security

Critical Vulnerability Patched in EWWW Image Optimizer Plugin

Yesterday the security team at Wordfence disclosed a critical remote code execution vulnerability in the EWWW Image Optimizer to Shane Bishop, the plugin’s author. Bishop acted quickly to patch the plugin and an update was pushed out to WordPress.org users this morning. According to Wordfence, the vulnerability affects multisite WordPress (more…)

Jetpack 4.0.3 Patches a Critical XSS Vulnerability

Jetpack 4.0.3 is a security release that contains an important fix for a critical vulnerability that has been present in the plugin since version 2.0, released in 2012. According to Jetpack team member Sam Hotchkiss, a stored XSS vulnerability was found in the way that some Jetpack shortcodes are processed, (more…)

The WordPress core team has released WordPress 4.5.2, which patches two security vulnerabilities in WordPress versions 4.5.1 and below. The first is a SOME vulnerability (Same-Origin Method Execution) in Plupload, the third-party library WordPress uses for uploading files. The second is a reflected cross-site-scripting vulnerability in MediaElement.js, the third-party library (more…)

Ninja Forms, a popular plugin active on more than 500K websites, released an update 48 hours ago that addresses a critical security vulnerability. Wordfence is reporting that Ninja Forms versions 2.9.36 to 2.9.42 contain multiple security vulnerabilities. One of the vulnerabilities allows an attacker to upload and execute code remotely (more…)

bbPress 2.5.9 Patches Cross-Site-Scripting Vulnerability

John James Jacoby, lead developer of bbPress, has released bbPress 2.5.9 to patch a security vulnerability: “bbPress 2.5.8 and below are susceptible to a cross-site-scripting vulnerability that’s due to the way users are linked to their profiles when they are mentioned in topics and replies,” Jacoby said. Marc-Alexandre Montpas is (more…)

Templatic Hacked, Files and Databases Compromised

Templatic, a WordPress commercial theme company, reported on Saturday, April 30th, that its site was hacked. Files and databases containing customer usernames and passwords were compromised. According to R. Bhavesh, founder of Templatic, the data is being held for ransom money. The hacker is now threatening us via email and (more…)

In this episode of WordPress Weekly, Marcus Couch and I discuss the news of the week, including a big move for VersionPress as it transitions into an open source project. We provide an update on the development status of bbPress and BuddyPress. We also share details of a critical security (more…)