The core WordPress team released version 5.2.4 of WordPress on October 14. The release addresses six security issues that were all privately reported through WordPress’ responsible disclosure procedure. Like any security release, users should update immediately to the latest version to keep their sites secure. For those with automatic updates (more…)
After tracking exploits of a zero day XSS vulnerability in the Rich Reviews plugin for WordPress, Wordfence is recommending that users remove it from their websites. The company estimates that there are 16,000 active installations vulnerable to unauthenticated plugin option updates: Attackers are currently abusing this exploit chain to inject (more…)
WordPress contributors, developers, and community members are currently debating a proposal to would implement a new policy regarding security support for older versions. The discussion began last week when security team lead Jake Spurlock asked for feedback on different approaches to backporting security fixes to older versions. Following up on (more…)
The WordPress Security Team is exploring different approaches to backporting security fixes to older versions of the software. The effort that goes into supporting versions back to 3.7 (the release that introduced automatic background updates) increases with each major version released. “For the Core Security team, that means when security (more…)
There’s a new release of WP Super Cache (1.6.9) available that patches a security issue discovered in the debug log. The vulnerability can only be exploited if users have debugging enabled. It’s highly recommended that all users upgrade to 1.6.9 to patch the security issue. Details of the vulnerability will (more…)
Those who use the All-in-One WP Migration plugin are encouraged to update to version 7.0 as soon as possible as 6.97 contains an admin backend cross-site-scripting vulnerability. An attacker would already have to be able to either compromise the database or gain access to a user account with high enough (more…)
In this episode, John James Jacoby and I discuss an article published by Vox on how Slack is not improving productivity, especially in large team environments. We highlight what’s new in WordPress 5.2.1, why libraries are important to the communities they serve, and new security features in WordPress 5.2. At (more…)
WordPress 5.2, released earlier this month, added the first step towards fully secure updates with offline digital signatures. Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, explains how it works and how developers can migrate away from mcrypt to libsodium. When your WordPress site installs an automatic update, from (more…)
A security service called Plugin Vulnerabilities, founded by John Grillot, is taking a vigilante approach to addressing grievances against WordPress.org support forum moderators. The company is protesting the moderators’ actions by publishing zero-day vulnerabilities (those for which no patch has been issued) and then attempting to contact the plugin author (more…)
Over the weekend, Pipdig, a small commercial theme company, has been at the center of a scandal after multiple reports exposed a litany of unethical code additions to its Pipdig Power Pack (P3) plugin. On Friday, March 29, Wordfence threat analyst Mikey Veenstra published a report with code examples of (more…)
In this episode, John James Jacoby and I are joined by Sandy Edwards. Sandy gave us a behind the scenes look at what it takes to organize a WordPress event for children and teens. She also provides background information on a new group that’s been formed called the Kids Events (more…)
WordPress 5.1.1 was released yesterday evening with an important security update for a critical cross-site scripting vulnerability found in 5.1 and prior versions. The release post credited Simon Scannell of RIPS Technologies for discovering and reporting the vulnerability. Scannell published a post summarizing how an unauthenticated attacker could take over (more…)