
sophi-for-wordpress's People

Contributors

  • barryceelen
  • cadic
  • dependabot[bot]
  • dinhtungdu
  • dkotter
  • faisal-alvi
  • iamdharmesh
  • jeffpaul
  • kojraai
  • mend-bolt-for-github[bot]
  • oscarssanchez
  • rahmon
  • renovate-bot
  • renovate[bot]
  • sidsector9


sophi-for-wordpress's Issues

CVE-2021-23368 (Medium) detected in postcss-7.0.35.tgz, postcss-8.2.8.tgz - autoclosed

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-7.0.35.tgz, postcss-8.2.8.tgz

postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: many nested copies of postcss/package.json under sophi-for-wordpress/node_modules

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • cssnano-util-raw-cache-4.0.1.tgz
          • postcss-7.0.35.tgz (Vulnerable Library)

postcss-8.2.8.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.8.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/postcss/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • postcss-8.2.8.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss - 8.2.10


Step up your Open Source Security Game with WhiteSource here

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • browser-sync-2.26.14.tgz
      • browser-sync-ui-2.26.14.tgz
        • socket.io-client-2.4.0.tgz
          • engine.io-client-3.5.1.tgz
            • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution: xmlhttprequest - 1.7.0, xmlhttprequest-ssl - 1.6.2


CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz - autoclosed

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • stylelint-config-1.0.11.tgz
      • stylelint-9.10.1.tgz
        • meow-5.0.0.tgz
          • yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1


CVE-2021-33587 (High) detected in css-what-3.4.2.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/svgo/node_modules/css-what/package.json

Dependency Hierarchy:

  • 10up-toolkit-2.1.1.tgz (Root Library)
    • imagemin-webpack-plugin-2.4.2.tgz
      • imagemin-svgo-7.1.0.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1


CVE-2021-31597 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed

CVE-2021-31597 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • browser-sync-2.26.14.tgz
      • browser-sync-ui-2.26.14.tgz
        • socket.io-client-2.4.0.tgz
          • engine.io-client-3.5.1.tgz
            • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution: xmlhttprequest-ssl - 1.6.1


use page slug, for data sent to sophi

Is your enhancement related to a problem? Please describe.
In a recent progress review on a Sophi integration, @barryceelen noted:

use page slug, for data sent to sophi

We should investigate when sending widget/block data to Sophi if it would be easier to send the page slug and where feasible make that update.

Describe the solution you'd like

Designs

Describe alternatives you've considered

Additional context

Release version 1.0.4

This issue is for tracking changes for the 1.0.4 release. Target release date: 15 July 2021.

Release steps

  • Branch: Starting from develop, cut a release branch named release/1.0.4 for your changes.
  • Version bump: Bump the version number in sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
  • Changelog: Add/update the changelog in CHANGELOG.md and readme.txt.
  • Props: Update CREDITS.md with any new contributors, confirm maintainers are accurate.
  • Readme updates: Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
  • New files: Check to be sure any new files/paths that are unnecessary in the production version are included in .distignore.
  • Merge: Make a non-fast-forward merge from your release branch to develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
  • Test: While still on the trunk branch, test for functionality locally.
  • Push: Push your trunk branch to GitHub (e.g. git push origin trunk).
  • Release: Create a new release, naming the tag and the release with the new version number, and targeting the trunk branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
  • SVN: Wait for the GitHub Action to finish deploying to the WordPress.org repository. If all goes well, users with SVN commit access for that plugin will receive an emailed diff of changes.
  • Check WordPress.org: Ensure that the changes are live on https://wordpress.org/plugins/sophi/. This may take a few minutes.
  • Close milestone: Edit the milestone with release date (in the Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
  • Punt incomplete items: If any open issues or PRs which were milestoned for 1.0.4 do not make it into the release, update their milestone to 1.1.0 or Future Release.
  • Version bump (again): In the develop branch (cd ../ && git checkout develop) bump the version number in sophi.php to 1.0.5-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.
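The "Version bump" step above requires sophi.php (both the "Version:" header and the SOPHI_WP_VERSION constant), package.json and readme.txt to carry the same version. The following check is an added example and not the plugin's own release tooling; it takes file contents as strings, and the exact shape of the sophi.php header and constant and the "Stable tag:" line in readme.txt (the WordPress.org readme convention) are assumptions.

```javascript
// Added example, not the plugin's release tooling: verifies the version
// strings that the "Version bump" release step says must agree. File
// contents are passed in as strings so the check runs on constructed
// samples. The sophi.php header/constant layout and the "Stable tag:"
// line in readme.txt are assumptions.

function extractVersions({ sophiPhp, packageJson, readmeTxt }) {
  const header = /^\s*\*?\s*Version:\s*(\S+)/m.exec(sophiPhp);
  const constant = /define\(\s*'SOPHI_WP_VERSION'\s*,\s*'([^']+)'\s*\)/.exec(sophiPhp);
  const stableTag = /^Stable tag:\s*(\S+)/m.exec(readmeTxt);
  return {
    'sophi.php Version header': header ? header[1] : null,
    'sophi.php SOPHI_WP_VERSION': constant ? constant[1] : null,
    'package.json version': JSON.parse(packageJson).version || null,
    'readme.txt Stable tag': stableTag ? stableTag[1] : null,
  };
}

// Returns one message per source that does not carry `releaseVersion`
// (a missing value or a leftover "-dev" suffix both count as a mismatch).
function findVersionMismatches(files, releaseVersion) {
  const problems = [];
  for (const [source, version] of Object.entries(extractVersions(files))) {
    if (version !== releaseVersion) {
      problems.push(`${source}: expected ${releaseVersion}, found ${version}`);
    }
  }
  return problems;
}

// Constructed sample files in which the constant and readme were not bumped.
const SAMPLE_FILES = {
  sophiPhp: [
    '<?php',
    '/**',
    ' * Plugin Name: Sophi',
    ' * Version: 1.0.4',
    ' */',
    "define( 'SOPHI_WP_VERSION', '1.0.4-dev' );",
  ].join('\n'),
  packageJson: JSON.stringify({ name: 'sophi-for-wordpress', version: '1.0.4' }),
  readmeTxt: '=== Sophi ===\nStable tag: 1.0.3\n',
};

for (const problem of findVersionMismatches(SAMPLE_FILES, '1.0.4')) {
  console.log(problem);
}
```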

Add testing + linting actions

Is your enhancement related to a problem? Please describe.
Add our base unit testing and linting actions so that we can use those for checks on PRs.

Describe the solution you'd like

Designs

Describe alternatives you've considered

Additional context

Integration with Query block

Is your enhancement related to a problem? Please describe.
WordPress 5.8 will introduce the Query block, the plugin should consider if/how it should integrate with that block as a likely case to allow for setting Sophi as a datasource.

Describe the solution you'd like

Designs
TBD

Describe alternatives you've considered

Additional context

CVE-2021-29059 (High) detected in is-svg-4.3.1.tgz - autoclosed

CVE-2021-29059 - High Severity Vulnerability

Vulnerable Library - is-svg-4.3.1.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-4.3.1.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/imagemin-svgo/node_modules/is-svg/package.json,sophi-for-wordpress/node_modules/is-svg/package.json

Dependency Hierarchy:

  • 10up-toolkit-1.0.9.tgz (Root Library)
    • imagemin-webpack-plugin-2.4.2.tgz
      • imagemin-svgo-7.1.0.tgz
        • is-svg-4.3.1.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDoS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


Revisions to tracking data

There are some changes and additions needed for the tracking data that gets collected, to help with site automation results.

New Fields

  • type: Should be a string with one of the following values: article, video, audio, or image. Most content will be article. Propose we use the post format feature to determine this, as it directly supports all of these types. In addition, suggest we add a new filter around this to make it easy for sites to customize this (we'll want validation on this to ensure the value this filter returns is only one of those types)
  • url: Should be a string that contains the main URL of the content. This is replacing the existing canonicalURL field
  • isCanonical: Should be a boolean value. true if this item is the canonical resource. Default for most items will be true
  • promoImageUri: Should be a string that points to the URL of the featured image (should ensure we use the full size image)

Changes to Existing Fields

  • canonicalURL: This field is being removed and replaced by url and isCanonical
  • sectionNames: This is an existing field but it needs to be changed to an array of strings. If a piece of content has multiple sections (like /news/local/SLUG), this field should be ['news', 'local']. If it only has a single section (like /news/), this field should be ['news']. The first section in the URL should always show first in this array
  • plainText: This field already exists but we need new logic here to check if a piece of content has any text at all and if not, this field should be omitted. This applies mostly to non-article content that may not contain any text
  • datePublished: Field needs to be renamed to publishedAt
  • dateModified: Field needs to be renamed to modifiedAt
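The field changes above, carried through as an added example that is not the plugin's own code: it builds the revised payload from a plain post object, validates a filtered type against the four allowed values, derives sectionNames from the URL path, omits plainText when there is no text, and applies the renames. The post field names, the post-format mapping and the `typeFilter` callback (standing in for a WordPress filter) are assumptions.

```javascript
// Added example, not the plugin's own code: builds the revised Sophi
// content payload described in the issue from a plain post object. The
// post field names, the post-format mapping and the `typeFilter` hook are
// assumptions made for illustration.

const ALLOWED_TYPES = ['article', 'video', 'audio', 'image'];

// Derive the content type from the WordPress post format (assumed mapping:
// 'gallery' counts as image, everything else is an article).
function typeFromPostFormat(format) {
  const map = { video: 'video', audio: 'audio', image: 'image', gallery: 'image' };
  return map[format] || 'article';
}

// Let a site override the type through a filter callback, but validate the
// result: anything outside the four allowed values falls back to the
// format-derived type instead of being sent to Sophi.
function resolveType(post, typeFilter) {
  const base = typeFromPostFormat(post.format);
  if (typeof typeFilter !== 'function') return base;
  const candidate = typeFilter(base, post);
  return ALLOWED_TYPES.includes(candidate) ? candidate : base;
}

// sectionNames: the path segments in URL order, minus the trailing post
// slug. '/news/local/council-vote/' -> ['news', 'local']; '/news/' -> ['news']
function sectionNamesFromUrl(url, slug) {
  const segments = new URL(url).pathname.split('/').filter(Boolean);
  if (segments.length && segments[segments.length - 1] === slug) segments.pop();
  return segments;
}

function buildContentEntity(post, typeFilter) {
  const entity = {
    type: resolveType(post, typeFilter),
    url: post.permalink, // replaces canonicalURL
    // canonical unless the post declares a different canonical URL
    isCanonical: !post.canonicalUrl || post.canonicalUrl === post.permalink,
    sectionNames: sectionNamesFromUrl(post.permalink, post.slug),
    publishedAt: post.datePublished, // renamed from datePublished
    modifiedAt: post.dateModified, // renamed from dateModified
  };
  // full-size featured image URL
  if (post.featuredImageFull) entity.promoImageUri = post.featuredImageFull;
  // plainText is omitted entirely when the content carries no text
  const text = (post.plainText || '').trim();
  if (text) entity.plainText = text;
  return entity;
}

// Constructed sample post (not real site data).
const SAMPLE_POST = {
  slug: 'council-vote',
  permalink: 'https://example.com/news/local/council-vote/',
  canonicalUrl: '',
  format: 'standard',
  datePublished: '2021-06-01T10:00:00Z',
  dateModified: '2021-06-02T08:30:00Z',
  featuredImageFull: 'https://example.com/wp-content/uploads/2021/06/vote.jpg',
  plainText: 'The council voted 5-2 to approve the plan.',
};

console.log(JSON.stringify(buildContentEntity(SAMPLE_POST), null, 2));
```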

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/imagemin/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • 10up-toolkit-2.1.1.tgz (Root Library)
    • imagemin-webpack-plugin-2.4.2.tgz
      • imagemin-6.1.0.tgz
        • globby-8.0.2.tgz
          • fast-glob-2.2.7.tgz
            • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2


CVE-2021-23364 (Medium) detected in browserslist-4.16.3.tgz - autoclosed

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/browserslist/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • postcss-preset-env-6.7.0.tgz
      • browserslist-4.16.3.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5


WS-2021-0154 (Medium) detected in glob-parent-3.1.0.tgz - autoclosed

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/imagemin/node_modules/glob-parent/package.json,sophi-for-wordpress/node_modules/webpack-dev-server/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • 10up-toolkit-1.0.10.tgz (Root Library)
    • imagemin-webpack-plugin-2.4.2.tgz
      • imagemin-6.1.0.tgz
        • globby-8.0.2.tgz
          • fast-glob-2.2.7.tgz
            • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2


Address `TODO` statements

It looks like there are a handful of TODO statements still in the code. Ideally these would be addressed or if they are no longer relevant, those statements would be removed.

I'm seeing two of these in /includes/classes/Curator/Request.php and one in /includes/blocks/curator-block/edit.js

Update CLI command to include non-VIP support

Is your enhancement related to a problem? Please describe.
This plugin was initially developed targeting WordPress VIP, but now that we're broadening the audience to WordPress.org we'll need to update our WP-CLI command to work on non-VIP environments.

Describe the solution you'd like

  • Duplicate command and remove any VIP-specific items
  • update readme docs to note VIP and non-VIP command details

Designs
n/a

Describe alternatives you've considered
n/a

Additional context
n/a

Add data attributes to site automation widgets

In order to better capture widget groupings, we need to add a new data attribute to the main container that is used for the site automation widgets.

This attribute takes the form data-sophi-feature="Widget Name"

As an example:

<div class="wp-block-trending" data-sophi-feature="trending"> 
    <h3>Trending</h3>
    <ul>...</ul>
</div>

We currently have a widget name field on the Site Automation block, so I propose that name is what is used for this data attribute. From the examples we've been given, it looks like this name should be lowercase and spaces should be replaced with dashes, so we might need to pass the widget name through sanitization to achieve this.

For direct integrations with WP_Query, this data attribute will need to be added on a site-by-site basis. We probably need to update documentation to mention this.
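The sanitization step suggested above, as an added example that is not the plugin's own code: the widget name is lowercased, whitespace becomes dashes and anything else is dropped before it is emitted as data-sophi-feature. `sanitizeFeatureName`, `escapeAttr` and `renderWidgetContainer` are our own helpers (a PHP implementation would reach for sanitize_title() and esc_attr() instead).

```javascript
// Added example, not the plugin's own code: derives the data-sophi-feature
// value from the Site Automation block's widget name and renders the
// wrapper from the issue. All helper names here are ours.

// Lowercase; runs of whitespace or underscores become one dash; anything
// that is not a-z, 0-9 or '-' is dropped; repeated or edge dashes trimmed.
function sanitizeFeatureName(widgetName) {
  return String(widgetName)
    .toLowerCase()
    .replace(/[\s_]+/g, '-')
    .replace(/[^a-z0-9-]/g, '')
    .replace(/-{2,}/g, '-')
    .replace(/^-+|-+$/g, '');
}

// Minimal HTML attribute escaping for values we do not fully control.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Emit the container. If the name sanitizes to nothing the attribute is
// left off rather than sending an empty feature name to Sophi.
// `innerHtml` is assumed to be markup the block has already rendered safely.
function renderWidgetContainer(blockClass, widgetName, innerHtml) {
  const feature = sanitizeFeatureName(widgetName);
  const attr = feature ? ` data-sophi-feature="${feature}"` : '';
  return `<div class="${escapeAttr(blockClass)}"${attr}>${innerHtml}</div>`;
}

console.log(renderWidgetContainer('wp-block-trending', 'Trending', '<h3>Trending</h3><ul></ul>'));
```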

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


Detected dependencies

composer
composer.json
  • php >=7.4
  • snowplow/snowplow-tracker 0.6.1
  • phpunit/phpunit 9.5.27
  • automattic/vipwpcs 2.3.3
  • dealerdirect/phpcodesniffer-composer-installer 0.7.2
github-actions
.github/workflows/build-docs.yml
  • actions/checkout v3.5.3
  • actions/setup-node v3
  • peaceiris/actions-gh-pages v3
.github/workflows/dotorg-asset-readme-update.yml
.github/workflows/dotorg-push-deploy.yml
  • actions/checkout v3
  • actions/setup-node v3
  • actions/upload-release-asset v1
.github/workflows/lint.yml
  • actions/checkout v3
  • shivammathur/setup-php v2
.github/workflows/php-compatibility-dev.yml
  • actions/checkout v3
  • shivammathur/setup-php v2
.github/workflows/php-compatibility.yml
  • actions/checkout v3
  • shivammathur/setup-php v2
.github/workflows/test.yml
  • actions/checkout v3
  • shivammathur/setup-php v2
npm
package.json
  • @10up/block-components ^1.13.0
  • @wordpress/icons 9.14.0
  • 10up-toolkit 4.3.1
  • jsdoc 3.6.11
  • prop-types 15.8.1
  • wp-hookdoc 0.2.0
  • node >=12.0.0

Move `get_supported_post_types` to utils

Minor suggestion but thinking we may want to move the get_supported_post_types function from the core.php file to the utils.php file. This seems more like a utility function, though moving would require updating the namespace anywhere this function is used.

Update to VIPCS 2.3.0

Is your enhancement related to a problem? Please describe.
VIP just released version 2.3.0 of their Coding Standards, we should ensure the plugin updates to use these new standards.

Describe the solution you'd like

  • update linting to utilize VIPCS 2.3.0
  • resolve any errors/warnings thrown by the updated linting

Designs

Describe alternatives you've considered

Additional context

CVE-2020-11023 (Medium) detected in phpunit/php-code-coverage-7.0.15, jquery-3.4.1.min.js - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - phpunit/php-code-coverage-7.0.15, jquery-3.4.1.min.js

phpunit/php-code-coverage-7.0.15

Library that provides collection, processing, and rendering functionality for PHP code coverage information.

Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/819f92bba8b001d4363065928088de22f25a3a48

Dependency Hierarchy:

  • phpunit/phpunit-8.5.30 (Root Library)
    • phpunit/php-code-coverage-7.0.15 (Vulnerable Library)
jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: 23a26be24eec064a68e5fa5b526726372d41a3fd

Found in base branch: develop

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0


Step up your Open Source Security Game with Mend here

VIP CLI dry mode and limiting issues

Describe the bug
The following is unconfirmed in a dev or local environment, but worth sharing in case there is something off with the CLI command that runs in VIP.

Steps to Reproduce

I’m running the CLI command for sophi on the VIP production site and two observations:

  • the plugin ran in dry mode without me asking it to
  • I set a limit of 1000 and a per-page of 10; I’d expect “Preparing for the next batch...” a hundred times (a progress bar would be nicer), but it’s been about 300 of those by now

Expected behavior

Screenshots

Environment information

  • Device:
  • OS:
  • Browser and version:
  • WordPress version:
  • Plugins and version:
  • Theme and version:
  • Site Health Info:

Additional context

CVE-2020-11022 (Medium) detected in jquery-3.4.1.min.js, phpunit/php-code-coverage-7.0.15 - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.4.1.min.js, phpunit/php-code-coverage-7.0.15

jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.4.1.min.js (Vulnerable Library)
phpunit/php-code-coverage-7.0.15

Library that provides collection, processing, and rendering functionality for PHP code coverage information.

Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/819f92bba8b001d4363065928088de22f25a3a48

Dependency Hierarchy:

  • phpunit/phpunit-8.5.30 (Root Library)
    • phpunit/php-code-coverage-7.0.15 (Vulnerable Library)

Found in HEAD commit: 23a26be24eec064a68e5fa5b526726372d41a3fd

Found in base branch: develop

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0


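
Both jQuery alerts above (CVE-2020-11023 and CVE-2020-11022) come down to the same mechanism: before 3.5.0, jQuery.htmlPrefilter rewrote self-closing tags such as <style/> into an open/close pair before the string reached the parser, so markup a sanitizer had judged inert could become live. The block below is an added example for this page, not code from the Sophi plugin or from jQuery: it reproduces the rxhtmlTag rewrite as shipped in jQuery 3.4.1 (the version bundled in the php-code-coverage HTML report named in the alert), the identity prefilter that jQuery 3.5.0 switched to, and a deliberately simplified raw-text tracker standing in for the browser's parser so the effect can be seen without a DOM. The payload string and the tracker are constructed for illustration; liveElements is not a real HTML parser and only models the raw-text rule that matters here.

```javascript
// Added example, not plugin or jQuery code: why jQuery < 3.5.0 made "sanitized"
// HTML live. RX_HTML_TAG is the rxhtmlTag pattern as shipped in jQuery 3.4.1.

// Any self-closing tag that is not a void element is rewritten from <x/> to <x></x>.
const RX_HTML_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery.htmlPrefilter before 3.5.0.
function legacyHtmlPrefilter(html) {
  return html.replace(RX_HTML_TAG, "<$1></$2>");
}

// jQuery.htmlPrefilter from 3.5.0 on: the string is passed through unchanged.
function fixedHtmlPrefilter(html) {
  return html;
}

// Simplified stand-in for the HTML parser (constructed for this example; not a real
// parser). <style>, <script>, <textarea> and <title> open a raw-text section that
// only the matching end tag closes; anything tag-shaped inside it is text, not an
// element. Returns the names of elements the parser would actually create.
const RAW_TEXT = ["style", "script", "textarea", "title"];

function liveElements(html) {
  const live = [];
  let rawOpen = null;
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const isEnd = m[0][1] === "/";
    if (rawOpen !== null) {
      if (isEnd && name === rawOpen) rawOpen = null;
      continue; // still inside raw text: inert
    }
    if (isEnd) continue;
    live.push(name);
    if (RAW_TEXT.includes(name)) rawOpen = name;
  }
  return live;
}

// Constructed payload. A sanitizer that only refuses </style> and javascript: would
// accept it: with no end tag, the parser treats the <img> as CSS text, so nothing
// runs. The rewrite closes the inner <style/>, and the <img> becomes an element.
const PAYLOAD = '<style><style/><img src=x onerror="alert(1)">';

// Apply a prefilter to the payload and report what the parser would instantiate.
function demo(prefilter) {
  const html = prefilter(PAYLOAD);
  return { html, live: liveElements(html) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("jQuery 3.4.1:", demo(legacyHtmlPrefilter));
  console.log("jQuery 3.5.0:", demo(fixedHtmlPrefilter));
}
```

Run it with node to print both outcomes. The vulnerable copy reported here sits under vendor/phpunit/php-code-coverage, i.e. inside a dev dependency's generated coverage report rather than in anything the plugin ships; the same rewrite matters far more where front-end code passes sanitized HTML to .html() or .append().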

CVE-2021-23382 (Medium) detected in postcss-5.2.18.tgz - autoclosed

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Library - postcss-5.2.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss-object-fit-images/node_modules/postcss/package.json

Dependency Hierarchy:

  • 10up-toolkit-2.1.1.tgz (Root Library)
    • postcss-object-fit-images-1.1.2.tgz
      • postcss-5.2.18.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13



DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

CVE-2021-28092 (High) detected in is-svg-3.0.0.tgz - autoclosed

CVE-2021-28092 - High Severity Vulnerability

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/is-svg/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-svgo-4.0.2.tgz
          • is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2


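
The Dependency Hierarchy sections in these alerts name the chain from a direct dependency (scripts, 10up-toolkit) down to the vulnerable package, which is what decides whether bumping the root fixes it and whether a second, nested copy is still installed elsewhere. The block below is an added example, not part of the plugin: it walks a tree in the shape that npm ls --all --json prints and reports every installed copy whose version is below the Fix Resolution version, with the path back to the root dependency. The tree is constructed from the is-svg and postcss hierarchies listed on this page, plus a fixed postcss copy under a hypothetical autoprefixer node to show that checking per copy matters; the version comparison is a minimal x.y.z compare that ignores pre-release tags, not a full semver implementation.

```javascript
// Added example (not plugin code): triaging a Mend/WhiteSource "Dependency
// Hierarchy" against the installed tree. SAMPLE_TREE is constructed in the shape
// `npm ls --all --json` prints; on a real checkout, parse that command's output.

// Minimal x.y.z compare (pre-release tags ignored): negative if a < b, 0 if equal.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Advisories as "package -> first fixed version", from the alerts' Fix Resolution.
const ADVISORIES = {
  "is-svg": { cve: "CVE-2021-28092", fixed: "4.2.2" },
  postcss: { cve: "CVE-2021-23382", fixed: "8.2.13" },
};

// Depth-first walk. Every installed copy is checked separately: one hoisted copy
// can be fixed while a nested duplicate under another package is still vulnerable.
function findVulnerable(tree, advisories = ADVISORIES) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = name ? [...path, `${name}@${node.version}`] : path;
    const adv = name && advisories[name];
    if (adv && compareVersions(node.version, adv.fixed) < 0) {
      hits.push({ name, version: node.version, cve: adv.cve, fixed: adv.fixed, path: here });
    }
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      walk(child, childNode, here);
    }
  };
  walk(null, tree, []);
  return hits;
}

// The direct dependency to bump for each hit is the first element of its path.
function rootsToBump(hits) {
  return [...new Set(hits.map((h) => h.path[0]))];
}

// Constructed sample tree seeded from the hierarchies on this page. The
// autoprefixer node and its postcss 8.3.0 copy are hypothetical, added only to
// show a fixed copy coexisting with a vulnerable one.
const SAMPLE_TREE = {
  name: "sophi-for-wordpress",
  version: "1.0.0",
  dependencies: {
    "10up-toolkit": {
      version: "2.1.1",
      dependencies: {
        "postcss-object-fit-images": {
          version: "1.1.2",
          dependencies: { postcss: { version: "5.2.18" } },
        },
        autoprefixer: {
          version: "10.4.0",
          dependencies: { postcss: { version: "8.3.0" } },
        },
      },
    },
    scripts: {
      version: "1.3.1",
      dependencies: {
        cssnano: {
          version: "4.1.10",
          dependencies: {
            "cssnano-preset-default": {
              version: "4.0.7",
              dependencies: {
                "postcss-svgo": {
                  version: "4.0.2",
                  dependencies: { "is-svg": { version: "3.0.0" } },
                },
              },
            },
          },
        },
      },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const hits = findVulnerable(SAMPLE_TREE);
  for (const h of hits) {
    console.log(`${h.cve}: ${h.name}@${h.version} (< ${h.fixed}) via ${h.path.join(" > ")}`);
  }
  console.log("direct dependencies to bump:", rootsToBump(hits));
}
```

On a real checkout, replace SAMPLE_TREE with JSON.parse of the npm ls --all --json output; each reported path starts at the direct dependency whose bump (or override) removes the vulnerable copy.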

[SIT-2354] Test against WordPress 5.8

Is your enhancement related to a problem? Please describe.
Once WordPress 5.8 is released, we'll want to test Sophi to see if any incompatibility issues arise.

Describe the solution you'd like

  • test Sophi on WordPress 5.8
  • open issues for any incompatibilities noted in testing
  • resolve issues identified in testing
  • bump "tested up to" version
  • if code changes needed due to incompatibilities, ship a plugin release

Designs
n/a

Describe alternatives you've considered
none

Additional context
n/a

Release version 1.0.3

This issue is for tracking changes for the 1.0.3 release. Target release date: 15 June 2021.

Release steps

  • Branch: Starting from develop, cut a release branch named release/1.0.3 for your changes.
  • Version bump: Bump the version number in sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
  • Changelog: Add/update the changelog in CHANGELOG.md and readme.txt.
  • Props: Update CREDITS.md with any new contributors, confirm maintainers are accurate.
  • Readme updates: Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
  • New files: Check to be sure any new files/paths that are unnecessary in the production version are included in .distignore.
  • Merge: Make a non-fast-forward merge from your release branch to develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
  • Test: While still on the trunk branch, test for functionality locally.
  • Push: Push your trunk branch to GitHub (e.g. git push origin trunk).
  • Release: Create a new release, naming the tag and the release with the new version number, and targeting the trunk branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
  • SVN: Wait for the GitHub Action to finish deploying to the WordPress.org repository. If all goes well, users with SVN commit access for that plugin will receive an emailed diff of changes.
  • Check WordPress.org: Ensure that the changes are live on https://wordpress.org/plugins/sophi/. This may take a few minutes.
  • Close milestone: Edit the milestone with release date (in the Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
  • Punt incomplete items: If any open issues or PRs which were milestoned for 1.0.3 do not make it into the release, update their milestone to 1.1.0 or Future Release.
  • Version bump (again): In the develop branch (cd ../ && git checkout develop) bump the version number in sophi.php to 1.0.4-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.

CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • read-pkg-5.2.0.tgz
      • normalize-package-data-2.5.0.tgz
        • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8



CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/trim/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • stylelint-config-1.0.11.tgz
      • stylelint-9.10.1.tgz
        • postcss-markdown-0.36.0.tgz
          • remark-10.0.1.tgz
            • remark-parse-6.0.3.tgz
              • trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: component/trim#8

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3



CVE-2021-33502 (High) detected in normalize-url-2.0.1.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Library - normalize-url-2.0.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cacheable-request/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • 10up-toolkit-2.1.1.tgz (Root Library)
    • imagemin-webpack-plugin-2.4.2.tgz
      • imagemin-optipng-6.0.0.tgz
        • optipng-bin-5.1.0.tgz
          • bin-wrapper-4.1.0.tgz
            • download-7.1.0.tgz
              • got-8.3.2.tgz
                • cacheable-request-2.1.4.tgz
                  • normalize-url-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1



Add hook doc action

Is your enhancement related to a problem? Please describe.
Add our hook doc action and ensure we're using JSDoc-formatted docblocks for our hooks so that we can generate this developer-friendly docs site from the plugin.

Describe the solution you'd like

Designs

Describe alternatives you've considered

Additional context

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz - autoclosed

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

  • 10up-toolkit-1.0.13.tgz (Root Library)
    • webpack-dev-server-3.11.2.tgz
      • ansi-html-0.0.7.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution: VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1



CVE-2021-32640 (Medium) detected in ws-7.4.4.tgz - autoclosed

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-7.4.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.4.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/ws/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • webpack-bundle-analyzer-4.4.0.tgz
      • ws-7.4.4.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6



Release version 1.0.0

This issue is for tracking changes for the 1.0.0 release. Target release date: 14 April 2021.

Release steps

  • Branch: Starting from develop, cut a release branch named release/1.0.0 for your changes.
  • Version bump: Bump the version number in sophi-for-wordpress.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi-for-wordpress.php.
  • Changelog: Add/update the changelog in CHANGELOG.md and readme.txt.
  • Props: Update CREDITS.md with any new contributors, confirm maintainers are accurate.
  • Readme updates: Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
  • New files: Check to be sure any new files/paths that are unnecessary in the production version are included in .github/action-release/rsync-filter.txt.
  • Merge: Make a non-fast-forward merge from your release branch to develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
  • Test: While still on the trunk branch, test for functionality locally.
  • Push: Push your trunk branch to GitHub (e.g. git push origin trunk).
  • Wait for build: Head to the Actions tab in the repo and wait for it to finish if it hasn't already. If it doesn't succeed, figure out why and start over.
  • Check the build: Check out the stable branch and test for functionality locally.
  • Release: Create a new release, naming the tag and the release with the new version number, and targeting the stable branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
  • Close milestone: Edit the milestone with release date (in the Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
  • Punt incomplete items: If any open issues or PRs which were milestoned for 1.0.0 do not make it into the release, update their milestone to 1.1.0 or Future Release.
  • Version bump (again): In the develop branch (cd ../ && git checkout develop) bump the version number in sophi-for-wordpress.php to 1.0.1-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.

CVE-2020-36048 (High) detected in engine.io-3.5.0.tgz - autoclosed

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

  • 10up-toolkit-2.1.1.tgz (Root Library)
    • browser-sync-2.27.7.tgz
      • socket.io-2.4.0.tgz
        • engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution: engine.io - 4.0.0



CVE-2021-3749 (High) detected in axios-0.21.1.tgz - autoclosed

CVE-2021-3749 - High Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/axios/package.json

Dependency Hierarchy:

  • 10up-toolkit-1.0.11.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • localtunnel-2.0.1.tgz
        • axios-0.21.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/axios/axios/releases/tag/v0.21.2

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2


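
Most of the npm alerts on this page (trim, is-svg, hosted-git-info, normalize-url, path-parse, ansi-html, axios, postcss) are one bug class: a regular expression whose backtracking grows polynomially or exponentially with input length, so a single long string stalls the event loop. The block below is an added example, not code from the plugin or from any of those packages: it takes the one-line implementation of trim@0.0.1 (the package in the CVE-2020-7753 alert, reached through remark-parse in that hierarchy) as the concrete instance, shows the input shape that triggers quadratic backtracking, a linear replacement, a length cap as the stop-gap mitigation, and a small timing harness so the growth can be observed. The adversarial input and the timing sizes are constructed; the regex is the one shipped in trim 0.0.1.

```javascript
// Added example, not code from the plugin or from trim: the ReDoS class behind the
// trim, is-svg, hosted-git-info, normalize-url, path-parse, ansi-html, axios and
// postcss alerts, using trim@0.0.1's implementation as the concrete instance.

// trim@0.0.1. The first alternative is anchored, so leading whitespace is removed in
// one pass. The second is not: `\s*$` is retried at every offset, eats the whole
// whitespace run, fails at `$`, and backtracks one character at a time. A run of n
// spaces that is followed by a non-space therefore costs about n*n/2 steps.
function vulnerableTrim(str) {
  return str.replace(/^\s*|\s*$/g, "");
}

// Linear replacement: find the boundaries by scanning from each end instead of
// asking the regex engine to discover where trailing whitespace starts.
function safeTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed adversarial input: a non-space, n spaces, a non-space. Pure leading
// or trailing whitespace is NOT the bad case (the anchored alternative handles
// leading runs in one pass, and a real trailing run matches on the first try).
function adversarialInput(n) {
  return "a" + " ".repeat(n) + "b";
}

// Wall-clock ms for fn on each input size. Absolute numbers depend on the machine;
// compare the growth: quadratic roughly quadruples per doubling, linear stays flat.
function measure(fn, sizes) {
  return sizes.map((n) => {
    const input = adversarialInput(n);
    const t0 = process.hrtime.bigint();
    fn(input);
    return Number(process.hrtime.bigint() - t0) / 1e6;
  });
}

// Mitigation where the package cannot be upgraded yet: bound the input before it
// reaches the regex, the same idea as the header-size cap the ws advisory suggests.
function boundedTrim(str, maxLen = 10000) {
  if (str.length > maxLen) {
    throw new RangeError(`refusing to trim ${str.length} chars with a backtracking regex`);
  }
  return vulnerableTrim(str);
}

if (typeof require !== "undefined" && require.main === module) {
  const sizes = [4000, 8000, 16000];
  console.log("sizes:          ", sizes);
  console.log("trim@0.0.1 (ms):", measure(vulnerableTrim, sizes).map((t) => t.toFixed(1)));
  console.log("safeTrim   (ms):", measure(safeTrim, sizes).map((t) => t.toFixed(1)));
}
```

Running it prints per-size timings: the vulnerable version roughly quadruples each time n doubles while the linear one stays flat. As the hierarchies show, these packages arrive through build tooling (10up-toolkit, scripts), so the input they see is the project's own source at build time rather than user input at runtime; boundedTrim is the cheap mitigation that applies where an upgrade is not yet available.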

[SIT-2451] Bump schema version

Is your enhancement related to a problem? Please describe.
In a recent check-in meeting with the Sophi team and one of their integration projects, it was identified that a schema update is likely warranted. I'm opening this ticket to capture that work, though we will need to get confirmation from the Sophi team on what schema (e.g. the json-schema?) needs to be updated and to what value before proceeding.

Describe the solution you'd like

Designs

Describe alternatives you've considered

Additional context

Release version 1.0.2

This issue is for tracking changes for the 1.0.2 release. Target release date: 26 April 2021.

Release steps

  • Branch: Starting from develop, cut a release branch named release/1.0.2 for your changes.
  • Version bump: Bump the version number in sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
  • Changelog: Add/update the changelog in CHANGELOG.md and readme.txt.
  • Props: Update CREDITS.md with any new contributors, confirm maintainers are accurate.
  • Readme updates: Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
  • New files: Check to be sure any new files/paths that are unnecessary in the production version are included in .github/action-release/rsync-filter.txt.
  • Merge: Make a non-fast-forward merge from your release branch to develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
  • Test: While still on the trunk branch, test for functionality locally.
  • Push: Push your trunk branch to GitHub (e.g. git push origin trunk).
  • Wait for build: Head to the Actions tab in the repo and wait for it to finish if it hasn't already. If it doesn't succeed, figure out why and start over.
  • Check the build: Check out the stable branch and test for functionality locally.
  • Release: Create a new release, naming the tag and the release with the new version number, and targeting the stable branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
  • Close milestone: Edit the milestone with release date (in the Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
  • Punt incomplete items: If any open issues or PRs which were milestoned for 1.0.2 do not make it into the release, update their milestone to 1.1.0 or Future Release.
  • Version bump (again): In the develop branch (cd ../ && git checkout develop) bump the version number in sophi.php to 1.0.3-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.

Update our PHPCS script

Currently we have a composer script that will run phpcs (for instance, if you run composer run lint, it will run the command phpcs). We are loading the proper WP VIP coding standards so this command does most of what we want.

But we can be a little more specific in that command, which will also ensure we are scanning JS files. I'd suggest we update that to be something more robust like:
phpcs --standard=WordPress-VIP-Go -sp --basepath=. --ignore=*/vendor/*,*/node_modules/*,*/tests/*,*/phpunit.xml* .

Might also make sense to make this same update in our lint workflow.

Release version 1.0.1

This issue is for tracking changes for the 1.0.1 release. Target release date: 23 April 2021.

Release steps

  • Branch: Starting from develop, cut a release branch named release/1.0.1 for your changes.
  • Version bump: Bump the version number in sophi.php, package.json, and readme.txt if it does not already reflect the version being released. Update both the plugin "Version:" property and the plugin SOPHI_WP_VERSION constant in sophi.php.
  • Changelog: Add/update the changelog in CHANGELOG.md and readme.txt.
  • Props: Update CREDITS.md with any new contributors, confirm maintainers are accurate.
  • Readme updates: Make any other readme changes as necessary. README.md is geared toward GitHub and readme.txt contains WordPress.org-specific content. The two are slightly different.
  • New files: Check to be sure any new files/paths that are unnecessary in the production version are included in .github/action-release/rsync-filter.txt.
  • Merge: Make a non-fast-forward merge from your release branch to develop (or merge the Pull Request), then do the same for develop into trunk (git checkout trunk && git merge --no-ff develop). trunk contains the stable development version.
  • Test: While still on the trunk branch, test for functionality locally.
  • Push: Push your trunk branch to GitHub (e.g. git push origin trunk).
  • Wait for build: Head to the Actions tab in the repo and wait for it to finish if it hasn't already. If it doesn't succeed, figure out why and start over.
  • Check the build: Check out the stable branch and test for functionality locally.
  • Release: Create a new release, naming the tag and the release with the new version number, and targeting the stable branch. Paste the changelog from CHANGELOG.md into the body of the release and include a link to the closed issues on the milestone. The release should now appear under releases.
  • Close milestone: Edit the milestone with release date (in the Due date (optional) field) and link to GitHub release (in the Description field), then close the milestone.
  • Punt incomplete items: If any open issues or PRs which were milestoned for 1.0.1 do not make it into the release, update their milestone to 1.0.2, 1.1.0, or Future Release.
  • Version bump (again): In the develop branch (cd ../ && git checkout develop) bump the version number in sophi.php to 1.0.2-dev. It's okay if the next release might be a different version number; that change can be handled right before release in the first step, as might also be the case with @since annotations.

Headless integration docs

Is your enhancement related to a problem? Please describe.
Some Sophi users may have a headless WordPress setup, so let's make sure we consider that and describe in the docs what they might need to do differently to integrate with Sophi (e.g., ensure they're firing the JS tracking themselves).

Describe the solution you'd like

Designs

Describe alternatives you've considered

Additional context

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: sophi-for-wordpress/package.json

Path to vulnerable library: sophi-for-wordpress/node_modules/path-parse/package.json

Dependency Hierarchy:

  • scripts-1.3.1.tgz (Root Library)
    • babel-eslint-10.1.0.tgz
      • resolve-1.20.0.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7


Step up your Open Source Security Game with WhiteSource here

Plugin inaccurately sending empty/null data in author array

Describe the bug
Somewhere within the changes in #109 and #116 (or potentially elsewhere that I have not accounted for) we introduced the ability to send an array to Sophi of post authors. This presumably takes the WP Core default author and appends whatever other plugins may add as additional authors/bylines (e.g., Co-Authors Plus). It seems that somewhere in these various set up configs that we allow either an empty string or a null reference for an author/byline (I forget specifically how Sophi calls this field) to get passed to Sophi which is then causing the entire data set to be tossed out. We should ensure what we send to Sophi for author/byline does not include an invalid empty string or null reference (though we should ensure we get precise confirmation from the Sophi team on what is / is not permissible on their end before making a change here).

Steps to Reproduce

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

Screenshots

Environment information

  • Device:
  • OS:
  • Browser and version:
  • WordPress version:
  • Plugins and version:
  • Theme and version:
  • Site Health Info:

Additional context
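
As an added illustration of the fix direction (not the plugin's own code): a normalizer that drops null and empty entries from the author array before it is sent to Sophi. The function name and the input shape are assumptions, and the issue notes that the accepted format still has to be confirmed with the Sophi team.

```php
<?php
/**
 * Added example, not the plugin's own code: strip null and empty entries
 * from an author/byline array before it is sent to Sophi. The function
 * name and the input shape are assumptions.
 *
 * @param mixed $authors A single author or a list mixing strings, nulls
 *                       and Co-Authors-Plus-style author objects/arrays.
 * @return string[] Ordered, de-duplicated list of non-empty author names.
 */
function sophi_example_clean_authors( $authors ) {
	if ( ! is_array( $authors ) ) {
		$authors = array( $authors );
	}

	$clean = array();
	foreach ( $authors as $author ) {
		// Author objects or arrays: take the display name field if present.
		if ( is_object( $author ) && isset( $author->display_name ) ) {
			$author = $author->display_name;
		} elseif ( is_array( $author ) && isset( $author['display_name'] ) ) {
			$author = $author['display_name'];
		}

		// Anything that is not a string (null, int, unexpected object) is dropped.
		if ( ! is_string( $author ) ) {
			continue;
		}

		// Whitespace-only names are as invalid as empty strings.
		$author = trim( $author );
		if ( '' === $author ) {
			continue;
		}

		$clean[] = $author;
	}

	// Drop duplicates and reindex so json_encode() emits a list, never an object.
	return array_values( array_unique( $clean ) );
}

// Constructed sample containing the invalid entries the issue describes.
$sample = array( 'Jane Doe', '', null, '   ', 'Jane Doe', array( 'display_name' => 'John Roe' ) );
echo json_encode( sophi_example_clean_authors( $sample ) ), PHP_EOL;
```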

Site Automation URL setting could add scheme automatically

Describe the bug

Steps to Reproduce

  1. Go to settings page
  2. Enter the Site Automation URL value without https
  3. Save settings
  4. A notification is shown that says "Site Automation URL is invalid."

Expected behavior
The plugin should add the scheme automatically

Along the same lines, the Collector URL setting requires a URL without scheme, which is confusing and could be handled more gracefully.
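
One way the two settings could be normalized, as an added example that is not the plugin's own code: a scheme-less Site Automation URL gets `https://` prepended and is rebuilt from its parsed parts, and a Collector URL is reduced to the bare host that setting expects. The function names are assumptions.

```php
<?php
/**
 * Added example, not the plugin's own code: the Site Automation URL gets a
 * scheme added when the user omits one, and the Collector URL is reduced to
 * the bare host that setting expects. Function names are assumptions.
 */
/** Return a canonical http(s) URL, or '' if the value cannot be used. */
function sophi_example_normalize_site_automation_url( $value ) {
	$value = trim( (string) $value );
	if ( '' === $value ) {
		return '';
	}
	// No "://" means the user typed a bare host or path: assume https.
	if ( false === strpos( $value, '://' ) ) {
		$value = 'https://' . ltrim( $value, '/' );
	}
	$parts = parse_url( $value );
	if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return '';
	}
	// Accept only web schemes; anything else (javascript:, file:, ...) is rejected.
	$scheme = strtolower( $parts['scheme'] );
	if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return '';
	}
	// Rebuild from the parsed parts so userinfo and fragments do not survive.
	$url = $scheme . '://' . strtolower( $parts['host'] );
	if ( ! empty( $parts['port'] ) ) {
		$url .= ':' . (int) $parts['port'];
	}
	$url .= isset( $parts['path'] ) ? $parts['path'] : '/';
	if ( ! empty( $parts['query'] ) ) {
		$url .= '?' . $parts['query'];
	}
	return $url;
}

/** Collector URL: accept "host", "host/" or "https://host" and return only the host. */
function sophi_example_normalize_collector_host( $value ) {
	$url = sophi_example_normalize_site_automation_url( $value );
	return '' === $url ? '' : parse_url( $url, PHP_URL_HOST );
}

// Constructed inputs: bare host, scheme-less host with path, and a non-web scheme.
foreach ( array( 'example.com', 'example.com/api/', 'ftp://example.com' ) as $input ) {
	echo $input, ' => ', var_export( sophi_example_normalize_site_automation_url( $input ), true ), PHP_EOL;
}
echo 'collector: ', sophi_example_normalize_collector_host( 'https://collector.example.com/' ), PHP_EOL;
```

Returning an empty string for unusable input lets the settings handler keep showing the existing "Site Automation URL is invalid." notice for values that cannot be repaired.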

CVE-2021-33623 (High) detected in trim-newlines-1.0.0.tgz

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • 10up-toolkit-2.1.1.tgz (Root Library)
    • imagemin-webpack-plugin-2.4.2.tgz
      • imagemin-optipng-6.0.0.tgz
        • optipng-bin-5.1.0.tgz
          • logalot-2.1.0.tgz
            • squeak-1.3.0.tgz
              • lpad-align-1.1.2.tgz
                • meow-3.7.0.tgz
                  • trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: f53708b0035f054189b00c3ec0de1de8c8799b41

Found in base branch: develop

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1



[SIT-2447] Option to ignore homepage data when sending content updates to Sophi

Is your enhancement related to a problem? Please describe.
Adding a Sophi option/setting to "Ignore homepage for content sync to Sophi" and displaying what is set for the site homepage at Reading Settings > Your homepage displays with an edit link to direct Sophi users to http://test.local/wp-admin/options-reading.php for updating. We may also want to consider that some sites may not be using that setting and instead have some other control for handling the site homepage and as such provide a way to adjust what is considered the "homepage" for the site and should be ignored.

This is best as I can recall/describe the discussion with a Sophi integration client, but additional input from the Sophi team to ensure this is described correctly is warranted.

Describe the solution you'd like

Designs

Describe alternatives you've considered

Additional context
