security

WP eCommerce 3.11.4 Patches SQL Injection Vulnerability

Over the weekend, the WP eCommerce team released version 3.11.4 of its e-commerce plugin. The update patches an SQL injection vulnerability that was responsibly disclosed by Mika Epstein, a member of the WordPress.org plugin review team. According to Justin Sainton, lead developer of WP eCommerce, the team was notified of the vulnerability on (more…)

ManageWP Launches Automated Security Scanning

When ManageWP allowed users to perform security scans of websites through the Orion interface in December of 2015, a feature commonly requested by customers was the ability to automate the scans. Nine months after implementing security checks for customers, ManageWP has added automated security scans to its assortment of features. The automated security (more…)

WordPress 4.6.1 Released, Patches Two Security Vulnerabilities

WordPress 4.6.1 is available and users are strongly encouraged to update immediately as it patches two security vulnerabilities. The first is a cross-site scripting vulnerability related to image filenames that was reported by Cengiz Han Sahin, a SumOfPwn researcher. The second is a path traversal vulnerability in the upgrade package (more…)

Jetpack 4.2 Released with Performance and Security Updates

Jetpack 4.2 is a combination release with performance improvements and fixes for a couple of security vulnerabilities. These updates secure Contact Form submission exports from potential formula injections and fix a general XSS vulnerability caused by misuse of the add_query_arg() function. The majority of enhancements in this release are centered (more…)

TechCrunch Hacked by OurMine, Attackers Target Weak Passwords

TechCrunch is the latest victim in OurMine’s summer hacking rampage. The site, which is powered by WordPress and hosted via WordPress.com VIP, was hacked this morning and defaced with a message from the attackers who identify themselves as an “elite hacker group.” TechCrunch’s news ticker was updated to display: “Hello (more…)

bbPress 2.5.10 Patches Security Vulnerability

John James Jacoby, lead developer of bbPress, has released bbPress 2.5.10 to patch a security vulnerability in all previous versions of the 2.X branch. This release also contains security hardening improvements where user display names and avatars are commonly displayed together. Jacoby notes that these changes affect bbPress only and don’t impact third-party (more…)

All in One SEO 2.3.7 Patches Persistent XSS Vulnerability

Semper Fi Web Design, the company behind All in One SEO, a popular WordPress SEO plugin that’s active on more than 1M sites, has released 2.3.7 to patch a persistent XSS security vulnerability. According to the plugin’s changelog, 2.3.7 sanitizes the Bad Bots module referer and user agent. While it doesn’t sound (more…)

WordPress 4.5.3 Fixes 7 Security Issues

WordPress 4.5.3 was released today to fix seven important security issues that affect 4.5.2 and prior versions. Automatic background updates are already rolling out and all users are advised to update immediately. The release patches the following security issues: redirect bypass in the customizer (reported by Yassine Aboukir); two different (more…)