on Torque.

  • MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials

    Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites.

    “MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said.

    “Requests are authenticated by comparing a shared secret stored as plaintext in the WordPress database to the one provided by MalCare’s remote application.

    “This can allow attackers to completely take over the site because they can impersonate MalCare’s remote application and perform any implemented action.”

    These potential malicious actions include creating rogue admin users, uploading random files to the site, and installing and removing plugins.

    Exploitation requires a pre-condition to be met, such as a site with a SQL injection vulnerability in a plugin, theme, or WordPress core, or a database compromised at the hosting level, or subject to another vulnerability that allows the attacker to read or update WordPress options.

    “MalCare has received the full details of this vulnerability three months before this public release, and despite us offering (free) help, they subtly dismissed it because ‘supposedly’ this is the industry standard for API authentication,” Alkan said.

    “Furthermore, concerns were raised, because the vulnerability requires a pre-condition that on its own, would be a vulnerability.”

    Two days after Snicco published the security advisory with the proof of concept, MalCare pushed a patch in version 5.16 on July 8, 2023, along with a notice on the plugin’s blog:

    In the rare situation, where a site has a pre-existing, high severity SQL injection vulnerability, an attacker might be able to read the MalCare key. To address such issues, we are further strengthening our authentication systems.

    Authentication is a critical system and any improvements must be done in a careful manner. We have reviewed various plugins and best practices in our ecosystem to come up with our solution.

    In light of the current public discourse, we are expediting the update of our plugin. We will initiate a rollout by EOD.

    MalCare reports that its users have seen no evidence of the vulnerability being exploited.

    Snicco noted that the same vulnerability also exists in WPRemote (20k installs) and Blogvault (100k installs) plugins, as they share the same code. Users of either of these plugins or the MalCare plugin should update to the latest versions as soon as possible now that the vulnerability advisory and proof of concept have been published.
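
    The weakness the advisory describes comes down to what the site has to store in order to check a request. The following is an added example, not code from MalCare, Blogvault, WPRemote or the Snicco advisory: it models a plaintext shared-secret check next to a signature check in which the site keeps only a public key. The option names, request fields, and the use of Ed25519 via PHP's sodium extension are assumptions for illustration, not a description of the vendors' patch.

```php
<?php
// Generic model with hypothetical names, not MalCare/Blogvault/WPRemote code; $options stands in for wp_options.

// Pattern the advisory describes: plaintext secret, request accepted on equality.
function verify_shared_secret(array $options, array $request): bool
{
    return hash_equals($options['api_secret'], (string) ($request['secret'] ?? ''));
}

// Assumed hardening: the site stores only the service's Ed25519 public key and
// verifies a signature over action, timestamp and nonce.
function verify_signed(array &$options, array $request, int $now): bool
{
    foreach (['action', 'ts', 'nonce', 'sig'] as $field) {
        if (!isset($request[$field]) || !is_scalar($request[$field])) {
            return false;
        }
    }
    $sig = base64_decode((string) $request['sig'], true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    $stale = abs($now - (int) $request['ts']) > 300;
    $replayed = in_array((string) $request['nonce'], $options['seen_nonces'], true);
    if ($stale || $replayed) {
        return false;
    }
    $msg = implode("\n", [$request['action'], $request['ts'], $request['nonce']]);
    if (!sodium_crypto_sign_verify_detached($sig, $msg, $options['service_pubkey'])) {
        return false;
    }
    $options['seen_nonces'][] = (string) $request['nonce'];
    return true;
}

// Constructed sample data; the private half of $keypair stays with the remote service.
$keypair = sodium_crypto_sign_keypair();
$options = ['api_secret' => bin2hex(random_bytes(16)), 'seen_nonces' => [],
            'service_pubkey' => sodium_crypto_sign_publickey($keypair)];
$now = time();
$req = ['action' => 'list_plugins', 'ts' => $now, 'nonce' => bin2hex(random_bytes(8))];
$msg = implode("\n", [$req['action'], $req['ts'], $req['nonce']]);
$req['sig'] = base64_encode(sodium_crypto_sign_detached($msg, sodium_crypto_sign_secretkey($keypair)));
$unsigned = ['nonce' => 'n2', 'sig' => base64_encode(str_repeat("\0", SODIUM_CRYPTO_SIGN_BYTES))] + $req;
var_dump([
    'shared secret, value copied from options' => verify_shared_secret($options, ['secret' => $options['api_secret']]),
    'signed, genuine request' => verify_signed($options, $req, $now),
    'signed, same request replayed' => verify_signed($options, $req, $now),
    'signed, built without the private key' => verify_signed($options, $unsigned, $now),
]);
```

    Storing only a public key addresses the case where options can be read; anyone who can update options could still replace the stored key, so the write pre-condition mentioned above is not covered by this change alone.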