Slavco Mihajloski, security researcher at Sucuri, has discovered a critical SQL injection vulnerability in NextGEN Gallery, a popular WordPress plugin that’s active on more than a million sites. Mihajloski gives the vulnerability a 9 out of 10 on Sucuri’s DREAD scale. Dread stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. Each category (more…)
The BuddyPress development team has released BuddyPress 2.7.4 to address a security vulnerability that affects all versions back to 2.0. According to John James Jacoby, lead developer of BuddyPress, “This version patches a vulnerability to the BuddyPress core attachments API that could allow arbitrary file deletion on certain installation configurations.” The (more…)
In this episode of WordPress Weekly, Marcus Couch and I are joined by Adam Warner, SiteLock’s WordPress evangelist. Warner describes how he got involved with WordPress and how it helped shape his career. We discuss his crowdfunding campaign to democratize publishing which didn’t turn out so well. Near the end (more…)
Ninja Forms, a popular plugin active on more than 500K websites, released an update 48 hours ago that addresses a critical security vulnerability. Wordfence is reporting that Ninja Forms versions 2.9.36 to 2.9.42 contain multiple security vulnerabilities. One of the vulnerabilities allows an attacker to upload and execute code remotely (more…)
On this episode of WordPress Weekly, Marcus Couch and I were joined by Drew Jaynes, web engineer for 10up, and release lead for WordPress 4.2. Jaynes explains how a release lead is chosen, their responsibilities, and what their role is. Release leads are shepherds who work with multiple teams to (more…)
WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release has eight security fixes, one of which is high risk, three are medium-low risk, and the last four added to harden WordPress. This is the first major security update to WordPress core (more…)
For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex (more…)
First reported by Sucuri, the WPTouch plugin has a dangerous security vulnerability and users are encouraged to update immediately. WPTouch is used to quickly add mobile support to websites and has over 5 million downloads making it one of the most popular plugins in the WordPress plugin directory. According (more…)
The developers of Pods, a popular WordPress plugin used to create and extend custom post types, content types, taxonomies, users, media, or comments, has released an update that addresses a critical security vulnerability. Version 2.4.3 and all previous versions of the plugin have been patched in case you can’t upgrade (more…)
Duo Security is a business that provides two-factor authentication services across multiple platforms. Late last week, the company announced on their blog they discovered a security vulnerability in their WordPress plugin. According to Duo, the vulnerability only affects WordPress Multisite installations where the plugin is enabled on an individual per-site (more…)
Osirt, a malware security company is reporting that the WordPress theme OptimizePress contains a significant security vulnerability. According to the security bulletin published a few days ago, the problem lies within the Media-upload.php file. When a browser loads this file within the theme, the media upload screen appears. From here, (more…)
Themify has announced that they have discovered and confirmed a vulnerability in their framework. The vulnerability stems from an unsecure file named themify-ajax.php. The fix was released on November 9th, 2012 but the auto upgrade process failed to delete the file. Themify states they have “recently received several reports of (more…)