DEV Community

devMode.fm

Critical SEOmatic SSTI Vulnerability Post-Mortem

Hosted by Matt Stein, on this episode we talk to Andrew Welch from nystudio107, Nevin Lyne from Arcus Tech, and Brad Bell from Pixel & Tonic.

The discussion centers around a recent critical Server-Side Template Injection (SSTI) and Remote Code Execution (RCE) exploit in the SEOmatic plugin for Craft CMS.

We discuss a timeline of what transpired, and walk through the discovery process as in-the-wild exploits were found.

We also talk about whether you should be concerned, and update to the patched SEOmatic 3.3.0 or later (spoiler: you should, and you should).

We also go into steps that Pixel & Tonic, plugin developers, and frontend developers producing sites can take to
