iThemes Patches Vulnerability that Affects All Versions of the iThemes Security Plugin

iThemes has released new versions of iThemes Security and iThemes Security Pro to address a critical security vulnerability. Every version of both plugins is at risk, including Better WP Security 3.0. The vulnerability allowed potentially dangerous JavaScript to run when viewing 404 logs.

When the 404 Detection feature is enabled, data about requests for non-existent pages is stored in the database. Attackers could potentially add JavaScript code to these page requests, which would then be stored. This update fixes a security flaw that could allow those scripts to run when viewing the Security > Logs page.
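The flaw described above is a stored cross-site scripting pattern: untrusted request data is written to a log and later echoed into an admin page without output escaping. The following PHP is an added example, not iThemes' code or the actual plugin internals; the log structure, function names and timestamp are constructed for illustration. It shows the vulnerable rendering beside the fixed version, using the WordPress `esc_html()` helper (with a stand-alone fallback so it also runs outside WordPress).

```php
<?php
// Added example (not iThemes' code): the stored-XSS pattern behind this
// advisory and its fix, using WordPress-style escaping helpers.
// Log layout, function names and the timestamp are assumptions for illustration.

// Stand-alone fallbacks so this runs outside WordPress. Inside WordPress the
// real esc_html()/wp_unslash() are already defined and these are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// Logging side: a 404 handler records the raw request URI. Storing the raw
// value is acceptable (the log should be accurate); the mistake is trusting
// that value later, at output time.
function record_404( array $log, string $request_uri, string $ip ): array {
    $log[] = array(
        'time' => '2016-01-01 00:00:00', // constructed timestamp
        'ip'   => $ip,
        'uri'  => wp_unslash( $request_uri ),
    );
    return $log;
}

// Vulnerable renderer: the stored URI is concatenated into admin HTML
// untouched, so any markup placed in a request path is interpreted by the
// browser of whoever views the log page.
function render_log_row_vulnerable( array $entry ): string {
    return '<tr><td>' . $entry['time'] . '</td><td>' . $entry['ip'] . '</td><td>'
         . $entry['uri'] . '</td></tr>';
}

// Fixed renderer: every stored field is escaped at output time with esc_html(),
// so the log still shows exactly what was requested, but as inert text.
function render_log_row_fixed( array $entry ): string {
    return '<tr><td>' . esc_html( $entry['time'] ) . '</td><td>' . esc_html( $entry['ip'] )
         . '</td><td>' . esc_html( $entry['uri'] ) . '</td></tr>';
}

// Constructed sample: a request for a non-existent page whose path carries markup.
$sample_uri = '/no-such-page<script>/*constructed marker*/</script>';
$log        = record_404( array(), $sample_uri, '203.0.113.10' );

echo "Vulnerable output:\n" . render_log_row_vulnerable( $log[0] ) . "\n\n";
echo "Fixed output:\n" . render_log_row_fixed( $log[0] ) . "\n";

// Self-check: the escaped row must not contain a raw <script> tag.
assert( strpos( render_log_row_fixed( $log[0] ), '<script>' ) === false );
```

The defensive rule this illustrates is "escape late": sanitising on input is not enough for a log that must preserve what was requested, so the escaping belongs at the point where the value is placed into HTML. When reviewing a plugin that renders stored request data in wp-admin, look for fields concatenated or echoed without `esc_html()`, `esc_attr()` or `esc_url()` around them.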

If you’re using iThemes Security Pro, there are three ways to update:

  • Update now from the Sync Dashboard
  • Update directly from the WordPress dashboard for licensed Pro sites
  • Download the latest version from the iThemes Member Panel

If you’re using iThemes Security, visit Dashboard – Updates to install the latest version. Every branch of iThemes Security has been patched. To check if you’re running a patched version, please review the following information.

  • If you were running on 4.6 or higher, you’ll auto-update to 4.6.13
  • If you were running on 4.5.*, you’ll auto-update to 4.5.11
  • If you were running on 4.4.*, you’ll auto-update to 4.4.24
  • If you were running on 4.3.*, you’ll auto-update to 4.3.12
  • If you were running on 4.2.*, you’ll auto-update to 4.2.16
  • If you were running on 4.1.*, you’ll auto-update to 4.1.6
  • If you were running on 4.0.*, you’ll auto-update to 4.0.28
  • If you were running on 3.6.*, you’ll auto-update to 3.6.7
  • If you were running on 3.5.*, you’ll auto-update to 3.5.7
  • If you were running on 3.4.*, you’ll auto-update to 3.4.11
  • If you were running on 3.3.*, you’ll auto-update to 3.3.1
  • If you were running on 3.2.*, you’ll auto-update to 3.2.8

Ole Aass is credited with discovering and responsibly disclosing the vulnerability. The WordPress.org security team has pushed out an automatic update, but if you haven’t received it yet, manually update as soon as possible.