Issue #66

This week in WordPress

Elementor patches XSS vulnerabilities

Elementor is making headlines again this week after security company Wordfence revealed it disclosed a set of stored cross-site scripting vulnerabilities to the website builder platform's developers in February. The security flaws were partially patched at the time, with new fixes released this month. Elementor users are being urged to update to at least version 3.1.4 as soon as possible.

The popular plugin is used on more than 7 million sites, according to Elementor. And as Sarah Gooding explains in Elementor Patches XSS Vulnerabilities Affecting 7 Million WordPress Sites, less than half of all Elementor installs were running on version 3.1.x at the time she published her article on March 18, leaving millions of sites still vulnerable.

Threat Analyst Ram Gall, who discovered the vulnerabilities, summarizes his findings in Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites, and offers a detailed walkthrough of how an attacker might compromise sites using Elementor.

Meanwhile, Sarah also reports Attackers Continue to Exploit Vulnerabilities in The Plus Addons for Elementor Plugin. Tara Seals at Threatpost says the security hole in the commercial version of The Plus Addons for Elementor plugin was used in active zero-day attacks for as long as five days before a patch became available.

"So the server hosting my website got infected by a malware! so it is not going live today 🙁 How ironic is this! I patch customer servers on priority for Zero Day vulnerability and now I had to do it for myself! #Irony #cybersecurity #Malware #security" tweets AuthorVivekSea. He links to Roger Montti's article The Plus Addons for Elementor Critical Vulnerability at Search Engine Journal.

In other security news, Wordfence Threat Analyst Chloe Chamberland is urging Tutor LMS users to update to the latest version after several severe vulnerabilities were recently patched in the course creation plugin. The plugin has 20,000 active installs.

Second annual Atarim summit for businesses starts soon

The 2nd annual Atarim Web Agency Summit will kick off on March 23, writes Justin Tadlock for WPTavern. The free four-day business-oriented event will feature 36 sessions focusing on building, expanding, scaling, and thriving online. This year's sessions will be live (last year's were pre-recorded) allowing attendees to get involved in real-time. There'll also be Q&A time for each session.

"I asked @VitoPeleg how much coffee would be consumed by his team for the @atarim_io Web Agency Summit. Not sure where he came up with the number. See what he said…" tweets Copyflight Story Teller Todd Jones, who links to Q&A: Vito Peleg talks Web Agency Summit 2021 and new name. ICYMI, WP Feedback rebranded as Atarim in February.

Yoast SEO celebrates 16.0 release

Yoast reached a milestone this week, releasing the sixteenth version of its popular Yoast SEO plugin. Founder and CPO Joost de Valk reflects on the past 10 years in Yoast SEO 1.0 to 16.0: An interview with Joost de Valk. He recounts starting Yoast in his attic, how he coded the first version, and why testing is a priority now because, "We're putting out code to 12 million websites, so it's a large responsibility that we take very seriously."

Meanwhile, WordPress Core Committer Sergey Biryukov, who works for Yoast, answers some common questions from new core contributors in his helpful guide A week with us: how to start contributing to Core and a team update.

Expand 2021

Most web designers and developers agree time is precious and seek ways to expand the hours they have free on any given day. It's why GoDaddy Pro created the free Expand conference.

Expand 2021 virtually brings together the WD&D community to share their knowledge, make connections and find new ways to succeed in their endeavors. Speakers include freelancers, consultants and agencies who will offer their advice on topics like building websites and managing clients.
They'll cover timely, relevant issues like ecommerce, securing clients' websites, and generating new leads. The content is appropriate for anyone in the industry, from those just getting started to established professionals. You'll walk away with valuable insights and new connections that will help you thrive. RSVP for free.

In other WordPress news...

  • Gutenberg 10.2 was released this week. It adds spacers to navigation lists, lets users categorize template parts, and introduces scoped patterns, says Justin Tadlock at WPTavern. He's shared his typical deep dive into the new features.
  • "There's a new creative challenge open with the WordPress Test group. I did it as a fun palate cleanser between big tasks. It's open until 23 Mar, 2021 if you want to give it a whirl!" tweets WordPress Executive Director Josepha Haden Chomphosy, linking to Anne McCarthy's post at WordPress.org, FSE Program Testing Call #3: Create a fun & custom 404 page. Anne, the program manager for the Full Site Editing (FSE) outreach experiment, sets out a simple testing flow, which Sarah Gooding walks through in New Full Site Editing Testing Challenge.
  • GoDaddy Pro is proud to announce Expand 2021, a virtual event bringing together the WD&D community to share their knowledge, make connections and find new success. Speakers include freelancers, consultants and agencies weighing in on topics like building websites and managing clients. RSVP for free. Sponsored link
  • Work on the Twenty Twenty-Two Default WordPress Theme Should Already Be Underway, writes Justin Tadlock. He argues core contributors should be given months, not weeks, to create the default themes that are the "face" of WordPress. Pro Theme Design's Ben Gillbanks agrees, commenting, "I've been saying this for years and totally agree. Theme development should start at the start of the year, and it should be more open." "I fully agree and I only assume this is delayed by not having a decision about the FSE inclusion date," adds Yoast WordPress contributor Carolina Nymark.
  • Voting for Torque's 2021 Plugin Madness is now open. The bracket-style competition, now in its sixth year, pits the best plugins from across WordPress against each other. Last year's winner was Elementor. "I do like this time of year with @TheTorqueMag's Plugin Madness. Great validation for the plugins we use and highlighting some new ones I have never heard about. To the death!" tweets digital marketer Mike Watson. And if you haven't seen it yet, check out Doc Pop's promo video for Plugin Madness 2021. "@DocPop the way your brain works is something special. Creative is an understatement," tweets Infinite Uploads Co-Founder Josh Dailey.
  • Michelle Frechette and Allie Nimmons talk about WordPress influencer lists, making room at the table, and tokenization in their first vlog for Underrepresented in Tech. Underrepresented in Tech is a database that helps people in underrepresented groups find work in tech, and helps companies connect with a diverse range of talent.
