Month Notes - September 2024
Posted on by Bob Matyas
At Work
I attended WordCamp US in Portland. I have been lucky enough to attend WordCamp for the past three years and always enjoy the opportunity to connect with the larger WordPress community.
This year at Contributor Day I worked with the theme team and made a few small contributions to the TwentyTwenty Five default theme that will be shipping later this year.
Side Projects
I released a small WordPress plugin called Exif Remover that removes EXIF data from images on upload. If EXIF data isn’t removed, it can leak information about the camera used, location data, etc.
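As an added example (not part of the original post and not the Exif Remover plugin's code), here is what "remove EXIF on upload" amounts to at the byte level for a JPEG. EXIF lives in an APP1 marker segment whose payload begins with `Exif\0\0`; the script below walks the marker segments up to Start Of Scan, drops any such segment, and copies everything else through untouched, so image data and the JFIF header survive. The sample JPEG is constructed inline (a bare TIFF header stands in for real EXIF), so it runs offline under Node.js with no dependencies.

```javascript
// Added example (not the Exif Remover plugin's code): strip EXIF from a JPEG
// by dropping its APP1 "Exif" segments. Runs under Node.js with no dependencies.
const EXIF_HEADER = Buffer.from('Exif\0\0', 'latin1');

// Walk the JPEG marker segments up to Start Of Scan (SOS). Everything from
// SOS onward is entropy-coded image data and is treated as one opaque segment.
function jpegSegments(buf) {
  if (buf.length < 2 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    throw new Error('not a JPEG (missing SOI marker)');
  }
  const segments = [];
  let pos = 2;
  while (pos + 2 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === 0xda) {
      segments.push({ marker, start: pos, end: buf.length, isExif: false });
      break;
    }
    // TEM and RSTn markers carry no length field
    if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd7)) {
      segments.push({ marker, start: pos, end: pos + 2, isExif: false });
      pos += 2;
      continue;
    }
    if (pos + 4 > buf.length) throw new Error(`truncated segment header at offset ${pos}`);
    const len = buf.readUInt16BE(pos + 2); // includes the two length bytes
    const end = pos + 2 + len;
    if (len < 2 || end > buf.length) throw new Error(`bad segment length at offset ${pos}`);
    const payload = buf.subarray(pos + 4, end);
    // EXIF lives in an APP1 (0xFFE1) segment whose payload starts with "Exif\0\0"
    const isExif = marker === 0xe1 && payload.subarray(0, 6).equals(EXIF_HEADER);
    segments.push({ marker, start: pos, end, isExif });
    pos = end;
  }
  return segments;
}

function hasExif(buf) {
  return jpegSegments(buf).some((s) => s.isExif);
}

// Rebuild the file from SOI plus every segment that is not EXIF.
function stripJpegExif(buf) {
  const kept = jpegSegments(buf)
    .filter((s) => !s.isExif)
    .map((s) => buf.subarray(s.start, s.end));
  return Buffer.concat([buf.subarray(0, 2), ...kept]);
}

// Constructed sample: SOI, APP0 JFIF, APP1 Exif (with a bare TIFF header),
// a bogus SOS header and two bytes of "scan data" followed by EOI.
function segment(marker, payload) {
  const len = Buffer.alloc(2);
  len.writeUInt16BE(payload.length + 2);
  return Buffer.concat([Buffer.from([0xff, marker]), len, payload]);
}
const SAMPLE_JPEG = Buffer.concat([
  Buffer.from([0xff, 0xd8]),
  segment(0xe0, Buffer.from('JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00', 'latin1')),
  segment(0xe1, Buffer.from('Exif\0\0MM\0*\0\0\0\x08', 'latin1')),
  segment(0xda, Buffer.from([0x01, 0x01, 0x00])),
  Buffer.from([0x12, 0x34, 0xff, 0xd9]),
]);

console.log('before:', SAMPLE_JPEG.length, 'bytes, hasExif =', hasExif(SAMPLE_JPEG));
const cleaned = stripJpegExif(SAMPLE_JPEG);
console.log('after: ', cleaned.length, 'bytes, hasExif =', hasExif(cleaned));
```

To use it on a real file, read it with `fs.readFileSync`, pass the buffer to `stripJpegExif`, and write the result back. Two caveats worth keeping in mind: location data can also travel in an APP1 XMP packet or in other formats (PNG, WebP, HEIC have their own metadata containers), so a plugin that only handles the JPEG APP1 Exif segment does not cover everything; and the check should run on upload (before the file is written to the uploads directory), since once a file has been served, the metadata is already out.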
I released a new version of my Block AI Crawlers WordPress plugin. It adds blocking for a few additional AI services.
Even though I work in WordPress every day, I don’t have an active site running WordPress. To change that, I revised an archive of flyers for punk shows in Grand Rapids. I had originally launched the archive on WordPress.com, but it was just one big gallery and there was no text describing the flyers or the organization. To change this, I wrote a Node script to parse through the image files, run OCR against them, and load them as draft posts. This will allow the archive to be more useful. I also gave the site a modern theme that I created by modifying the default TwentyTwenty Four theme. Overall, it was a valuable learning opportunity.
I forked a copy of an unofficial API for Backloggd and made a few modifications. I’m planning to eventually use it to track video games I am playing. It was a fun way to get some practice using Cheerio for web scraping.
WordPress Vulnerability Research
I found and responsibly disclosed the following vulnerabilities in WordPress plugins:
- WP ULike < 4.7.4 - Admin+ Stored XSS
- Backup Database <= 4.9 - Admin+ Stored XSS
- Polls CP <= 1.0.75 - Admin+ Stored XSS via Custom Styles
- GDPR Cookie Consent <= 2.6.0 - Bulk Delete via CSRF
- Page Builder: Pagelayer < 1.9.0 - Admin+ Stored XSS
- Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload
- AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Upload
- Event Calendar <= 1.0.4 - Admin+ Stored XSS
- Event Calendar <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion
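Two of the findings above are stored XSS via SVG upload, one of them reachable by Author-level users. SVG is XML, so an uploaded file can carry `<script>`, `on*` event handlers, `javascript:` links (often entity-encoded to dodge naive filters), `foreignObject` wrapping HTML, and entity declarations. As an added example (not the code of any plugin listed above), here is a conservative reject-on-risk check of the kind an upload handler can run before accepting an SVG. It tokenizes tags and attributes with regular expressions, entity-decodes attribute values first, and returns a list of findings; the two sample SVGs are constructed for the example.

```javascript
// Added example (not the code of any plugin listed above): a conservative
// reject-on-risk check for SVG uploads. It flags the constructs that turn an
// uploaded SVG into stored XSS: script/foreignObject/iframe/embed/object
// elements, on* event-handler attributes, javascript:/vbscript:/data: URLs
// (entity-decoded first, so "&#106;avascript:" is caught), CSS expression()
// and an internal DTD subset (entity expansion). Regex tokenizing is enough
// for a reject decision; rewriting an SVG in place needs a real XML parser.
const RISKY_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);
const SCHEME_RE = /^(javascript|vbscript|data):/i;
const ALLOWED_DATA_RE = /^data:image\/(png|jpeg|gif|webp);/i; // raster data: URLs are fine
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][\w:.-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const ENTITY_RE = /&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot|apos);/gi;
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode numeric and the five XML named entities so obfuscated schemes are visible.
function decodeEntities(text) {
  return text.replace(ENTITY_RE, (match, body) => {
    const b = body.toLowerCase();
    if (b[0] !== '#') return NAMED_ENTITIES[b];
    const cp = b[1] === 'x' ? parseInt(b.slice(2), 16) : parseInt(b.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Returns a list of findings; an empty list means nothing risky was seen.
function findSvgRisks(svgText) {
  const findings = [];
  if (/<!DOCTYPE[^>]*\[|<!ENTITY/i.test(svgText)) {
    findings.push({ kind: 'doctype-entity', detail: 'internal DTD subset or entity declaration' });
  }
  for (const tag of svgText.matchAll(TAG_RE)) {
    const [, closing, rawName, attrText] = tag;
    if (closing) continue; // closing tags carry no attributes
    const name = rawName.toLowerCase();
    if (RISKY_ELEMENTS.has(name)) findings.push({ kind: 'element', detail: name });
    for (const attr of attrText.matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      const raw = attr[2] ?? attr[3] ?? attr[4] ?? '';
      // strip control characters and whitespace so "java\tscript:" cannot slip past
      const value = decodeEntities(raw).replace(/[\u0000-\u0020]/g, '');
      if (attrName.startsWith('on')) {
        findings.push({ kind: 'event-handler', detail: `${name}@${attrName}` });
      } else if (SCHEME_RE.test(value) && !ALLOWED_DATA_RE.test(value)) {
        findings.push({ kind: 'script-url', detail: `${name}@${attrName}=${value.slice(0, 40)}` });
      } else if (attrName === 'style' && /expression\s*\(|javascript:/i.test(value)) {
        findings.push({ kind: 'style', detail: `${name}@style` });
      }
    }
  }
  return findings;
}

function isSafeSvg(svgText) {
  return findSvgRisks(svgText).length === 0;
}

// Constructed samples: one benign icon and one carrying three XSS vectors.
const SAFE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<circle cx="5" cy="5" r="4" fill="#09f"/>' +
  '<image href="data:image/png;base64,iVBORw0KGgo="/></svg>';
const RISKY_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">' +
  '<script>alert(1)</script>' +
  '<a xlink:href="&#106;ava&#x73;cript:alert(1)"><text x="1" y="9">hi</text></a></svg>';

console.log('safe sample: ', findSvgRisks(SAFE_SVG));
console.log('risky sample:', findSvgRisks(RISKY_SVG));
```

In a WordPress plugin the natural place for a check like this is a `wp_handle_upload_prefilter` callback that reads the temporary file and sets an `error` message when `findSvgRisks` would return anything, so the upload is refused rather than cleaned. Rejecting is the safer default: an in-place sanitizer (DOMPurify with its SVG profile, for instance) has to reason about namespaces and CSS, which a regex pass does not. The two CSRF and unauthenticated-deletion findings in the list are a different class of bug with a simpler fix: every state-changing handler needs a capability check (`current_user_can`) and a nonce check (`check_admin_referer` or `check_ajax_referer`) before it touches the database.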