Month Notes - October 2024
Posted on by Bob Matyas
At Work
Work has been very busy, not a lot to report. I did manage to get my dev environment configured and made a small PR to Jetpack Boost.
Side Projects
- I configured all of my WordPress plugins to deploy via GitHub. I’m much more familiar with Git, so it is a lot easier for me to release updates.
- I migrated this site from GatsbyJS to Astro. Astro is a lot simpler to use and I haven’t spent any time chasing down broken builds. It’s nice to see the production site using minimal JavaScript. I’ll probably blog about it in more detail at some point in the future.
- I experimented with using ChatGPT to generate some quick Node plugins to scrape data from external sources. I don’t do much scraping, so it has been nice to get a quick head start.
WordPress Vulnerability Research
I found and responsibly disclosed the following vulnerabilities in WordPress plugins:
- Media Library Tools < 1.5.0 - Author+ Stored XSS via SVG
- Alphabetical List <= 1.0.3 - Settings Update via CSRF
- RSS Feed Widget < 3.0.1 - Reflected XSS
- RSS Feed Widget < 3.0.0 - Contributor+ Stored XSS
- Registrations for The Events Calendar < 2.12.4 - Unauthenticated Stored XSS
- Post From Frontend <= 1.0.0 - Post Deletion via CSRF
- AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Upload
- Page Builder: Pagelayer < 1.9.0 - Admin+ Stored XSS
I found several more, but the disclosure is always somewhat delayed.