Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs
https://s-updigital.com/news/ultimate-member-wordpress-plugin-vulnerability/
Hackers are taking advantage of a zero-day privilege escalation vulnerability found in the widely used ‘Ultimate Member’ WordPress plugin, allowing them to bypass security measures and gain unauthorized access to websites. The plugin, which has over 200,000 active installations, is designed to facilitate user sign-ups and community building on WordPress sites.
Comments
WordPress never changes
Because I've worked with this plugin, I can say the code is EXTREMELY BAD. Very bad. I tried to optimize their STUPID JOIN/UNION queries, and dropped the plugin, because this is some kind of bullshit. The whole plugin forum is full of bug reports and reports of different issues. That is another example that "number of users" means nothing about code quality.
Not surprised at all. Piece of shit plugin.
Except, this isn't WordPress - this is a WordPress plugin.
WordPress' core is solid.
The problem is the plugin authors often do not care about security, but functionality. "If it works, that'll do, ship the code".
I meant entire WordPress ecosystem and not specific developers or users.
Every software as big and open as WP will have shitty community plugins
The only alternative is to have much higher standards for plugins and high fees to be accepted
As in, remake the plugin marketplace to Apple App Store
But as long as we don't want that
This is how it'll always be, no matter the platform
Sure, but in my opinion that does not excuse WordPress. Personally, if I need a blog I will stick with Hugo due to its simplicity.
I've always questioned the simplicity of these things
They're not simple
They're minimalistic
If you could do what most people need with them in a simpler way than WP, the websites for small businesses would all have been built with them, but it's always WP
You mean host the blog with static posts? Yes. But normies do not like this "CLI stuff" and prefer fancy editors with a lot of unnecessary JS.
What you call "CLI stuff": you're again proving it's clearly not simple
What you call "fancy editors with a lot of unnecessary JS" is what most people call simple
Just realize you're part of a niche community, "CLI stuff" is instantly not simple for anyone outside of it
Well, you incorrectly understood the term "simplicity". It is not simplicity for the user, actually; it is "as few features as required for the software to be functional enough".
And this is what I call "bloat". This bloat expands the attack surface and increases the complexity of the entire system. This is what helps hackers find security issues and abuse them.
I already realized it by separating from normies a few messages above.
lol
writing code in binary is super simple
I have already explained to you what I mean. I am not aware of more exact wording in English.
It is funny that your last argument is quibbling.
Rather than thinking about JS, bloat and all, for a small business the tool should make their life easy, not the other way around. By the way, how do you manage search on those static sites, Algolia?
I haven't had such a task, but here is an example you certainly aren't aware of: https://stallman.org/site-search/index.html
Well, I haven't said that JS must be disabled by default at all. My point is that software must be minimalistic in its design and solve only a specific problem, thus not be a "Swiss knife" universal tool combine.
If you need a blog website, you have plenty of alternatives to WordPress.
If you need a dynamic website, depending on your task you have plenty of them, including paying a developer to create your own solution which does what you need exactly how you need it.
I'd never considered a static site as an alternative for myself. But we do deal with search using Typesense, and I'm sure it's not that simple.
Agree, but even for a static site search is a pain. Long ago, we considered Docusaurus for our documentation site, but after seeing that we should use Algolia as the primary search option we left it. I will say the biggest issue is integrating search. Most of the hosted search solutions are costly and self-hosting is a pain. I mean search solutions like Elastic, Typesense or Lucene.
Look at lunr; surprisingly simple to hook into a static site pipeline.
I agree the plugin is a mess, and I have always hated having to use it, but I have always had sites where the plugin was needed... did you (or anyone) find a good reliable substitute?
FYI, an update has been released (allegedly fixes issue). I had a site get bitten by this bug this week.
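For anyone whose site "got bitten" as in the post above, the first triage question after a privilege-escalation bug in a registration plugin is whether any account now holds the administrator role that should not. The following is an added example, not code from the thread, from WordPress or from the plugin: it parses the PHP-serialized capabilities array that WordPress stores in `wp_usermeta` under `<prefix>capabilities` and flags administrator accounts registered after a cutoff date. The table prefix `wp_`, the cutoff date and the user/usermeta rows are all constructed assumptions; on a real site you would feed it the output of a `SELECT` over those two tables (or compare against a known-good list of admins) rather than the inline sample.

```python
"""Flag WordPress administrator accounts that were registered recently.

Added example (not the thread's or the plugin's code). Operates on rows
shaped like wp_users / wp_usermeta exports; everything below is constructed
sample data, and the table prefix is assumed to be the default "wp_".
"""
import re
from datetime import datetime

# Assumption: default table prefix. WordPress stores roles under
# "<prefix>capabilities" as a PHP-serialized array, e.g.
#   a:1:{s:13:"administrator";b:1;}
TABLE_PREFIX = "wp_"

# Constructed sample rows (not from any real site).
# wp_users: ID, user_login, user_registered
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 10:00:00"},
    {"ID": 57, "user_login": "jdoe", "user_registered": "2023-06-28 14:12:09"},
    {"ID": 58, "user_login": "support_admin", "user_registered": "2023-06-29 02:41:55"},
]
# wp_usermeta: user_id, meta_key, meta_value
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 57, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_id": 58, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# One serialized "role => bool" entry: s:<len>:"<role>";b:<0|1>;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(1|0);')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_roles(serialized):
    """Return the set of role names whose flag is true in the serialized array."""
    return {name for name, flag in ROLE_RE.findall(serialized) if flag == "1"}


def admin_accounts(users, usermeta, prefix=TABLE_PREFIX):
    """Return user rows whose capabilities meta grants the administrator role."""
    cap_key = prefix + "capabilities"
    roles_by_user = {}
    for row in usermeta:
        if row["meta_key"] == cap_key:
            roles_by_user[row["user_id"]] = parse_roles(row["meta_value"])
    return [u for u in users if "administrator" in roles_by_user.get(u["ID"], set())]


def suspicious_admins(users, usermeta, since, prefix=TABLE_PREFIX):
    """Logins of administrator accounts registered at or after `since`
    (a "YYYY-MM-DD HH:MM:SS" string, same format as wp_users.user_registered)."""
    cutoff = datetime.strptime(since, TIME_FMT)
    flagged = []
    for u in admin_accounts(users, usermeta, prefix):
        if datetime.strptime(u["user_registered"], TIME_FMT) >= cutoff:
            flagged.append(u["user_login"])
    return flagged


if __name__ == "__main__":
    # Assumed cutoff: the day before the plugin update was applied.
    for login in suspicious_admins(USERS, USERMETA, "2023-06-01 00:00:00"):
        print("review admin account:", login)
```

The cutoff is only a heuristic; an attacker who escalated an existing account would not be caught by the registration date, so compare the full `admin_accounts` list against the admins you know you created, and treat any unexpected entry as a compromise regardless of date.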
Does it mean more business and income when you get asked to patch/fix sites, so this helps website creators?
No, because owners don't know until they're actually hacked, and fixing hacked websites with clueless owners and zero backups isn't a particularly fun job
I've even suggested to WP about making some kind of community membership plugin with user profiles and custom fields for profiles. I.e. for making agile and very flexible websites. No one answered.
There are a few that I was interested in in the past:
https://crocoblock.com/plugins/jetengine/membership/
and
userswp
But I was forced to stay on the default WP user system, with a custom login table and restricted access to some specific content. It's simpler and gives the ability to use hooks & filters without any risks for upgrades at all.
ACF/meta does not fit my needs as well...
The ability to build your own page requires a lot of effort too.
I will try this month or later to purchase new license for crocoblocks, because it's looking exactly what is required.
But that means extra money, right? If you're building their website from scratch with no backups, you can really milk the owners, and it gives an opportunity to upsell them stuff like backups, HA, maintenance packages.
You guys should be rejoicing
Booooooring