Akismet 3.1.5 Fixes Critical XSS Security Vulnerability

If you use Akismet to battle comment spam, make sure it’s running version 3.1.5, as it patches a critical security vulnerability. Due to the nature of the bug, the Akismet team pushed out automatic updates to sites that can accept them. According to Sucuri, sites running Akismet 3.1.4 or lower that have the “Convert emoticons like :-) and 😛 to graphics on display” option enabled are at risk.

The vulnerability stems from the way Akismet handles hyperlinks within a site’s comments. An attacker with sufficient knowledge of WordPress’ internals could insert malicious scripts into the Comments section of the WordPress backend. This type of attack could lead to a number of other attacks, including compromising an entire site.

So far, Akismet developers don’t have any evidence that the vulnerability is actively being exploited in the wild. Because the vulnerability is theoretically exploitable via comments, Akismet is blocking attempts during the comment-check API call so that sites not running the most recent version are protected. However, you should still upgrade immediately to 3.1.5.
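As an added defender-side check (not code from this post, from Sucuri or from the Akismet project), the following POSIX shell script flags a site that matches the at-risk combination described above: an Akismet version older than 3.1.5 together with the emoticon-to-graphics option turned on. It assumes WP-CLI is installed and that the “Convert emoticons” checkbox is stored in the WordPress option named `use_smilies` (value "1" when enabled).

```shell
#!/bin/sh
# Added example, not code from the post or from Akismet: audit a WordPress
# site for the condition the post describes (Akismet < 3.1.5 with the
# "Convert emoticons ... to graphics on display" option enabled).
# Assumptions: WP-CLI is installed, and that checkbox is stored in the
# WordPress option named use_smilies ("1" when enabled).

FIXED_VERSION="3.1.5"

# True (exit 0) when dotted version $1 is older than $2.
# Numeric, field by field; a missing field counts as 0, so 3.1 < 3.1.5.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Verdict for one site: prints "at-risk" only when both conditions hold,
# which is the combination the post says is exposed; otherwise "ok".
assess_site() {
    version="$1"      # installed Akismet version
    use_smilies="$2"  # value of the use_smilies option
    if version_lt "$version" "$FIXED_VERSION" && [ "$use_smilies" = "1" ]; then
        echo at-risk
    else
        echo ok
    fi
}

# Live check: pass the WordPress install path as the first argument.
if [ -n "$1" ] && command -v wp >/dev/null 2>&1; then
    v=$(wp --path="$1" plugin get akismet --field=version)
    s=$(wp --path="$1" option get use_smilies)
    echo "Akismet $v, use_smilies='$s': $(assess_site "$v" "$s")"
fi
```

A site reported as "ok" only because `use_smilies` is off is still running a vulnerable plugin version and should be updated to 3.1.5 regardless.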
