security

WordPress REST API Vulnerability Exploits Continue

It has been nearly two weeks since the WordPress security team disclosed an unauthenticated privilege escalation vulnerability in a REST API endpoint in 4.7 and 4.7.1. The vulnerability was patched silently and disclosure was delayed for a week to give WordPress site owners a head start on updating to 4.7.2. (more…)

WordPress Weekly Featured Image

On this episode, Marcus Couch and I are joined by Morten Rand-Hendriksen to discuss his WordPress Telemetry proposal. We discuss the potential benefits of having an opt-in usage data collection system that could help core developers and others make informed decisions. Rand-Hendriksen also shares what he’s learned from teaching WordPress (more…)

WP Super Cache 1.4.9 Patches Multiple XSS Vulnerabilities

WP Super Cache is a nearly 10-year-old plugin that is maintained by Donncha Ó Caoimh and is actively installed on more than a million sites. Releases have been far and few between, but Ó Caoimh has released WP Super Cache 1.4.9 that patches cross-site-scripting vulnerabilities on the settings page. “Those pages (more…)

WordPress 4.7.1 Fixes Eight Security Issues

WordPress 4.7.1 is available for download and fixes eight security issues that affect WordPress 4.7 and below. The PHPMailer library was updated to patch a remote code execution (RCE) vulnerability. WordFence reported the vulnerability last month as critical and that it affects WordPress core. However, in the announcement post for (more…)

WP eCommerce 3.11.4 Patches SQL Injection Vulnerability

Over the weekend, the WP eCommerce team released version 3.11.4 of its e-commerce plugin. The update patches an SQL injection vulnerability that was responsibly disclosed by Mika Epstein, a member of the WordPress.org plugin review team. According to Justin Sainton, lead developer of WP eCommerce, the team was notified of the vulnerability on (more…)