Tag: security

  • Jetpack 4.0.4 Released, Patches 3 Security Vulnerabilities

    Jetpack 4.0.4 is available for download and users are encouraged to update as soon as possible. This release contains a number of security fixes, including additional hardening for the Post by Email feature, a patched XSS vulnerability in the Likes module, and a fix to ensure that submitted Feedback forms are not publicly available via the REST…

  • Critical Vulnerability Patched in EWWW Image Optimizer Plugin

    Yesterday the security team at Wordfence disclosed a critical remote code execution vulnerability in the EWWW Image Optimizer to Shane Bishop, the plugin’s author. Bishop acted quickly to patch the plugin and an update was pushed out to WordPress.org users this morning. According to Wordfence, the vulnerability affects multisite WordPress installations, allowing an attacker to…

  • WP Mobile Detector Plugin Patched for Arbitrary File Upload Vulnerability, Exploits Ongoing

    Researchers at Sucuri are reporting that the WP Mobile Detector plugin has been patched for an arbitrary file upload vulnerability that is being actively exploited in the wild. The plugin, which was temporarily removed from the WordPress Plugin Directory, had more than 10,000 active installs before the exploits began. According to Sucuri, the majority of…

  • Jetpack 4.0.3 Patches a Critical XSS Vulnerability

    Jetpack 4.0.3 is a security release that contains an important fix for a critical vulnerability that has been present in the plugin since version 2.0, released in 2012. According to Jetpack team member Sam Hotchkiss, a stored XSS vulnerability was found in the way that some Jetpack shortcodes are processed, which allows an attacker to…

  • WPWeekly Episode 234 – All Things WordCamp with Andrea Middleton

    In this episode of WordPress Weekly, Marcus Couch and I are joined by Andrea Middleton, who works at Automattic as a Community Organizer for the WordPress open source project. We discuss a number of topics including, updates to the WordCamp Central website, the for-profit subsidiary, and the experimental WordCamp incubator program. At the conclusion of…

  • Critical Vulnerabilities Found in PhpStorm, Immediate Update Advised

    JetBrains announced today that it has released a security update for PhpStorm and all of its other IntelliJ-based IDEs due to a set of critical vulnerabilities: a cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed a malicious web page to read the local file system without user consent, and over-permissive CORS…

  • WordPress 4.5.2 Patches Two Security Vulnerabilities

    The WordPress core team has released WordPress 4.5.2 which patches two security vulnerabilities in WordPress versions 4.5.1 and below. The first is a SOME vulnerability (Same-Origin Method Execution) in Plupload, the third-party library WordPress uses for uploading files. The second is a reflected cross-site-scripting vulnerability in MediaElement.js, the third-party library used for media players. Auto…

  • Ninja Forms Update Patches Critical Security Vulnerability

    Ninja Forms, a popular plugin active on more than 500K websites, released an update 48 hours ago that addresses a critical security vulnerability. Wordfence is reporting that Ninja Forms versions 2.9.36 to 2.9.42 contain multiple security vulnerabilities. One of the vulnerabilities allows an attacker to upload and execute code remotely on WordPress sites. The only…

  • bbPress 2.5.9 Patches Cross-Site-Scripting Vulnerability

    John James Jacoby, lead developer of bbPress, has released bbPress 2.5.9 to patch a security vulnerability. “bbPress 2.5.8 and below are susceptible to a cross-site-scripting vulnerability that’s due to the way users are linked to their profiles when they are mentioned in topics and replies,” Jacoby said. Marc-Alexandre Montpas is credited for responsibly disclosing the…
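    The bug class Jacoby describes, an @mention rendered as a profile link without escaping the user-supplied fields that end up inside the anchor, is illustrated below with an added example. This is not bbPress code and does not reproduce the actual flaw or its fix; the user record and profile URL are constructed for the illustration, and the only assumption is that WordPress's standard escaping helpers (esc_url, esc_attr, esc_html) are loaded.

```php
<?php
// Added illustration, not taken from bbPress: building an @mention link from
// user-controlled data. Assumes WordPress's esc_url(), esc_attr() and esc_html()
// are available (e.g. this runs inside a plugin).

// Constructed sample user. The display name carries an attribute-breaking payload,
// the kind of value a self-registered user might try to store.
$user = (object) [
    'user_nicename' => 'mallory',
    'display_name'  => 'Mallory" onmouseover="alert(document.cookie)',
];
$profile_url = 'https://forums.example.test/users/mallory/';  // constructed

// Vulnerable pattern: fields interpolated straight into HTML. The display name
// closes the title attribute and injects an event handler into the <a> tag.
function mention_link_unsafe($user, $profile_url) {
    return '<a href="' . $profile_url . '" title="' . $user->display_name . '">'
         . '@' . $user->user_nicename . '</a>';
}

// Hardened pattern: each value is escaped for the exact context it lands in
// (URL in href, attribute value in title, text node for the visible handle).
function mention_link_safe($user, $profile_url) {
    return sprintf(
        '<a href="%s" title="%s">@%s</a>',
        esc_url($profile_url),
        esc_attr($user->display_name),
        esc_html($user->user_nicename)
    );
}

// Unsafe output contains a live onmouseover attribute; safe output renders the
// quote as &quot; so the payload stays inside the title attribute as plain text.
echo mention_link_unsafe($user, $profile_url) . "\n";
echo mention_link_safe($user, $profile_url) . "\n";
```

    The point of the hardened version is context-specific escaping at output time rather than trusting that the stored value was filtered on input: a profile URL, an attribute value and a text node each need a different escaper, and bbPress's advisory attributes the bug precisely to the link-building step.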

  • Templatic Hacked, Files and Databases Compromised

    Templatic, a WordPress commercial theme company, reported on Saturday, April 30th, that its site was hacked. Files and databases containing customer usernames and passwords were compromised. According to R. Bhavesh, founder of Templatic, the data is being held for ransom. The hacker is now threatening us via email and demanding ransom money be paid.…

  • WPWeekly Episode 231 – An Inside Look at the Plugin Review Process with Mika Epstein

    In this episode of WordPress Weekly, Marcus Couch and I are joined by Mika Epstein. Epstein reviews plugins before they’re added to the WordPress plugin directory and volunteers on the WordPress support forums. We learn what the plugin review process is like and common security issues she discovers. I was shocked to learn that Epstein…

  • Sucuri Partners with Let’s Encrypt to Offer Free SSL Certificates to All Customers

    Sucuri, a website security company that specializes in securing WordPress (and other CMS) sites, announced that SSL certificates are now available at no cost to all customers who make use of the company’s firewall. As a sponsor of the Let’s Encrypt initiative, Sucuri joins Automattic as one of the first companies to fully automate free…

  • WPWeekly Episode 229 – VersionPress Goes Open Source

    In this episode of WordPress Weekly, Marcus Couch and I discuss the news of the week, including a big move for VersionPress as it transitions into an open source project. We provide an update on the development status of bbPress and BuddyPress. We also share details of a critical security vulnerability that was patched in…

  • User Role Editor 4.25 Patches Critical Security Vulnerability

    Vladimir Garagulya, developer of User Role Editor, has patched a critical security vulnerability. User Role Editor is used to edit, manage, and create user roles and capabilities and is active on more than 300K sites. User Role Editor 4.24 and below allows any registered user to gain administrator access. Wordfence, a popular security plugin…