Redux, a popular WordPress plugin with more than 1 million active installations, recently patched a vulnerability. The flaw allowed an attacker to bypass the plugin's nonce protection and carry out a Cross-Site Request Forgery (CSRF) attack.
Cross-Site Request Forgery
A Cross-Site Request Forgery (CSRF) attack is a method where an attacker exploits a flaw in a website's code to perform actions on that site without the user's consent. The attacker causes the browser of a user who is already logged in to submit a request, so the action is carried out with that authenticated user's credentials.
The U.S. Department of Commerce defines CSRF like this:
“A type of Web exploit where an unauthorized party causes commands to be transmitted by a trusted user of a Web site without that user’s knowledge.”
This particular attack bypassed security checks by exploiting a coding bug that caused a site to improperly validate security tokens called nonces. Nonces are supposed to protect forms and URLs from attacks.
The WordPress developer page describes nonces:
“WordPress nonces are one-time use security tokens generated by WordPress to help protect URLs and forms from misuse.
If your theme allows users to submit data, be it in the Admin or the front-end, nonces can be used to verify a user intends to perform an action, and is instrumental in protecting against Cross-Site Request Forgery (CSRF).
The one-time use hash generated by a nonce prevents this type of forged attack from being successful by validating that the upload request is done by the current logged-in user. Nonces are unique only to the current user’s session, so if an attempt is made to log in or out, any nonces on the page become invalid.”
The flaw was in how the nonces were validated: a missing nonce was not treated as a failed check. This vulnerability was originally fixed in October 2020 but was reintroduced in a later update.
According to the WPScan security plugin site:
“The plugin did not properly validate some nonces, only checking them if their value was set. As a result, CSRF attacks could still be performed by not submitting the nonce in the request, bypassing the protection they are supposed to provide.”
WPScan and the Redux plugin developers both reported that the CSRF vulnerability has been fixed. WPScan describes the regression as follows:
“The plugin re-introduced a CSRF bypass issue in v4.1.22, as the nonce is only checked if present in the request.”
The Redux Plugin changelog states:
“Fixed: CSRF security issue with a flipped if conditional.”
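The two descriptions above (nonces "only checked if their value was set" and "a flipped if conditional") point to the same fail-open pattern in a request handler. The following PHP is an added illustration written for this article, not code taken from the Redux plugin; the handler, option and action names (`example_save_setting`, `example_setting`) are hypothetical, while the WordPress functions it calls (`wp_verify_nonce`, `check_admin_referer`, `wp_nonce_field`, `current_user_can`) are the real core API. It places the vulnerable shape beside the fixed one so the difference is visible:

```php
<?php
// Added illustration of the bug class described in the advisory; not Redux code.
// Handler, option and action names below are hypothetical.

// VULNERABLE PATTERN: the nonce is verified only when the request carries one.
// A forged cross-site request that simply omits the `_wpnonce` field never
// enters the `if`, so the protected action runs with no check at all.
function example_save_setting_vulnerable() {
    if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'example_save_setting' ) ) {
        wp_die( 'Invalid nonce' );
    }
    // Reached with a valid nonce, an absent nonce, or no nonce field at all.
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
}

// FIXED PATTERN: fail closed. check_admin_referer() terminates the request
// unless a valid nonce for this action is present, so "missing" and "wrong"
// are handled identically. A capability check is added so that even a genuine
// request is only honoured for a user allowed to change settings.
function example_save_setting_fixed() {
    check_admin_referer( 'example_save_setting', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
}

// The legitimate form embeds the nonce for the same action name, which is what
// a forged request from another origin cannot produce.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_setting', '_wpnonce' );
    echo '<input type="hidden" name="action" value="example_save_setting">';
    echo '<input type="text" name="value">';
    submit_button( 'Save' );
    echo '</form>';
}

// Route POSTs for the hypothetical action to the fixed handler.
add_action( 'admin_post_example_save_setting', 'example_save_setting_fixed' );
```

The useful review question for any WordPress handler is whether the code path that reaches the state-changing call can be entered without a successful `wp_verify_nonce()` or `check_admin_referer()` result; wrapping the verification inside an `isset()` guard, or inverting the condition, is exactly what turns a protected action into an unprotected one.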
Update Redux Gutenberg Blocks Library & Framework
Redux is a plugin that allows publishers to browse and choose from thousands of Gutenberg blocks and templates. Blocks are sections of a web page and templates are entire web page designs.
With over a million active installations, the Redux plugin is one of the most used WordPress plugins.
It is highly recommended that publishers using the Redux WordPress plugin immediately update to the latest version, 4.1.24.
Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster
Google’s Product Reviews update was announced as rolling out for English-language pages. No mention was made of whether or when it would roll out to other languages. John Mueller answered a question about whether it is rolling out to other languages.
Google December 2021 Product Reviews Update
On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.
Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021
The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.
A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:
“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200”.com.
Goal is to improve the quality and usefulness of reviews we show users.”
Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.
The first best practice was a requirement of evidence that a product was actually handled and reviewed.
The second best practice was to provide links to more than one place that a user could purchase the product.
The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.
Google’s Mueller Thinking About Product Reviews Update
Product Review Update Targets More Languages?
The person asking the question was rightly under the impression that the product review update only affected English language search results.
But he asserted that he was seeing search volatility in German-language results that appeared to be related to Google’s December 2021 Product Reviews Update.
This is his question:
“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”
John Mueller answered:
“I don’t know… like other languages?
My assumption was this was global and across all languages.
But I don’t know what we announced in the blog post specifically.
But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”
Does Product Reviews Update Affect More Languages?
While the tweeted announcement specified that the product reviews update was limited to the English language, the official blog post did not mention any such limitation.
Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.
One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.
It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.
Google Blog Post About Product Reviews Update
Google’s New Product Reviews Guidelines
John Mueller Discusses If Product Reviews Update Is Global
Watch Mueller answer the question at the 14:00 Minute Mark