The United States government’s National Vulnerability Database published a notification of a vulnerability discovered in the official WordPress Gutenberg plugin. But according to the person who found it, WordPress is said to have not acknowledged it’s a vulnerability.
Stored Cross-Site Scripting (XSS) Vulnerability
XSS is a type of vulnerability that happens when someone can upload something like a script that wouldn’t ordinarily be allowed through a form or other method.
Most forms and other website inputs will validate that what’s being updated is expected and will filter out dangerous files.
An example is a form for uploading an image that fails to block an attacker from uploading a malicious script.
According to the non-profit Open Web Application Security Project, an organization focused on helping improve software security, this is what can happen with a successful XSS attack:
“An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
These scripts can even rewrite the content of the HTML page.”
Common Vulnerabilities & Exposures – CVE
An organization named CVE serves as a way for documenting vulnerabilities and publicizing the discoveries to the public.
The organization, which the U.S. Department of Homeland Security supports, examines discoveries of vulnerabilities and, if accepted, will assign the vulnerability a CVE number that serves as the identification number of that specific vulnerability.
Discovery Of Vulnerability In Gutenberg
Security research discovered what was believed to be a vulnerability. The discovery was submitted to the CVE, and the discovery was approved and assigned a CVE ID number, making the discovery an official vulnerability.
The XSS vulnerability was given the ID number CVE-2022-33994.
The vulnerability report that was published on the CVE site contains this description:
“The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the “Insert from URL” feature.
NOTE: the XSS payload does not execute in the context of the WordPress instance’s domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.”
That means that someone with Contributor level privileges can cause a malicious file to be inserted into the website.
The way to do it is by inserting the image through a URL.
In Gutenberg, there are three ways to upload an image.
- Upload it
- Choose an existing image from the WordPress Media Libary
- Insert the image from a URL
That last method is where the vulnerability comes from because, according to the security researcher, one can upload an image with any extension file name to WordPress via a URL, which the upload feature does not allow.
Is It Really A Vulnerability?
The researcher reported the vulnerability to WordPress. But according to the person who discovered it, WordPress didn’t acknowledge it as a vulnerability.
This is what the researcher wrote:
“I found a Stored Cross Site Scripting vulnerability in WordPress that got rejected and got labeled as Informative by the WordPress Team.
Today is the 45th day since I reported the vulnerability and yet the vulnerability is not patched as of writing this…”
So it seems that there is a question as to whether WordPress is right and the U.S. Government-supported CVE foundation is wrong (or vice-versa) about whether this is an XSS vulnerability.
The researcher insists that this is a real vulnerability and offers the CVE acceptance to validate that claim.
Furthermore, the researcher implies or suggests that the situation where the WordPress Gutenberg plugin allows uploading images via a URL might not be a good practice, noting that other companies do not allow that kind of uploading.
“If this is so, then tell me why… …companies like Google and Slack went to the extent of validating files that are loaded over an URL and rejecting the files if they’re found to be SVG!
…Google and Slack… don’t allow SVG files to load over an URL, which WordPress does!”
What To Do?
WordPress hasn’t issued a fix for the vulnerability because they appear not to believe it is a vulnerability or one that presents a problem.
The official vulnerability report states that Gutenberg versions up to 13.7.3 contain the vulnerability.
But 13.7.3 is the most current version.
According to the official WordPress Gutenberg changelog that records all past changes and also publishes a description of future changes, there have been no fixes for this (alleged) vulnerability, and there are none planned.
So the question is whether or not there is something to fix.
U.S Government Vulnerability Database Report on the Vulnerability
Report Published on Official CVE Site
Read the Findings of the Researcher
Featured image by Shutterstock/Kues
Link relevancy trumps volume for SEO
- Earned media coverage is more valuable than ever for your website
- Digital PR is just as important as technical SEO
- A large volume of links is the goal, what’s stopping someone from picking the most newsworthy idea, even if it has nothing to do with your client?
In 2022, it’s impossible to deny the benefit that digital PR as a tactic has on an organic growth strategy. Earned media coverage is more valuable than ever for your website. You could be doing everything right for SEO, but if you’re not building links, you’re still missing out on the increased search visibility, organic traffic, and brand awareness that backlinks bring to your business.
I love some of the things I see from digital pr, it’s a shame it often gets bucketed with the spammy kind of link building. It’s just as critical as tech SEO, probably more so in many cases.
— 🥔 johnmu (personal) updated for 2022 🥔 (@JohnMu) January 23, 2021
As digital PR is still a relatively “young industry” that’s only just sprouted up in the past 10 years, many PR pros have relied on “viral” campaigns to boost the backlink portfolio of their clients. These viral campaigns are often celebrated but are often created with little regard to how relevant, or “on-brand” those ideas really are.
After all, if a large volume of links is the goal, what’s stopping someone from picking the most newsworthy idea, even if it has nothing to do with your client?
In 2022, link volume is no longer the goal (or shouldn’t be)
While many PR pros’ were evaluating their success around this one key metric (link volume) others in the industry have suspected for a while now that the relevance of linking coverage is a key factor Google looks at when assigning “value” to links.
Once again, John Mueller has settled the debate about link volume vs link relevance, coming out in 2021 and saying that ‘the total number of links’ doesn’t matter at all.
Keep counting your links, if that makes you happy! It’s good to have some source of pleasure nowadays. (It won’t make the ranking algorithms happy though.)
— 🥔 johnmu (personal) updated for 2022 🥔 (@JohnMu) February 21, 2021
This clarity has helped refocus the digital PR industry and forced PR pros to re-evaluate what metrics and KPIs we need to be focusing on to drive true organic growth.
It’s no longer enough to be ‘popular’ you also need to be relevant. Not just in terms of the publications you are targeting, but the keywords you want to rank for, audience interest, and most importantly, brand alignment to the story you are pitching in.
Google is continuously looking to become more intelligent through its use of machine learning and artificial intelligence. It wants to understand web content as a human, and therefore through its use of natural language understanding, it is likely to not just be looking at the anchor text of links in third-party articles, but it is also wanting to understand the wider context of the article that a brand is placed in.
How to ensure your link-building activity is relevant to your brand
The first steps to coming up with relevant content ideas for your digital PR campaign are to:
- understand your client, and
- understand your client’s audience and their needs.
Every good idea will flow from these two pillars.
If Google’s main objective is to show the best content to users through search, then your job is to create content that either supports your client’s product or service or supports their customers.
It is more important than ever to not only create relevant and on-brand content in the written form but also ensure that any supporting assets created (video, images, audio) are also relevant to the target keywords and services or products that the brand sells.
In addition, it’s important to create content that engages people, to drive further buzz and positive sentiment around the brand, all of which contribute to greater brand awareness and affinity among your potential customers.
How to measure the relevancy of your backlink profile
We now have the technology available to us to be able to understand and assign quantifiable metrics to the relevance of linking coverage (or indeed the relevance of any text-based content) – which allows us to be much more data-driven and targeted when developing digital PR, link creation activity and competitor and marketplace analysis.
For example, natural language understanding tools like Salient, measure the relevancy of both off-page and on-page content. Tools like this help to understand how a search engine is viewing a brand’s content, it not only enables us to identify the gaps in our client’s backlink profile.
At Journey Further, we use this proprietary tool to measure the relevancy of both off-page and on-page content for our clients.
We can use this tool to understand how a search engine is viewing a brand’s content, it not only enables us to identify the gaps in our client’s backlink profile but also aids us in optimizing its content on-site. The outcome of which – is a much more focused, effective, and measurable digital PR activity that is better aligned to SEO objectives and that delivers better ROI for clients.
Looking ahead to 2023
Looking ahead to 2023 and beyond, it’s likely that Google will only continue to develop better technology to understand web content.
All digital PR campaigns should reflect this, and where possible, be multi-faceted, not just relying on a single press release to get cut through. We need to be thinking as marketers, not just SEO practitioners, and ensure we are driving as much ROI as possible. Taking a brand plus performance approach to SEO and digital PR will therefore be key.
Beth Nunnington is the VP of Digital PR and Content Marketing at Journey Further, leading Digital PR strategy for the world’s leading brands. Her work has been featured in The Drum, PR Moment, and Prolific North. Find Beth on Twitter @BethNunnington.
Link relevancy trumps volume for SEO
Google Testing Expandable Maps In Search & Tabs In Map Results
7 Critical Factors You Must Consider When Choosing RPA Tools
Meta Launches New Reels Features, Including Stories to Reels Conversion and Improved Analytics
7 Critical Factors You Must Consider When Choosing RPA Tools
20 Best Tools To Help You Scale
Decoded Headless CMS & SEO
Twitter Outlines New Ad Improvements in Line with Evolving Data Privacy Approaches
Google Popular Destinations Overlays Google Travel Details
Snap Launches New Bitmoji Fashion Collection from Carhartt, as it Continues to Build its Personalization Tools
Being In Close Contact With Google Doesn’t Benefit You
15 Excel Formulas, Keyboard Shortcuts & Tricks That’ll Save You Lots of Time
Top 7 Ecommerce Podcasts You Should Listen to in 2022
Main Advantages Of LED Lights You Should Definitely Know About
Google Testing More List View Top Stories With News Taking Over Web Results
The Ultimate Guide to Google Ads [Examples]
How Do Enterprise & SaaS Marketing Software Solutions Differ?
Marketers’ secrets to overcoming challenges
10 DuckDuckGo Facts For Digital Marketers & SEO Pros
Spreadsheets remain critical for marketers