This is a weekly series where you can get caught up on recent events relevant to open source security, with an initial focus on WordPress security. This series is brought to you by Patchstack and you...

FAQs about Patchstack Weekly:
How many episodes does Patchstack Weekly have? The podcast currently has 68 episodes available.
August 29, 2022 - Patchstack Weekly - What Is Your Time to Patch? (9 min)
Whenever a new vulnerability is announced, the clock starts. The time it takes to patch can mean the difference between your site getting compromised or not. Tracking this as a "time to patch" metric can help you quantify whether you need more help with your security program - or whether you are attending to serious issues faster than attackers can target your sites.

August 22, 2022 - Patchstack Weekly - What Does a Vulnerability CVSS Score Mean? (10 min)
What does it mean when a plugin on your site has a vulnerability with a "Medium" CVSS score? Today's episode will be all about the severity scores associated with security bugs and how they are calculated using the CVSS - the Common Vulnerability Scoring System. I will also share two plugins that patched security bugs you should know about in the weekly vulnerability roundup.

August 15, 2022 - Patchstack Weekly - The Practice of Security Bug Patching (9 min)
A mature security patching practice means patching even the low-risk bugs. In this week's episode, I will talk about all the elements that turn security from a process into a practice. I will also discuss one insecure plugin in this week's vulnerability news. Unfortunately, the plugin did not receive a security patch for a severe security bug, so you may wish to be on the lookout if it is installed on your websites or customer websites.

August 08, 2022 - Patchstack Weekly - SVG XSS Vulnerability Found in Gutenberg (10 min)
It is August, and the Patchstack Alliance is growing. New security researchers have joined the alliance in the last month, and we are receiving some great reports of serious security bugs in open source components affecting millions of websites. This week there was a security bug that was not found by the Patchstack Alliance. This new security bug is in the WordPress Gutenberg editor. In this week's knowledge share I will share important details that will help you understand the low risk this now-public vulnerability poses, and emphasize that the existence of a CVE is in itself not a sign of high risk - because severity matters too.

August 01, 2022 - Patchstack Weekly - Why You Shouldn't Use Nulled Plugins and Themes (8 min)
In this week's knowledge share, I will talk about nulled plugins and themes - how they are a hidden security risk, how they harm trust in open source, and what you can do to make things right. I will then cover this week's vulnerability news, which highlights two security bugs in abandoned plugins and one authenticated remote code execution bug that was recently patched.

July 25, 2022 - Patchstack Weekly - What is Server Side Request Forgery? (10 min)
This week I will finally get to talk about SSRF! SSRF stands for Server Side Request Forgery. This is a category of application vulnerability that is sometimes overlooked but could allow attackers to bypass security measures and turn a web application into a sort of limited VPN to pivot to systems normally protected by the network topology. Don't worry if this doesn't make sense right now; I'll explain it in a bit.

July 18, 2022 - Patchstack Weekly - Are Millions of WordPress Sites Really Under Attack? (11 min)
This week's knowledge share is a response to the all-too-common headlines about "Millions of WordPress websites are under attack" that we see every so often. I will share why attempted attacks are just the background radiation of the internet and not something to get into a panic over.

July 11, 2022 - Patchstack Weekly - Why You Should Remove Unused Plugins (8 min)
Welcome back to the Patchstack Weekly Security Update! This week I will talk about the importance of removing unused code and components from your websites. Simply disabling a theme or plugin is not enough - reviewing and deleting these things has to become a habit. I will also cover a few vulnerability highlights, including 10 abandoned components that have known unpatched vulnerabilities in them.

July 04, 2022 - Patchstack Weekly - What is CSV Injection? (10 min)
CSV injection occurs when websites generate CSV files and include untrusted user input within them. I'll explain why this is dangerous, and how you can protect your site against it. This week's vulnerability news will be brief - I will highlight 3 plugins with WordPress Options Update vulnerabilities (2 of which require no authentication). Each of these plugins' authors has released a patch. I will also highlight a plugin affected by a CSV Injection vulnerability that, unfortunately, has not yet been patched (but of course, Patchstack Pro and Business users are protected by a virtual patch).

June 27, 2022 - Patchstack Weekly - Interview with Rotem Bar (32 min)
Rotem Bar works at Cider Security as Head of Marketplace Integrations and has been working in the security field for 20 years. Back in February he found an Unauthenticated DOM-based Reflected Cross-Site Scripting vulnerability in Elementor and reported it through the Patchstack Alliance. If the bug's name sounds confusing, convoluted, and complicated, don't worry - Rotem explains what it means and where exactly the threat lies.