Tag: security

  • BuddyPress 2.3.3 Patches Security Vulnerabilities in BuddyPress Messages Component

    BuddyPress 2.3.3 is available and users are encouraged to update as soon as possible. A few security vulnerabilities were discovered in BuddyPress Messages, a core component that allows users to send and receive private messages. A vulnerability was responsibly disclosed to the BuddyPress team that could allow members to manipulate a failed private outbound message…

  • WPWeekly Episode 202 – Prestige is Serious Business

    On this week’s episode, Marcus Couch and I talk about the news of the week, including the release of WordPress 4.2.4 which patches six security vulnerabilities. I shared my experience attending Prestige last weekend while Marcus describes what it was like to watch the livestream. Marcus and I closed out the show with a candid…

  • The WordPress Core Team Receives Praise for Their Efforts to Maintain Security

    Netanel Rubin, a vulnerability researcher for Check Point Software and credited for properly disclosing a security vulnerability to WordPress, published the first in a trilogy of posts that explains how he discovered it. The vulnerability was discovered during a full audit of WordPress’ code base in which Rubin praised the efforts of the WordPress development…

  • Behind the Scenes of WordPress 4.2.3 With Gary Pendergast

    When WordPress 4.2.3 was released last week, not only did it patch a critical security vulnerability, but also adversely impacted a number of sites. Changes to the Shortcode API which were necessary as part of the patch caused some plugins that rely on the API to break. These changes were not immediately communicated to plugin…

  • Plugin Developers Demand a Better Security Release Process After WordPress 4.2.3 Breaks Thousands of Websites

    WordPress 4.2.3, a critical security release, was automatically pushed out to users yesterday to fix an XSS vulnerability. Shortly afterwards, the WordPress.org support forums were flooded with reports of websites broken by the update. Roughly eight hours later Robert Chapin (@miqrogroove) published a post to the Make.WordPress.org/Core blog, detailing changes to the Shortcode API that…

  • WordPress 4.2.3 is a Critical Security Release, Fixes an XSS Vulnerability

    WordPress users in the Americas woke this morning to find update notices in their inboxes due to a critical security vulnerability. WordPress 4.2.3 was released today and automatically pushed out to sites that have auto-updates enabled. Because this is a security release for all previous versions of WordPress, those who do not have automatic update…

  • Update Adobe Flash Immediately to Patch Critical Security Vulnerability

    If you have Adobe Flash installed, you’ll want to make sure it’s updated to the latest version, as it patches a critical security vulnerability. According to The Register, confidential source code was stolen from Hacking Team and leaked online. Within the leaked source code, software vulnerabilities used by Hacking Team to break into PCs were…

  • Matt Mullenweg Appoints Nikolay Bachiyski as Security Czar for the WordPress Project

    While on stage at WordCamp Europe answering a question related to WordPress’ security track record, Matt Mullenweg named Nikolay Bachiyski as the first Security Czar for the WordPress project. https://twitter.com/redcrew/status/614414379380011009 Bachiyski is employed by Automattic and has been a member of the WordPress community for more than 10 years. Over that time period, he’s established…

  • WordPress Plugin Developers Need to Communicate Better in Change Logs

    One of the habits I developed when I started using WordPress is to always read a plugin’s changelog before updating. The changelog is a communication channel that bridges the gap between me and the developer. It tells me what’s changed, what to expect, and any other information the developer thinks I should know. The most…

  • WooCommerce 2.3.11 Patches Object Injection Vulnerability

    WooCommerce 2.3.11 patches an object injection vulnerability discovered by Sucuri. According to the security research company, the vulnerability is only present when the PayPal Identity Token option is set in WooCommerce. Researchers used a combination of WordPress and WooCommerce components with a known PHP bug and were able to download critical files, including wp-config.php which…

  • WooThemes Fixes XSS Vulnerability in Products Using the prettyPhoto Library

    Jeff Ikus of WooThemes announced on the company’s theme development blog that it has pushed out updates to all of its products that use the prettyPhoto library. The update fixes a DOM-based cross-site scripting vulnerability discovered in 2014. prettyPhoto is a jQuery lightbox clone used in a potentially large number of WordPress products. If…

  • Sucuri is Building a Comprehensive Alternative to CloudFlare

    Sucuri launched a new free performance tool today. The Global Website Performance Tester allows anyone to enter a URL and get a quick assessment of how fast the website is loading from 13 globally distributed testing stations. Results include three key metrics: connection time, time to first byte (TTFB) and total load time. At the…

  • WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability

    This morning we reported on an XSS vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an attacker to compromise a site via its comments. The security team quickly patched the vulnerability and released 4.2.1 within hours of being notified. WordPress’ official statement on the security issue: The WordPress team was made aware of…

  • Zero Day XSS Vulnerability in WordPress 4.2 Currently Being Patched

    Klikki Oy is reporting a new comment XSS exploit vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an unauthenticated attacker to inject JavaScript into comments. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.…